Security

It is a best practice to place the Brightspot editorial UI on an SSL-configured domain that is separate from the end-user sites it powers. In addition, the Brightspot editorial UI can be secured with the following configuration options.

User Creation

<Environment name="cms/tool/isAutoCreateUser" type="java.lang.Boolean" value="{true|false}" override="false" />
Key: cms/tool/isAutoCreateUser Type: java.lang.Boolean
If true (default), automatically creates ToolUser objects for first-time users who log into Brightspot. If false, first-time users cannot log into Brightspot before the administrator creates accounts for the users.

File Upload Restrictions

<Environment name="cms/tool/fileContentTypeGroups" type="java.lang.String" value="{fileTypes}" override="false" />
Key: cms/tool/fileContentTypeGroups Type: java.lang.String

You can limit the type of files uploaded to Brightspot, both on the global and field levels. If this option is not set at either level, then any file type can be uploaded to Brightspot.

This key specifies the file types that can be uploaded at the global level. Set the value using the SparseSet representation, for example:

-/ +image/ +application/pdf +video/ +application/zip +audio/ +application/msword +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet +application/vnd.ms-excel +application/vnd.ms-powerpoint +application/x-photoshop +application/postscript

You can also limit file upload types at the field level, specifically for StorageItem fields. For more information, see the @Recordable.MimeTypes annotation.

Session Timeout

<Environment name="cms/tool/sessionTimeout" type="java.lang.Long" value="{num}" override="false" />
<Environment name="dari/routingFilter/applicationPath/{custom}" type="java.lang.String" value="{servletPath}" override="false" />
Key: cms/tool/sessionTimeout Type: java.lang.Long
The number of milliseconds before an inactive session times out. If this option is not set, then no timeout applies.
Key: dari/routingFilter/applicationPath/{custom} Type: java.lang.String
The custom servlet path to which Brightspot routes a session-timeout error. Replace the {custom} placeholder with an identifier used by a filter class to look up this configuration setting.

Authentication Policy

There are a number of security keys that you can set to customize user authentication. For example, you can override default Brightspot settings for changing passwords, resetting passwords, and number of login attempts.

For greater customization, you can implement your own authentication policy that leverages the security options described below. A custom authentication policy can also invoke a custom password policy that enforces password requirements.

Password Expiration

<Environment name="cms/tool/passwordExpirationInDays" type="java.lang.Long" value="{num}" override="false" />
<Environment name="cms/tool/changePasswordTokenExpirationInHours" type="java.lang.Long" value="{num}" override="false" />
Key: cms/tool/passwordExpirationInDays Type: java.lang.Long
The number of days before passwords expire. If this option is not set, then there is no expiration.
Key: cms/tool/changePasswordTokenExpirationInHours Type: java.lang.Long
The number of hours before password tokens expire. If this option is not set, the default of 24 hours is used.

Password Change

<Environment name="cms/tool/admin/users/disablePasswordChange" type="java.lang.Boolean" value="{true|false}" override="false" />
Key: cms/tool/admin/users/disablePasswordChange Type: java.lang.Boolean
If true, users cannot change their own passwords. If this option is not set, users can change their passwords.

Password Reset

<Environment name="cms/tool/forgotPasswordEmailSender" type="java.lang.String" value="{sender@host}" override="false" />
<Environment name="cms/tool/forgotPasswordIntervalInMinutes" type="java.lang.Long" value="{num}" override="false" />
Key: cms/tool/forgotPasswordEmailSender Type: java.lang.String

An email sender identifier that Brightspot uses in the “from” line of password-reset emails, for example, password-reset@acme.com.

If this option is set, Brightspot includes a “Forgot Password?” link on the login page, which, if clicked, allows the user to submit a password-reset request. If the user’s Brightspot account includes an email address, Brightspot sends a password-reset message with a temporary password to the user’s email account.

If this option is set without a value, or if no email address is set in the user’s Brightspot account, a PasswordException is thrown.

Key: cms/tool/forgotPasswordIntervalInMinutes Type: java.lang.Long
The number of minutes that must pass before Brightspot will send another password-reset email to the user. This option protects Brightspot from processing repeated password-reset requests from the same user within an unreasonably short period of time. If this option is not set, the default of 5 minutes is used.

