Version 2

    This page documents the limitations of the current system and describes some requirements for the future system.

     

    Current Authentication Mechanism

     

    The old Maven repository (http://repository.jboss.org/maven2) used svn (https://svn.jboss.org/repos/repository.jboss.org) to deploy and track artifacts.  User access was controlled by the Apache authz_svn module.

     

    To maintain compatibility with the previous system, Nexus is configured to use a custom plugin which validates user credentials against the old svn server over HTTPS.  The main limitation of this configuration is that users are granted access to the server via a single role in Nexus.  This means that only a single set of permissions can be applied to users authenticated via svn.

     

     

    Requirements for the New Security System

     

    The jboss.org team is currently in the process of designing a new security system.  The new system should meet the following requirements to better support the Maven repository.

     

    • The system must support multiple levels of authorization, for example user groups which map to security roles in Nexus.  Currently Nexus only supports LDAP for mapping external groups to roles.
    • The management of users must be decentralized (i.e. the Maven repository admin is able to grant/deny access to the Maven repo, but not access security settings for other systems in jboss.org).
    • The Maven repository (Nexus) must send all authentication requests over a secure channel such as SSL.
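
    The contrast between the current single-role setup and the three requirements above, modelled as an added example that is not jboss.org's or Nexus's own code. All role, group and administrator names and the permission sets are hypothetical.

```python
from urllib.parse import urlparse

# Hypothetical names and permission sets; none come from the real configuration.
SINGLE_ROLE = "svn-authenticated"
ROLE_PERMISSIONS = {
    "svn-authenticated": {"read", "deploy-snapshot", "deploy-release"},
    "maven-reader": {"read"},
    "maven-snapshot-deployer": {"read", "deploy-snapshot"},
    "maven-release-deployer": {"read", "deploy-snapshot", "deploy-release"},
}
GROUP_TO_ROLE = {
    "maven-users": "maven-reader",
    "maven-committers": "maven-snapshot-deployer",
    "maven-release-managers": "maven-release-deployer",
}
# Groups each administrator may manage (decentralized management).
ADMIN_SCOPE = {"maven-admin": set(GROUP_TO_ROLE)}


def require_secure_channel(auth_url):
    """Refuse to send credentials to an endpoint that is not HTTPS."""
    if urlparse(auth_url).scheme != "https":
        raise ValueError("authentication endpoint must use https: " + auth_url)
    return auth_url


def permissions_current(authenticated):
    """Current model: every svn-authenticated user gets the same single role."""
    return set(ROLE_PERMISSIONS[SINGLE_ROLE]) if authenticated else set()


def permissions_required(user_groups):
    """Required model: union of the roles mapped from the user's external groups."""
    perms = set()
    for group in user_groups:
        role = GROUP_TO_ROLE.get(group)  # unmapped groups grant nothing
        if role:
            perms |= ROLE_PERMISSIONS[role]
    return perms


def set_membership(admin, membership, user, group, member):
    """Grant or revoke group membership, only within the admin's own scope."""
    if group not in ADMIN_SCOPE.get(admin, set()):
        raise PermissionError(f"{admin} may not manage group {group}")
    groups = membership.setdefault(user, set())
    (groups.add if member else groups.discard)(group)
    return groups
```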