Topics

Security


In This Guide

This section describes Brightspot’s security configuration keys in context.xml. In addition, as a best practice install Brightspot on an SSL-configured domain that is separate from the sites it publishes.

See also:


Automatic user account creation

When a user submits a username and password at the login page, Brightspot checks if the user has an existing account. If the user does not have an existing account, and if Brightspot is in development mode, the key cms/tool/isAutoCreateUserindicates if Brightspot should automatically create one. This setting is convenient for testing and debugging.

The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for automatically creating a user account. If this key is not set, Brightspot does not automatically create user accounts.
cms/tool/isAutoCreateUser
type
Type of the value.
java.lang.Boolean
value
Indicates if Brightspot automatically creates accounts for logged in users without one.
  • true—Brightspot automatically creates the account.
  • false—A Brightspot administrator must manually create the account.

The following snippet indicates Brightspot automatically creates accounts for users at the login page who do not have an account.

<Environment name="cms/tool/isAutoCreateUser" type="java.lang.Boolean" value="true" />

See also:


Limiting uploads by file type

The key cms/tool/fileContentTypeGroups defines a global list of permitted and blocked file types that users can upload. The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for limiting file uploads by type. If this key is not set, users can upload any type of file.
cms/tool/fileContentTypeGroups
type
Type of the value.
java.lang.String
value
Files types allowed and disallowed for upload.
List of file types formatted in the SparseSet representation.

The following snippet blocks file uploads of all types except for images, PDFs, videos, and audio files.

<Environment name="cms/tool/fileContentTypeGroups" type="java.lang.String" value="-/ +image/ +application/pdf +video/ +audio/" />

Using the annotation @Recordable.MimeTypes, you can further constrain the global list of permitted upload types at the field level—but not expand the global list of blocked file types.


Limiting super user access to developer features

Some developer-level features are available through the Brightspot UI, such as the HTML toggle on the rich-text toolbar and the Developer submenu in the navigation menu. Users without a role are by default super users, and have access to all Brightspot features including those at the developer level.

To block super users’ access to the developer-level features, set the key brightspot/missingRolePermissions. The following table describes the attributes associated with this key.

Attribute
Description
Valid Values
name
Key for blocking super users from accessing developer-level features in the UI. If this key is not set, super users have access to those features.
brightspot/missingRolePermissions
type
Type of the value.
java.lang.String
value
Features allowed and blocked from super users.

List of features formatted in the SparseSet representation.

The following snippet blocks access to all developer-level features—those in the navigation menu and those in widgets.

<Environment name="brightspot/missingRolePermissions" type="java.lang.String" value="+/ -area/developer -area/developer/ -developer/"/>


        

Session timeout

The key cms/tool/sessionTimeout configures the duration after which a Brightspot session times out and the user must log in again. The following table describes the attributes associated with this key.

Attribute

Description

Valid values

name
Key for specifying session timeout.
cms/tool/sessionTimeout
type
Type of the value.
java.lang.Long
value
Number of milliseconds before an inactive session times out.
Any long, although as a best practice the value should conform to your organization's security policy for session timeouts.

The following snippet specifies a session timeout after five minutes.

<Environment name="cms/tool/sessionTimeout" type="java.lang.Long" value="300000" />


Password expiration

The key cms/tool/passwordExpirationInDays configures the number of days after which a user must create a new password. The following table describes the attributes associated with this key.

Atrribute

Description

Valid values

name
Key for specifying number of days between password expirations. If this key is not set, passwords never expire.
cms/tool/passwordExpirationInDays
type
Type of the value.
java.lang.Long
value
Number of days between password expirations.
Any long, although as a best practice the value should conform to your organization's security policy for password expirations.

The following snippet specifies password expiration after 60 days.

<Environment name="cms/tool/passwordExpirationInDays" type="java.lang.Long" value="60" />


Password change

The key cms/tool/admin/users/disablePasswordChangeenables or disables the users' ability to change their own passwords. The following table describes the attributes associated with this key.

