Security

This section describes Brightspot’s security configuration keys in context.xml. In addition, as a best practice, install Brightspot on an SSL-configured domain that is separate from the sites it publishes.

Automatic User Account Creation

When a user submits a username and password at the login page, Brightspot checks if the user has an existing account. If the user does not have an existing account, and if Brightspot is in development mode, the key cms/tool/isAutoCreateUser indicates if Brightspot should automatically create one. This setting is convenient for testing and debugging.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for automatically creating a user account. If this key is not set, Brightspot does not automatically create user accounts. | cms/tool/isAutoCreateUser |
| type | Type of the value. | java.lang.Boolean |
| value | Indicates if Brightspot automatically creates accounts for logged in users without one. | true: Brightspot automatically creates the account. false: A Brightspot administrator must manually create the account. For details, see Creating Users. |

The following snippet indicates Brightspot automatically creates accounts for users at the login page who do not have an account.

<Environment name="cms/tool/isAutoCreateUser" type="java.lang.Boolean" value="true" />

Limiting Uploads by File Type

The key cms/tool/fileContentTypeGroups defines a global blacklist and whitelist of file types that users can upload. The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for limiting file uploads by type. If this key is not set, users can upload any type of file. | cms/tool/fileContentTypeGroups |
| type | Type of the value. | java.lang.String |
| value | File types allowed and disallowed for upload. | List of file types formatted in the SparseSet representation. |

The following snippet blocks file uploads of all types except for images, PDFs, videos, and audio files.

<Environment name="cms/tool/fileContentTypeGroups" type="java.lang.String" value="-/ +image/ +application/pdf +video/ +audio/" />

Using the annotation @Recordable.MimeTypes, you can further constrain the global whitelist of file upload types at the field level—but not expand the global blacklist.

Session Timeout

The key cms/tool/sessionTimeout configures the duration after which a Brightspot session times out and the user must log in again. The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying session timeout. | cms/tool/sessionTimeout |
| type | Type of the value. | java.lang.Long |
| value | Number of milliseconds before an inactive session times out. | Any long, although as a best practice the value should conform to your organization’s security policy for session timeouts. |

The following snippet specifies a session timeout after five minutes.

<Environment name="cms/tool/sessionTimeout" type="java.lang.Long" value="300000" />

Password Expiration

The key cms/tool/passwordExpirationInDays configures the number of days after which a user must create a new password. The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying number of days between password expirations. If this key is not set, passwords never expire. | cms/tool/passwordExpirationInDays |
| type | Type of the value. | java.lang.Long |
| value | Number of days between password expirations. | Any long, although as a best practice the value should conform to your organization’s security policy for password expirations. |

The following snippet specifies password expiration after 60 days.

<Environment name="cms/tool/passwordExpirationInDays" type="java.lang.Long" value="60" />

Password Token Expiration

The key cms/tool/changePasswordTokenExpirationInHours configures the number of hours after which a temporary Brightspot-generated password expires. The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying number of hours after which a temporary password token expires. If this key is not set, the expiration defaults to 24 hours. | cms/tool/changePasswordTokenExpirationInHours |
| type | Type of the value. | java.lang.Long |
| value | Number of hours after which password token expires. | Any long, although as a best practice the value should conform to your organization’s security policy for temporary password expirations. |

The following snippet specifies password token expiration after 48 hours.

<Environment name="cms/tool/changePasswordTokenExpirationInHours" type="java.lang.Long" value="48" />

Password Change

The key cms/tool/admin/users/disablePasswordChange enables or disables the users’ ability to change their own passwords. The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for toggling users’ ability to change their passwords. If this key is not set, users can change their passwords. | cms/tool/admin/users/disablePasswordChange |
| type | Type of the value. | java.lang.Boolean |
| value | Indicates if users’ ability to change their own passwords is disabled. | true, false |

The following snippet prevents users from changing their own passwords.

<Environment name="cms/tool/admin/users/disablePasswordChange" type="java.lang.Boolean" value="true" />

Email Notification From Address

The key cms/tool/forgotPasswordEmailSender specifies the from address when Brightspot sends emails regarding password resets. This key also exposes a Forgot Password link on the login page that users click to submit a password-reset request.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying the from address for password-reset emails. | cms/tool/forgotPasswordEmailSender |
| type | Type of the value. | java.lang.String |
| value | From address in password-reset emails. | An email address. |

The following snippet specifies a from address when sending password-reset emails.

<Environment name="cms/tool/forgotPasswordEmailSender" type="java.lang.String" value="password-admin@example.com" />

Password Reset Email Interval

The key cms/tool/forgotPasswordIntervalInMinutes specifies the number of minutes before Brightspot sends another password-reset email to the same user. This option protects Brightspot from processing automated repeated password-reset requests from the same user within an unreasonably short period of time.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying number of minutes to pass before sending another password email request to the same user. If this key is not set, users can submit password reset requests every five minutes. | cms/tool/forgotPasswordIntervalInMinutes |
| type | Type of the value. | java.lang.Long |
| value | Number of minutes to pass before sending another password email request to the same user. | Any long, although as a best practice the value should conform to your organization’s security policy for protecting servers. |

The following snippet indicates users can submit password reset requests every 15 minutes.

<Environment name="cms/tool/forgotPasswordIntervalInMinutes" type="java.lang.Long" value="15" />

Declaring Password Policies

The key dari/userPasswordPolicy/ declares available password policies. A password policy validates new or changed passwords for complexity, such as number of characters, character types in the password (alphanumeric, special characters), and if the password can be reused within a period of time. You can declare multiple password policies, and assign one of them to your Brightspot instance.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying a class that validates a password’s complexity. | dari/userPasswordPolicy/<id>/class, where <id> is a unique XML-compatible identifier. |
| type | Type of the value. | java.lang.String |
| value | Class that validates a password’s complexity. The class must implement UserPasswordPolicy. | Fully qualified class name that implements UserPasswordPolicy. |

The following snippet declares two policies for validating password complexity.

Declaring available password policies
<Environment name="dari/userPasswordPolicy/simple/class" type="java.lang.String" value="brightspot.core.tool.SimplePasswordPolicy" />
<Environment name="dari/userPasswordPolicy/hardened/class" type="java.lang.String" value="brightspot.core.tool.HardenedPasswordPolicy" />

Both classes SimplePasswordPolicy and HardenedPasswordPolicy must implement UserPasswordPolicy, as in the following example.

package brightspot.core.tool;

import java.util.Map;

import com.psddev.dari.util.PasswordException;
import com.psddev.dari.util.UserPasswordPolicy;

public class SimplePasswordPolicy implements UserPasswordPolicy {

    @Override
    public void initialize(String settingsKey, Map<String, Object> settings) {
       /* Initialization code */
    }

    @Override
    public void validate(Object user, String password) throws PasswordException {
       /* Validation code */
    }
}

Activating a Password Policy

The key cms/tool/userPasswordPolicy activates one of the password policies declared with the key dari/userPasswordPolicy/. The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for activating a password policy. If this key is not set, Brightspot does not check users’ passwords for complexity. | cms/tool/userPasswordPolicy |
| type | Type of the value. | java.lang.String |
| value | Class to use for validating a password. | One of the identifiers specified with the key dari/userPasswordPolicy/. |

The following snippet activates the password policy simple that was declared in the snippet Declaring available password policies.

<Environment name="cms/tool/userPasswordPolicy" type="java.lang.String" value="simple" />

Limiting Password Reuse

The key <id>/passwordHistoryLimit specifies the number of previous passwords to retain for a user’s account. You can use this limit to ensure a user does not reuse a previous password.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for retaining a user’s previous passwords. If this key is not set, Brightspot does not retain any previous passwords. | <id>/passwordHistoryLimit, where <id> is one of the identifiers specified with the key dari/userPasswordPolicy/. |
| type | Type of the value. | java.lang.String |
| value | Number of passwords to retain. | Any long, although as a best practice the value should conform to your organization’s security policy for using previous passwords. |

The following snippet specifies retaining a user’s ten previous passwords (including the current one) when the user password policy simple is activated.

<Environment name="simple/passwordHistoryLimit" type="java.lang.String" value="10" />

Declaring Authentication Policies

The key dari/authenticationPolicy/ declares available authentication policies. An authentication policy can check if a user object exists corresponding to the username in the login form, check if the user’s password expired and needs to be reset, and validate attempted logins from suspicious domain names. You can declare multiple authentication policies, and assign one of them to your Brightspot instance.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying a class that authenticates an attempted login. | dari/authenticationPolicy/<id>/class, where <id> is a unique XML-compatible identifier. |
| type | Type of the value. | java.lang.String |
| value | Class that authenticates an attempted login. The class must implement AuthenticationPolicy. | Fully qualified class name. |

The following snippet declares two policies for authenticating attempted logins.

Declaring available authentication policies
<Environment name="dari/authenticationPolicy/simple/class" type="java.lang.String" value="com.psddev.cms.db.SimpleAuthenticationPolicy" />
<Environment name="dari/authenticationPolicy/hardened/class" type="java.lang.String" value="com.psddev.cms.db.HardenedAuthenticationPolicy" />

Both classes SimpleAuthenticationPolicy and HardenedAuthenticationPolicy must implement AuthenticationPolicy, as in the following example.

package com.psddev.cms.db;

import java.util.Map;

import com.psddev.dari.util.AuthenticationException;
import com.psddev.dari.util.AuthenticationPolicy;

public class SimpleAuthenticationPolicy implements AuthenticationPolicy {

    @Override
    public ToolUser authenticate(String username, String password) throws AuthenticationException {
        /* Authentication code that returns a ToolUser object. */
        return user;
    }

    @Override
    public void initialize(String settingsKey, Map<String, Object> settings) {
        /* Initialization code. */
    }
}

Activating an Authentication Policy

The key cms/tool/authenticationPolicy activates one of the authentication policies declared with the key dari/authenticationPolicy/. The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for activating an authentication policy. If this key is not set, Brightspot checks if the submitted password matches the password associated with the user’s account. | cms/tool/authenticationPolicy |
| type | Type of the value. | java.lang.String |
| value | Class to use for authenticating a login attempt. | One of the identifiers specified with the key dari/authenticationPolicy/. |

The following snippet activates the authentication policy simple that was declared in the snippet Declaring available authentication policies.

<Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="simple" />

Login Attempt Limit

The key <id>/loginAttemptLimit specifies the maximal number of login attempts before Brightspot locks the user’s account.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for specifying the number of login attempts before locking a user’s account. If this key is not set, there is no limit on the number of login attempts. | <id>/loginAttemptLimit, where <id> is one of the identifiers specified with the key dari/authenticationPolicy/. |
| type | Type of the value. | java.lang.Long |
| value | Number of permitted login attempts. | Any long, although as a best practice the value should conform to your organization’s security policy for login attempts. |

The following snippet specifies a maximum of 10 login attempts, after which Brightspot locks the user’s account. This limit is applicable when the authentication policy simple is activated.

<Environment name="simple/loginAttemptLimit" type="java.lang.String" value="10" />

Toggling Production and Development Environments

The key PRODUCTION toggles between production and development environments. The following table describes some of the differences between these environments.

| Feature | true (production environment) | false (development environment) |
|---|---|---|
| Debugging | Clients must authenticate against the debugging username and password before accessing the Dari debug tools. For information about configuring the debugging username and password, see Debug Tools. | Clients can access the Dari debug tools without logging in. |
| robots.txt | Brightspot serves the actual file /robots.txt. | Brightspot serves a dummy text file. |
| Debugging emails | Brightspot sends notifications only to subscribers. | Brightspot sends notifications to the configured debugging email addresses in addition to other subscribers. See the table Global Settings–Main Tab for information about configuring debugging email addresses. |

Caution

If this key is not set, Brightspot assumes a default value of false and operates in a development environment—along with the associated relaxed security measures. Ensure you explicitly configure this value to true in production environments.

The following table describes the attributes associated with this key.

| Attribute | Description | Valid values |
|---|---|---|
| name | Key for enabling or disabling production mode. Must be set in all caps. | PRODUCTION |
| type | Type of the value. | java.lang.Boolean |
| value | Enables or disables production mode. | true, false (default) |

The following snippet configures an instance of Brightspot to run in production mode.

<Environment name="PRODUCTION" type="java.lang.Boolean" value="true" />
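
Several keys on this page leave a control switched off when they are not set. The following audit script is an added example, not Brightspot code: it parses a context.xml document, reports keys whose documented default is permissive, and flags an activated policy identifier that was never declared. The function name audit, the wording of the findings, and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample context.xml fragment, for illustration only.
SAMPLE_CONTEXT = """<Context>
  <Environment name="cms/tool/isAutoCreateUser" type="java.lang.Boolean" value="true" />
  <Environment name="cms/tool/fileContentTypeGroups" type="java.lang.String" value="-/ +image/ +application/pdf" />
  <Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="hardened" />
  <Environment name="dari/authenticationPolicy/simple/class" type="java.lang.String" value="com.psddev.cms.db.SimpleAuthenticationPolicy" />
</Context>"""

# Keys whose absence switches a control off, with the default this page documents.
UNSET_DEFAULTS = {
    "cms/tool/fileContentTypeGroups": "users can upload any type of file",
    "cms/tool/passwordExpirationInDays": "passwords never expire",
    "cms/tool/userPasswordPolicy": "passwords are not checked for complexity",
}

# (activation key, declaration prefix, per-policy limit key, documented default when unset)
POLICIES = [
    ("cms/tool/userPasswordPolicy", "dari/userPasswordPolicy/", "passwordHistoryLimit", "no previous passwords are retained"),
    ("cms/tool/authenticationPolicy", "dari/authenticationPolicy/", "loginAttemptLimit", "login attempts are unlimited"),
]

def audit(context_xml):
    """Return a list of findings for one context.xml document."""
    root = ET.fromstring(context_xml)
    env = {e.get("name"): e.get("value", "") for e in root.iter("Environment")}
    findings = []
    # PRODUCTION defaults to false (development mode) when it is absent.
    if env.get("PRODUCTION", "false").lower() != "true":
        findings.append("PRODUCTION is not true: development mode is active")
        if env.get("cms/tool/isAutoCreateUser", "").lower() == "true":
            findings.append("cms/tool/isAutoCreateUser is true in development mode")
    for key, default in UNSET_DEFAULTS.items():
        if key not in env:
            findings.append(f"{key} is not set: {default}")
    for active_key, prefix, limit, default in POLICIES:
        policy_id = env.get(active_key)
        if policy_id is None:
            continue  # Not activated, so there is no <id> to check.
        if f"{prefix}{policy_id}/class" not in env:
            findings.append(f"{active_key} activates undeclared policy '{policy_id}'")
        if f"{policy_id}/{limit}" not in env:
            findings.append(f"{policy_id}/{limit} is not set: {default}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONTEXT)))
```

Run it against each environment's context.xml as part of deployment checks; an empty result means none of the permissive defaults covered here is in effect.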