This page documents the limitations of the current system and describes some requirements for the future system.
Current Authentication Mechanism
The old Maven repository (http://repository.jboss.org/maven2) used svn (https://svn.jboss.org/repos/repository.jboss.org) to deploy and track artifacts. User access was controlled by the Apache authz_svn module.
In order to maintain compatibility with the previous system, Nexus is configured to use a custom plugin which validates user credentials against the old svn server over https. The main limitation of this configuration is that users are granted access to the server via a single role in Nexus. This means that only a single set of permissions can be applied to users authenticated via svn.
Requirements for the New Security System
The jboss.org team is currently in the process of designing a new security system. The new system should meet the following requirements to better support the Maven repository.
- There system must support multiple levels of authorization. For example user groups which map to security roles in Nexus. Currently Nexus only supports LDAP for mapping external groups to roles.
- The management of users must be decentralized (i.e. the Maven repository admin is able to grant/deny access to the Maven repo, but not access security settings for other systems in jboss.org)
- The Maven repository (Nexus) must send all authentication requests over a secure channel such as SSL.