Attribute

Description

Valid values

name
Key for toggling users' ability to change their passwords. If this key is not set, users can change their passwords.
cms/tool/admin/users/disablePasswordChange
type
Type of the value.
java.lang.Boolean
value
Indicates users can change their passwords.
truefalse

The following snippet prevents users from changing their own passwords.

<Environment name="cms/tool/admin/users/disablePasswordChange" type="java.lang.Boolean" value="true" />


Email notification from address

The key cms/tool/forgotPasswordEmailSender specifies the from address when Brightspot sends emails regarding password resets. This key also exposes a Forgot Password link on the login page that users click to submit a password-reset request.

The following table describes the attributes associated with this key.

Attribute

Description

Valid values

name
Key for specifying the from address for password-reset emails.
cms/tool/forgotPasswordEmailSender
type
Type of the value.
java.lang.String
value
From address in password-reset emails.
An email address.

The following snippet specifies a from address when sending password-reset emails.

<Environment name="cms/tool/forgotPasswordEmailSender" type="java.lang.String" value="password-admin@example.com" />


Password reset email interval

The key cms/tool/forgotPasswordIntervalInMinutes specifies the number of minutes before Brightspot sends another password-reset email to the same user. This option protects Brightspot from processing automated repeated password-reset requests from the same user within an unreasonably short period of time.

The following table describes the attributes associated with this key.

Attribute

Description

Valid values

name
Key for specifying number of minutes to pass before sending another password email request to the same user. If this key is not set, users can submit password reset requests every five minutes.
cms/tool/forgotPasswordIntervalInMinutes
type
Type of the value.
java.lang.Long
value
Number of minutes to pass before sending another password email request to the same user.
Any long, although as a best practice the value should conform to your organization's security policy for protecting servers.

The following snippet indicates users can submit password reset requests every 15 minutes.

<Environment name="cms/tool/forgotPasswordIntervalInMinutes" type="java.lang.Long" value="15" />


Declaring password policies

The key dari/userPasswordPolicy/ declares available password policies. A password policy validates new or changed passwords for complexity, such as number of characters, character types in the password (alphanumeric, special characters), and if the password can be reused within a period of time. You can declare multiple password policies, and assign one of them to your Brightspot instance.

The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for specifying a class that validates a password's complexity.
dari/userPasswordPolicy/<id>/class, where <id> is a unique XML-compatible identifier.
type
Type of the value.
java.lang.String
value
Class that validates a password's complexity. The class must implement UserPasswordPolicy.
Fully qualified class name that implements UserPasswordPolicy.

The following snippet declares two policies for validating password complexity.

<Environment name="dari/userPasswordPolicy/simple/class" type="java.lang.String" value="brightspot.core.tool.SimplePasswordPolicy" /><Environment name="dari/userPasswordPolicy/hardened/class" type="java.lang.String" value="brightspot.core.tool.HardenedPasswordPolicy" />

Both classes SimplePasswordPolicy and HardenedPasswordPolicy must implement UserPasswordPolicy, as in the following example.

package brightspot.core.tool;

import java.util.Map;

import com.psddev.dari.util.PasswordException;
import com.psddev.dari.util.UserPasswordPolicy;

public class SimplePasswordPolicy implements UserPasswordPolicy {

    @Override
    public void initialize(String settingsKey, Map<String, Object> settings) {
       /* Initialization code */
    }

    @Override
    public void validate(Object user, String password) throws PasswordException {
       /* Validation code */
    }
}

See also:


Activating a password policy

The key cms/tool/userPasswordPolicy activates one of the password policies declared with the key dari/userPasswordPolicy/. The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for activating a password policy. If this key is not set, Brightspot does not check users' passwords for complexity.
cms/tool/userPasswordPolicy
type
Type of the value.
java.lang.String
value
Class to use for validating a password.
One of the identifiers specified with the key dari/userPasswordPolicy/.

The following snippet activates the password policy simple that was declared in the snippet Declaring password policies.

<Environment name="cms/tool/userPasswordPolicy" type="java.lang.String" value="simple" />


Limiting password reuse

The key <id>/passwordHistoryLimit specifies the previous number of passwords to retain for a user's account. You can use this limit to ensure a user does not use a previous password.

