Security
This section describes Brightspot’s security configuration keys in context.xml. In addition, as a best practice install Brightspot on an SSL-configured domain that is separate from the sites it publishes.
See also:
When a user submits a username and password at the login page, Brightspot checks if the user has an existing account. If the user does not have an existing account, and if Brightspot is in development mode, the key cms/tool/isAutoCreateUserindicates if Brightspot should automatically create one. This setting is convenient for testing and debugging.
The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for automatically creating a user account. If this key is not set, Brightspot does not automatically create user accounts. |
cms/tool/isAutoCreateUser |
type |
Type of the value. |
java.lang.Boolean |
value |
Indicates if Brightspot automatically creates accounts for logged in users without one. |
|
The following snippet indicates Brightspot automatically creates accounts for users at the login page who do not have an account.
<Environment name="cms/tool/isAutoCreateUser" type="java.lang.Boolean" value="true" />
See also:
The key cms/tool/fileContentTypeGroups defines a global list of permitted and blocked file types that users can upload. The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for limiting file uploads by type. If this key is not set, users can upload any type of file. |
cms/tool/fileContentTypeGroups |
type |
Type of the value. |
java.lang.String |
value |
Files types allowed and disallowed for upload. |
List of file types formatted in the SparseSet representation. |
The following snippet blocks file uploads of all types except for images, PDFs, videos, and audio files.
<Environment name="cms/tool/fileContentTypeGroups" type="java.lang.String" value="-/ +image/ +application/pdf +video/ +audio/" />
Using the annotation @Recordable.MimeTypes, you can further constrain the global list of permitted upload types at the field level—but not expand the global list of blocked file types.
Some developer-level features are available through the Brightspot UI, such as the HTML toggle on the rich-text toolbar and the Developer submenu in the navigation menu. Users without a role are by default super users, and have access to all Brightspot features including those at the developer level.
To block super users’ access to the developer-level features, set the key brightspot/missingRolePermissions. The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid Values |
|---|---|---|
name |
Key for blocking super users from accessing developer-level features in the UI. If this key is not set, super users have access to those features. |
brightspot/missingRolePermissions |
type |
Type of the value. |
java.lang.String |
value |
Features allowed and blocked from super users. |
List of features formatted in the SparseSet representation.
|
The following snippet blocks access to all developer-level features—those in the navigation menu and those in widgets.
<Environment name="brightspot/missingRolePermissions" type="java.lang.String" value="+/ -area/developer -area/developer/ -developer/"/>
The key cms/tool/sessionTimeout configures the duration after which a Brightspot session times out and the user must log in again. The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for specifying session timeout. |
cms/tool/sessionTimeout |
type |
Type of the value. |
java.lang.Long |
value |
Number of milliseconds before an inactive session times out. |
Any long, although as a best practice the value should conform to your organization's security policy for session timeouts. |
The following snippet specifies a session timeout after five minutes.
<Environment name="cms/tool/sessionTimeout" type="java.lang.Long" value="300000" />
The key cms/tool/passwordExpirationInDays configures the number of days after which a user must create a new password. The following table describes the attributes associated with this key.
| Atrribute |
Description |
Valid values |
|---|---|---|
name |
Key for specifying number of days between password expirations. If this key is not set, passwords never expire. |
cms/tool/passwordExpirationInDays |
type |
Type of the value. |
java.lang.Long |
value |
Number of days between password expirations. |
Any long, although as a best practice the value should conform to your organization's security policy for password expirations. |
The following snippet specifies password expiration after 60 days.
<Environment name="cms/tool/passwordExpirationInDays" type="java.lang.Long" value="60" />
The key cms/tool/admin/users/disablePasswordChangeenables or disables the users' ability to change their own passwords. The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for toggling users' ability to change their passwords. If this key is not set, users can change their passwords. |
cms/tool/admin/users/disablePasswordChange |
type |
Type of the value. |
java.lang.Boolean |
value |
Indicates users can change their passwords. |
true, false |
The following snippet prevents users from changing their own passwords.
