
dhis2-devs team mailing list archive

Re: Password/security related code in DHIS2


Hi Calle,

security isn't really confined to a few files and we don't have a document
specifically on that.

Since you need an urgent reply what you could say is:

- Main security config files are found here:

http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml
http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml

- DHIS 2 is using a fairly standard security setup based on Spring Security.
Web site <http://projects.spring.io/spring-security/> | reference
<https://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html>
| overview <https://en.wikipedia.org/wiki/Spring_Security>

- DHIS 2 uses Bcrypt adaptive hashing of passwords. Read more
<https://en.wikipedia.org/wiki/Bcrypt>.

- DHIS 2 can authenticate against the local database, using OpenID
<http://dhis2.github.io/dhis2-docs/master/en/user/html/ch07.html#d5e1573>
(from 2.19) and LDAP server
<http://dhis2.github.io/dhis2-docs/master/en/implementer/html/ch08s05.html>
(from 2.21).

- DHIS 2 supports OAuth2
<http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e75>
and basic
<http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e69>
authentication for Web API requests / integration with other systems.

- DHIS 2 lets you configure password expiration under settings
<http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.

- DHIS 2 allows for user account recovery / password reset with recaptcha
under settings
<http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.

- DHIS 2 access control is based on a standard solution with user roles
with authorities.


regards,

Lars



On Tue, Dec 8, 2015 at 12:48 PM, Calle Hedberg <calle.hedberg@xxxxxxxxx>
wrote:

> Hi
>
> We have an urgent request from the SA Auditor General for a copy of the
> software code controlling/defining the password/security setup in DHIS2.
>
> 1. Is all of that code in one file or set of files, and if yes which/where
> can I quickly find it?
>
> 2. Is there a document available that provides a more conceptual
> description of the DHIS2 access/security features?
>
> Sorry to push, but this is urgent - I was only made aware of the request 2
> minutes ago, and the deadline was 9am this morning....  (it's habitual for
> the AG to give extremely short deadlines, regrettably - and while I don't
> see them actually doing an in-depth assessment of that code, that seems to
> be what they want...)
>
> Regards
> Calle
>
> *******************************************
>
> Calle Hedberg
>
> 46D Alma Road, 7700 Rosebank, SOUTH AFRICA
>
> Tel/fax (home): +27-21-685-6472
>
> Cell: +27-82-853-5352
>
> Iridium SatPhone: +8816-315-19119
>
> Email: calle.hedberg@xxxxxxxxx
>
> Skype: calle_hedberg
>
> *******************************************
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
http://www.dhis2.org
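As an added illustration of the bcrypt point in Lars's reply (example code written for this page, not DHIS 2's own code), the following shows what "adaptive hashing" means for password storage: a random salt per hash, verification that reads salt and cost back out of the stored string, and a cost factor that scales the work for every hash and every login check. It assumes only Spring Security's spring-security-crypto module (the BCryptPasswordEncoder class) on the classpath; the cost factor 12, the class name and the sample password are constructed choices, not values taken from DHIS 2.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example, not DHIS 2 code: bcrypt password hashing with Spring Security's
// BCryptPasswordEncoder (spring-security-crypto). All values below are constructed.
public class BcryptPasswordDemo {

    // Work factor: log2 of the number of key-expansion rounds. Spring's default is 10;
    // each +1 roughly doubles the cost of every hash and every verification.
    private static final int COST = 12;
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(COST);

    /** Hash a password for storage. A fresh random 128-bit salt is generated on every call. */
    public static String hash(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Verify a login attempt. Salt and cost are parsed from the stored hash itself. */
    public static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    /** Read the cost factor out of a stored hash, e.g. "$2a$12$..." gives 12. */
    public static int costOf(String storedHash) {
        // Modular crypt format: $<version>$<cost>$<22-char salt><31-char digest>
        String[] parts = storedHash.split("\\$");
        return Integer.parseInt(parts[2]);
    }

    /** True when a stored hash was made with a weaker cost than current policy, so it
     *  can be re-hashed the next time the user logs in with the correct password. */
    public static boolean needsRehash(String storedHash) {
        return costOf(storedHash) < COST;
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample credential

        String h1 = hash(password);
        String h2 = hash(password);
        System.out.println(h1);
        System.out.println(h2);
        // Same password, different salt, different hash: a precomputed table built
        // for one hash is useless against every other row in the user table.
        System.out.println("hashes differ:   " + !h1.equals(h2));
        System.out.println("verify correct:  " + verify(password, h1));
        System.out.println("verify wrong:    " + verify("not the password", h1));
        System.out.println("stored cost:     " + costOf(h1));
        System.out.println("needs rehash:    " + needsRehash(h1));

        // "Adaptive": the same password hashed at increasing cost factors.
        // The measured time should roughly double per step.
        for (int cost = 10; cost <= 12; cost++) {
            BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(cost);
            long start = System.nanoTime();
            encoder.encode(password);
            long millis = (System.nanoTime() - start) / 1_000_000;
            System.out.println("cost " + cost + ": about " + millis + " ms per hash");
        }
    }
}
```

The timing loop is the practical check an auditor usually wants: pick the cost so that one verification takes tens to a few hundred milliseconds on the production hardware, and use needsRehash-style logic to raise the cost of old hashes as users log in rather than leaving a mix of strengths in the table.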