The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for retaining a user's previous passwords. If this key is not set, Brightspot does not retain any previous passwords.
<id>/passwordHistoryLimit, where <id> is one of the identifiers specified with the key dari/userPasswordPolicy/.
type
Type of the value.
java.lang.String
value
Number of passwords to retain.
Any long, although as a best practice the value should conform to your organization's security policy for using previous passwords.

The following snippet specifies retaining a user's ten previous passwords (including the current one) when the user password policy simple is activated.

<Environment name="simple/passwordHistoryLimit" type="java.lang.String" value="10" />

See also:


Declaring authentication policies

The key dari/authenticationPolicy/ declares available authentication policies. An authentication policy can check if a user object exists corresponding to the username in the login form, if the user's password expired and needs to be reset, and can validate attempted logins from suspicious domain names. You can declare multiple authentication policies, and assign one of them to your Brightspot instance.

The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for specifying a class that authenticates an attempted login.
dari/authenticationPolicy//class, where  is a unique XML-compatible identifier.
type
Type of the value.
java.lang.String
value
Class that authenticates an attempted login. The class must implement AuthenticationPolicy.
Fully qualified class name.

The following snippet declares two policies for authenticating attempted logins.

<Environment name="dari/authenticationPolicy/simple/class" type="java.lang.String" value="com.psddev.cms.db.SimpleAuthenticationPolicy" /><Environment name="dari/authenticationPolicy/hardened/class" type="java.lang.String" value="com.psddev.cms.db.HardenedAuthenticationPolicy" />

Both classes SimpleAuthenticationPolicy and HardenedAuthenticationPolicy must implement AuthenticationPolicy, as in the following example.

package com.psddev.cms.db;

import java.util.Map;

import com.psddev.dari.util.AuthenticationException;
import com.psddev.dari.util.AuthenticationPolicy;

public class SimpleAuthenticationPolicy implements AuthenticationPolicy {

    @Override
    public ToolUser authenticate(String username, String password) throws AuthenticationException {
        /* Authentication code that returns a ToolUser object. */
        return user;
    }

    @Override
    public void initialize(String settingsKey, Map<String, Object> settings) {
        /* Initialization code. */
    }
}

See also:


Activating an authentication policy

The key cms/tool/authenticationPolicy activates one of the password policies declared with the key dari/authenticationPolicy/. The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for activating an authentication policy. If this key is not set, Brightspot checks if the submitted password matches the password associated with the user's account.
cms/tool/authenticationPolicy
type
Type of the value.
java.lang.String
value
Class to use for authenticating a login attempt.
One of the identifiers specified with the key dari/authenticationPolicy/.

The following snippet activates the authentication policy simple that was declared in the snippet Declaring authentication policies.

<Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="simple" />

See also:


Password reuse limit

<Environment name="{custom}/passwordHistoryLimit" type="java.lang.String" value="10" override="false" />

Key:{custom}/passwordHistoryLimitType: java.lang.String

The number of past passwords to keep for a user. Replace the {custom} placeholder with a value used by a custom password policy that implements com/psddev/dari/util/UserPasswordPolicy. The value is an identifier that is used to look up this configuration setting. If this option is not set, then there is no limit.


Login attempt limit

The key <id>/loginAttemptLimitspecifies the maximal number of login attempts before Brightspot locks the user's account.

The following table describes the attributes associated with this key.

Attribute
Description
Valid values
name
Key for specifying the number of login attempts before locking a user's account. If this key is not set, there is no limit on the number of login attempts.
<id>/loginAttemptLimit, where <id> is one of the identifiers specified with the key dari/authenticationPolicy/.
type
Type of the value.
java.lang.Long
value
Number of permitted login attempts.
Any long, although as a best practice the value should conform to your organization's security policy for login attempts.

The following snippet specifies a maximum of 10 login attempts, after which Brightspot locks the users account. This limit is applicable when the authentication policy simple is activated.

<Environment name="simple/loginAttemptLimit" type="java.lang.String" value="10" />

See also:


Toggling production and development environments

The key PRODUCTION toggles between production and development environments. The following table describes the some of the differences between these environments.