<Environment name="cms/tool/admin/users/disablePasswordChange" type="java.lang.Boolean" value="true" />
The key cms/tool/forgotPasswordEmailSender specifies the from address when Brightspot sends emails regarding password resets. This key also exposes a Forgot Password link on the login page that users click to submit a password-reset request.
The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for specifying the from address for password-reset emails. |
cms/tool/forgotPasswordEmailSender |
type |
Type of the value. |
java.lang.String |
value |
From address in password-reset emails. |
An email address. |
The following snippet specifies a from address when sending password-reset emails.
<Environment name="cms/tool/forgotPasswordEmailSender" type="java.lang.String" value="password-admin@example.com" />
The key cms/tool/forgotPasswordIntervalInMinutes specifies the number of minutes before Brightspot sends another password-reset email to the same user. This option protects Brightspot from processing automated repeated password-reset requests from the same user within an unreasonably short period of time.
The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for specifying number of minutes to pass before sending another password email request to the same user. If this key is not set, users can submit password reset requests every five minutes. |
cms/tool/forgotPasswordIntervalInMinutes |
type |
Type of the value. |
java.lang.Long |
value |
Number of minutes to pass before sending another password email request to the same user. |
Any long, although as a best practice the value should conform to your organization's security policy for protecting servers. |
The following snippet indicates users can submit password reset requests every 15 minutes.
<Environment name="cms/tool/forgotPasswordIntervalInMinutes" type="java.lang.Long" value="15" />
The key dari/userPasswordPolicy/ declares available password policies. A password policy validates new or changed passwords for complexity, such as number of characters, character types in the password (alphanumeric, special characters), and if the password can be reused within a period of time. You can declare multiple password policies, and assign one of them to your Brightspot instance.
The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for specifying a class that validates a password's complexity. |
dari/userPasswordPolicy/<id>/class, where <id> is a unique XML-compatible identifier. |
type |
Type of the value. |
java.lang.String |
value |
Class that validates a password's complexity. The class must implement UserPasswordPolicy. |
Fully qualified class name that implements UserPasswordPolicy. |
The following snippet declares two policies for validating password complexity.
<Environment name="dari/userPasswordPolicy/simple/class" type="java.lang.String" value="brightspot.core.tool.SimplePasswordPolicy" /><Environment name="dari/userPasswordPolicy/hardened/class" type="java.lang.String" value="brightspot.core.tool.HardenedPasswordPolicy" />
Both classes SimplePasswordPolicy and HardenedPasswordPolicy must implement UserPasswordPolicy, as in the following example.
package brightspot.core.tool;
import java.util.Map;
import com.psddev.dari.util.PasswordException;
import com.psddev.dari.util.UserPasswordPolicy;
public class SimplePasswordPolicy implements UserPasswordPolicy {
@Override
public void initialize(String settingsKey, Map<String, Object> settings) {
/* Initialization code */
}
@Override
public void validate(Object user, String password) throws PasswordException {
/* Validation code */
}
}See also:
The key cms/tool/userPasswordPolicy activates one of the password policies declared with the key dari/userPasswordPolicy/. The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for activating a password policy. If this key is not set, Brightspot does not check users' passwords for complexity. |
cms/tool/userPasswordPolicy |
type |
Type of the value. |
java.lang.String |
value |
Class to use for validating a password. |
One of the identifiers specified with the key dari/userPasswordPolicy/. |
The following snippet activates the password policy simple that was declared in the snippet Declaring password policies.
<Environment name="cms/tool/userPasswordPolicy" type="java.lang.String" value="simple" />
The key <id>/passwordHistoryLimit specifies the previous number of passwords to retain for a user's account. You can use this limit to ensure a user does not use a previous password.
The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for retaining a user's previous passwords. If this key is not set, Brightspot does not retain any previous passwords. |
<id>/passwordHistoryLimit, where <id> is one of the identifiers specified with the key dari/userPasswordPolicy/. |
type |
Type of the value. |
java.lang.String |
value |
Number of passwords to retain. |
Any long, although as a best practice the value should conform to your organization's security policy for using previous passwords. |
The following snippet specifies retaining a user's ten previous passwords (including the current one) when the user password policy simple is activated.
