
dhis2-devs team mailing list archive

Re: Password/security related code in DHIS2

 

Lars,

Thanks - much appreciated

Regards
Calle

On 8 December 2015 at 14:12, Lars Helge Øverland <larshelge@xxxxxxxxx>
wrote:

> Hi Calle,
>
> security isn't really confined to a few files and we don't have a document
> specifically on that.
>
> Since you need an urgent reply what you could say is:
>
> - Main security config files are found here:
>
>
> http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml
>
> http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml
>
> - DHIS 2 is using a fairly standard security setup based on Spring
> Security. Web site <http://projects.spring.io/spring-security/> |
> reference
> <https://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html>
> | overview <https://en.wikipedia.org/wiki/Spring_Security>
>
> - DHIS 2 uses Bcrypt adaptive hashing of passwords. Read more
> <https://en.wikipedia.org/wiki/Bcrypt>.
>
> - DHIS 2 can authenticate against the local database, using OpenID
> <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch07.html#d5e1573>
> (from 2.19) and LDAP
> <http://dhis2.github.io/dhis2-docs/master/en/implementer/html/ch08s05.html>
> server (from 2.21)
>
> - DHIS 2 supports OAuth2
> <http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e75> and
> basic
> <http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e69>
> authentication for Web API requests / integration with other systems.
>
> - DHIS 2 lets you configure password expiration under settings
> <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.
>
> - DHIS 2 allows for user account recovery / password reset with recaptcha
> under settings
> <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.
>
> - DHIS 2 access control is based on a standard solution with user roles
> with authorities.
>
>
> regards,
>
> Lars
>
>
>
> On Tue, Dec 8, 2015 at 12:48 PM, Calle Hedberg <calle.hedberg@xxxxxxxxx>
> wrote:
>
>> Hi
>>
>> We have an urgent request from the SA Auditor General for a copy of the
>> software code controlling/defining the password/security setup in DHIS2.
>>
>> 1. Is all of that code in one file or set of files, and if yes
>> which/where can I quickly find it?
>>
>> 2. Is there a document available that provides a more conceptual
>> description of the DHIS2 access/security features?
>>
>> Sorry to push, but this is urgent - I was only made aware of the request
>> 2 minutes ago, and the deadline was 9am this morning....  (it's habitual
>> for the AG to give extremely short deadlines, regrettably - and while I
>> don't see them actually doing an in-depth assessment of that code, that
>> seems to be what they want...)
>>
>> Regards
>> Calle
>>
>> *******************************************
>>
>> Calle Hedberg
>>
>> 46D Alma Road, 7700 Rosebank, SOUTH AFRICA
>>
>> Tel/fax (home): +27-21-685-6472
>>
>> Cell: +27-82-853-5352
>>
>> Iridium SatPhone: +8816-315-19119
>>
>> Email: calle.hedberg@xxxxxxxxx
>>
>> Skype: calle_hedberg
>>
>> *******************************************
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
> --
> Lars Helge Øverland
> Lead developer, DHIS 2
> University of Oslo
> Skype: larshelgeoverland
> http://www.dhis2.org <https://www.dhis2.org>
>
>


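The reply above points an auditor at bcrypt adaptive hashing as the password storage mechanism. One thing an auditor or administrator can actually verify without reading the Spring Security configuration is that every stored credential is in bcrypt's modular crypt format and carries an adequate cost factor. The following is an added example written for this archive page; it is not DHIS2 code and does not read the DHIS2 database. It uses only the Python standard library: it parses the `$2<ver>$<cost>$<salt><digest>` layout, rejects anything that is not well-formed bcrypt, and flags hashes whose cost is below a policy minimum. The usernames, hashes and the `min_cost` value of 10 are constructed sample values, not values from the page.

```python
"""Audit stored password hashes for bcrypt format and cost factor.

Added example (not DHIS2 project code). Pure standard library, runs offline.
The SAMPLE_RECORDS below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# bcrypt modular crypt format:
#   $2<ver>$<2-digit cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    version: str   # "2a", "2b", "2y", ...
    cost: int      # work factor; iterations = 2**cost
    salt: str      # 22 base64 chars (128-bit salt)
    digest: str    # 31 base64 chars (184-bit digest)


def parse_bcrypt(value: str) -> Optional[BcryptHash]:
    """Return the parsed hash, or None if the string is not well-formed bcrypt."""
    m = BCRYPT_RE.match(value)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    cost_int = int(cost)
    # bcrypt implementations accept cost 4..31; anything else is malformed.
    if not 4 <= cost_int <= 31:
        return None
    return BcryptHash(version, cost_int, salt, digest)


def audit_hashes(records: Iterable[Tuple[str, str]],
                 min_cost: int = 10) -> List[Tuple[str, str]]:
    """Check (username, stored_hash) pairs against the bcrypt policy.

    Returns one (username, finding) tuple per problem. Accounts whose hash is
    well-formed bcrypt with cost >= min_cost produce no finding.
    """
    findings: List[Tuple[str, str]] = []
    for user, stored in records:
        parsed = parse_bcrypt(stored)
        if parsed is None:
            findings.append((user, "not a well-formed bcrypt hash"))
        elif parsed.cost < min_cost:
            findings.append(
                (user, f"bcrypt cost {parsed.cost} below minimum {min_cost}")
            )
    return findings


# Constructed sample data (hypothetical users; not from any real system).
SAMPLE_RECORDS = [
    # well-formed bcrypt, cost 10: passes the policy
    ("alice", "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    # well-formed bcrypt but cost 4: far too cheap to brute-force-resist
    ("bob",   "$2a$04$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    # 32 hex chars: an unsalted MD5-style digest, not bcrypt at all
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),
    # bcrypt prefix but truncated salt/digest: malformed
    ("dave",  "$2a$10$tooshort"),
]


if __name__ == "__main__":
    for user, finding in audit_hashes(SAMPLE_RECORDS, min_cost=10):
        print(f"{user}: {finding}")
```

Run against an export of the password column, this reports `bob` (cost below policy), `carol` (not bcrypt) and `dave` (malformed), and stays silent for `alice`. It never needs the plaintext passwords and never performs a bcrypt computation, so it is safe to run on a copy of production data during an audit.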