Featuretrue (production environment)false (development environment)
DebuggingClients must authenticate against the debugging username and password before accessing the Dari debug tools. For information about configuring the debugging username and password, see Debug tools.Clients can access the Dari debug tools without logging in.
robots.txtBrightspot serves the actual file /robots.txt.Brightspot serves a dummy text file.
Debugging emailsBrightspot sends notifications only to subscribers.Brightspot sends notifications to the configured debugging email addresses in addition to other subscribers. See the table Settings for the Global site for information about configuring debugging email addresses.

Caution

If this key is not set, Brightspot assumes a default value of false and operates in a development environment—along with the associated relaxed security measures. Ensure you explicitly configure this value to true in production environments.

The following table describes the attributes associated with this key.

Atrribute
Description
Valid values
name
Key for enabling or disabling production mode. Must be set in all caps.
PRODUCTION
type
Type of the value.
java.lang.Boolean
value
Enables or disables production mode.
truefalse (default)

The following snippet configures an instance of Brightspot to run in production mode.

<Environment name="PRODUCTION" type="java.lang.Boolean" value="true" />


Custom authentication policy example

Step 1: Create authentication policy implementation

The following code example shows a custom implementation of AuthenticationPolicy. CustomAuthenticationPolicy extends ToolAuthenticationPolicy. This Brightspot base class does the work of validating user passwords. It also checks if the cms/tool/userPasswordPolicy key is set with a custom password policy implementation. If it is, ToolAuthenticationPolicy invokes the implementation to validate the password.

In the event that ToolAuthenticationPolicy cannot validate the user, CustomAuthenticationPolicy checks if the user has reached the login-attempt limit. It does this by accessing the value of the cms/tool/userPasswordPolicy key.

public class CustomAuthenticationPolicy extends ToolAuthenticationPolicy implements AuthenticationPolicy {

    @Override
    public ToolUser authenticate(final String username, String password) throws AuthenticationException {

        ToolUser user = null;
        try {         
            user = super.authenticate(username, password);
        } catch (AuthenticationException e) {
            user = Query.from(ToolUser.class).where("email = ? or username = ?", username, username).first();
            if (user != null) {
                /* Check if the login attempt limit has been reached. */
                long loginAttemptLimit = Settings.getOrDefault(long.class, "acme/loginAttemptLimit", 0L);
                if (loginAttemptLimit > 0
                     && helperClass.getConsecutiveFailedLogins().size() >= loginAttemptLimit) {
                    throw new AuthenticationException("Too many failed login attempts. Please contact your System Administrator.");
                }
            }
            throw e;
        }
        return user;
    }
}

Step 2: Create password policy implementation

A custom password policy implements UserPasswordPolicy. It typically checks that a new password complies with defined string requirements like length and character type. A password policy can also access the passwordHistoryLimit key to limit reuse of a password within a defined history limit.

public class CustomPasswordPolicy implements UserPasswordPolicy {

    @Override
    public void validate(Object user, String password) throws PasswordException {

        /* Validate password */

    }
}

Step 3: Configure custom authentication policy

The Tomcat context.xml file includes the security keys to configure Brightspot for the custom authentication and password policy implementations.

 <Environment name="dari/userPasswordPolicy/acme/class" type="java.lang.String" value="com.acme.auth.CustomPasswordPolicy" override="false" /> 
 <Environment name="cms/tool/userPasswordPolicy" type="java.lang.String" value="acme" override="false" />

 <Environment name="dari/authenticationPolicy/acme/class" type="java.lang.String" value="com.acme.auth.CustomAuthenticationPolicy" override="false" /> 
 <Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="acme" override="false" /> 

 <Environment name="acme/loginAttemptLimit" type="java.lang.String" value="5" override="false" /> 
 <Environment name="acme/passwordHistoryLimit" type="java.lang.String" value="10" override="false" /> 
  • Specifies a custom password policy that implements com.psddev.dari.util.UserPasswordPolicy.
  • Specifies a custom authentication policy that implements com.psddev.dari.util.AuthenticationPolicy.
  • Specifies the login attempt limit, which is read by CustomAuthenticationPolicy.
  • Specifies the password reuse limit, which is read by CustomPasswordPolicy.