<Environment name="simple/passwordHistoryLimit" type="java.lang.String" value="10" />
See also:
The key dari/authenticationPolicy/ declares available authentication policies. An authentication policy can check if a user object exists corresponding to the username in the login form, if the user's password expired and needs to be reset, and can validate attempted logins from suspicious domain names. You can declare multiple authentication policies, and assign one of them to your Brightspot instance.
The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for specifying a class that authenticates an attempted login. |
dari/authenticationPolicy//class, where is a unique XML-compatible identifier. |
type |
Type of the value. |
java.lang.String |
value |
Class that authenticates an attempted login. The class must implement AuthenticationPolicy. |
Fully qualified class name. |
The following snippet declares two policies for authenticating attempted logins.
<Environment name="dari/authenticationPolicy/simple/class" type="java.lang.String" value="com.psddev.cms.db.SimpleAuthenticationPolicy" /><Environment name="dari/authenticationPolicy/hardened/class" type="java.lang.String" value="com.psddev.cms.db.HardenedAuthenticationPolicy" />
Both classes SimpleAuthenticationPolicy and HardenedAuthenticationPolicy must implement AuthenticationPolicy, as in the following example.
package com.psddev.cms.db;
import java.util.Map;
import com.psddev.dari.util.AuthenticationException;
import com.psddev.dari.util.AuthenticationPolicy;
public class SimpleAuthenticationPolicy implements AuthenticationPolicy {
@Override
public ToolUser authenticate(String username, String password) throws AuthenticationException {
/* Authentication code that returns a ToolUser object. */
return user;
}
@Override
public void initialize(String settingsKey, Map<String, Object> settings) {
/* Initialization code. */
}
}
See also:
The key cms/tool/authenticationPolicy activates one of the password policies declared with the key dari/authenticationPolicy/. The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for activating an authentication policy. If this key is not set, Brightspot checks if the submitted password matches the password associated with the user's account. |
cms/tool/authenticationPolicy |
type |
Type of the value. |
java.lang.String |
| value |
Class to use for authenticating a login attempt. |
One of the identifiers specified with the key dari/authenticationPolicy/. |
The following snippet activates the authentication policy simple that was declared in the snippet Declaring authentication policies.
<Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="simple" />
See also:
<Environment name="{custom}/passwordHistoryLimit" type="java.lang.String" value="10" override="false" />Key:{custom}/passwordHistoryLimitType: java.lang.String
The number of past passwords to keep for a user. Replace the {custom} placeholder with a value used by a custom password policy that implements com/psddev/dari/util/UserPasswordPolicy. The value is an identifier that is used to look up this configuration setting. If this option is not set, then there is no limit.
The key <id>/loginAttemptLimitspecifies the maximal number of login attempts before Brightspot locks the user's account.
The following table describes the attributes associated with this key.
| Attribute |
Description |
Valid values |
|---|---|---|
name |
Key for specifying the number of login attempts before locking a user's account. If this key is not set, there is no limit on the number of login attempts. |
<id>/loginAttemptLimit, where <id> is one of the identifiers specified with the key dari/authenticationPolicy/. |
type |
Type of the value. |
java.lang.Long |
value |
Number of permitted login attempts. |
Any long, although as a best practice the value should conform to your organization's security policy for login attempts. |
The following snippet specifies a maximum of 10 login attempts, after which Brightspot locks the users account. This limit is applicable when the authentication policy simple is activated.
<Environment name="simple/loginAttemptLimit" type="java.lang.String" value="10" />
See also:
The key PRODUCTION toggles between production and development environments. The following table describes the some of the differences between these environments.
| Feature |
true (production environment) |
false (development environment) |
|---|---|---|
| Debugging | Clients must authenticate against the debugging username and password before accessing the Dari debug tools. For information about configuring the debugging username and password, see Debug tools. | Clients can access the Dari debug tools without logging in. |
robots.txt |
Brightspot serves the actual file /robots.txt. |
Brightspot serves a dummy text file. |
| Debugging emails | Brightspot sends notifications only to subscribers. | Brightspot sends notifications to the configured debugging email addresses in addition to other subscribers. See the table Settings for the Global site for information about configuring debugging email addresses. |
Caution
If this key is not set, Brightspot assumes a default value of false and operates in a development environment—along with the associated relaxed security measures. Ensure you explicitly configure this value to true in production environments.
The following table describes the attributes associated with this key.
| Atrribute |
Description |
Valid values |
|---|---|---|
name |
Key for enabling or disabling production mode. Must be set in all caps. |
PRODUCTION |
type |
Type of the value. |
java.lang.Boolean |
value |
Enables or disables production mode. |
true, false (default) |
The following snippet configures an instance of Brightspot to run in production mode.
<Environment name="PRODUCTION" type="java.lang.Boolean" value="true" />
Step 1: Create authentication policy implementation
The following code example shows a custom implementation of AuthenticationPolicy. CustomAuthenticationPolicy extends ToolAuthenticationPolicy. This Brightspot base class does the work of validating user passwords. It also checks if the cms/tool/userPasswordPolicy key is set with a custom password policy implementation. If it is, ToolAuthenticationPolicy invokes the implementation to validate the password.
In the event that ToolAuthenticationPolicy cannot validate the user, CustomAuthenticationPolicy checks if the user has reached the login-attempt limit. It does this by accessing the value of the cms/tool/userPasswordPolicy key.
public class CustomAuthenticationPolicy extends ToolAuthenticationPolicy implements AuthenticationPolicy {
@Override
public ToolUser authenticate(final String username, String password) throws AuthenticationException {
ToolUser user = null;
try {
user = super.authenticate(username, password);
} catch (AuthenticationException e) {
user = Query.from(ToolUser.class).where("email = ? or username = ?", username, username).first();
if (user != null) {
/* Check if the login attempt limit has been reached. */
long loginAttemptLimit = Settings.getOrDefault(long.class, "acme/loginAttemptLimit", 0L);
if (loginAttemptLimit > 0
&& helperClass.getConsecutiveFailedLogins().size() >= loginAttemptLimit) {
throw new AuthenticationException("Too many failed login attempts. Please contact your System Administrator.");
}
}
throw e;
}
return user;
}
}
Step 2: Create password policy implementation
A custom password policy implements UserPasswordPolicy. It typically checks that a new password complies with defined string requirements like length and character type. A password policy can also access the passwordHistoryLimit key to limit reuse of a password within a defined history limit.
public class CustomPasswordPolicy implements UserPasswordPolicy {
@Override
public void validate(Object user, String password) throws PasswordException {
/* Validate password */
}
}
Step 3: Configure custom authentication policy
The Tomcat context.xml file includes the security keys to configure Brightspot for the custom authentication and password policy implementations.
<Environment name="dari/userPasswordPolicy/acme/class" type="java.lang.String" value="com.acme.auth.CustomPasswordPolicy" override="false" />
<Environment name="cms/tool/userPasswordPolicy" type="java.lang.String" value="acme" override="false" />
<Environment name="dari/authenticationPolicy/acme/class" type="java.lang.String" value="com.acme.auth.CustomAuthenticationPolicy" override="false" />
<Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="acme" override="false" />
<Environment name="acme/loginAttemptLimit" type="java.lang.String" value="5" override="false" />
<Environment name="acme/passwordHistoryLimit" type="java.lang.String" value="10" override="false" /> -
Specifies a custom password policy that implements com.psddev.dari.util.UserPasswordPolicy.
-
Specifies a custom authentication policy that implements com.psddev.dari.util.AuthenticationPolicy.
-
Specifies the login attempt limit, which is read by CustomAuthenticationPolicy.
-
Specifies the password reuse limit, which is read by CustomPasswordPolicy.