Custom Authentication Policies

<Environment name="dari/userPasswordPolicy/{custom}/class" type="java.lang.String" value="{com.your.passwordImpl}" override="false" />
<Environment name="cms/tool/userPasswordPolicy" type="java.lang.String" value="{custom}" override="false" />
<Environment name="dari/authenticationPolicy/{custom}/class" type="java.lang.String" value="{com.your.authImpl}" override="false" />
<Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="{custom}" override="false" />
Key: dari/userPasswordPolicy/{custom}/class Type: java.lang.String

The class name of a custom com.psddev.dari.util.UserPasswordPolicy implementation. Replace the {custom} placeholder with an identifier value that Brightspot will use to find the class.

A password policy typically validates passwords for new users or existing users changing their password. It verifies the password requirements of the site, such as string length, character types in the string, and whether the string is being reused within a defined history limit.

If a custom password policy is not used, Brightspot does not validate passwords; any passwords can be used.

Key: cms/tool/userPasswordPolicy Type: java.lang.String
The custom password policy class for Brightspot to use. Set the value to match the {custom} placeholder value in dari/userPasswordPolicy/{custom}/class.
Key: dari/authenticationPolicy/{custom}/class Type: java.lang.String

The class name of a com.psddev.dari.util.AuthenticationPolicy implementation. Replace the {custom} placeholder with an identifier value that Brightspot will use to find the class.

If no custom authentication policy is set, Brightspot uses com.psddev.cms.db.ToolAuthenticationPolicy for basic authentication functionality. ToolAuthenticationPolicy checks if passwords of existing users are correct. For new users, or existing users changing their passwords, ToolAuthenticationPolicy checks the cms/tool/userPasswordPolicy key for a custom password policy, and validates passwords with the custom policy if it exists.

Key: cms/tool/authenticationPolicy Type: java.lang.String
The custom authentication policy class for Brightspot to use. Set the value to match the {custom} placeholder value in dari/authenticationPolicy/{custom}/class.

See Custom Authentication Policy Example.

Password Reuse Limit

<Environment name="{custom}/passwordHistoryLimit" type="java.lang.String" value="{num}" override="false" />
Key: {custom}/passwordHistoryLimit Type: java.lang.String
The number of past passwords to keep for a user. Replace the {custom} placeholder with a value used by a custom password policy that implements com.psddev.dari.util.UserPasswordPolicy. The value is an identifier that is used to look up this configuration setting. If this option is not set, then there is no limit.

Login Attempt Limit

<Environment name="{custom}/loginAttemptLimit" type="java.lang.String" value="{num}" override="false" />
Key: {custom}/loginAttemptLimit Type: java.lang.String
The number of login attempts to allow before the user is locked out of the system. Replace the {custom} placeholder with a value used by a custom authentication policy that implements com.psddev.dari.util.AuthenticationPolicy. The value is an identifier that is used to look up this configuration setting. If this option is not set, then there is no limit.

Custom Authentication Policy Example

Step 1: Create Authentication Policy Implementation

The following code example shows a custom implementation of AuthenticationPolicy. Note that CustomAuthenticationPolicy extends ToolAuthenticationPolicy. This Brightspot base class does the work of validating user passwords. It also checks if the cms/tool/userPasswordPolicy key is set with a custom password policy implementation. If it is, ToolAuthenticationPolicy invokes the implementation to validate the password.

In the event that ToolAuthenticationPolicy cannot validate the user, CustomAuthenticationPolicy checks if the user has reached the login-attempt limit. It does this by reading the value of the {custom}/loginAttemptLimit key (acme/loginAttemptLimit in this example).

import com.psddev.cms.db.ToolAuthenticationPolicy;
import com.psddev.cms.db.ToolUser;
import com.psddev.dari.db.Query;
import com.psddev.dari.util.AuthenticationException;
import com.psddev.dari.util.AuthenticationPolicy;
import com.psddev.dari.util.Settings;

public class CustomAuthenticationPolicy extends ToolAuthenticationPolicy implements AuthenticationPolicy {

   @Override
   public ToolUser authenticate(final String username, String password) throws AuthenticationException {

      ToolUser user = null;
      try {
         user = super.authenticate(username, password);

      } catch (AuthenticationException e) {
           // The base class could not validate the credentials. Look the account up
           // so the login-attempt limit can be enforced for an existing user.
           user = Query.from(ToolUser.class).where("email = ? or username = ?", username, username).first();
           if (user != null) {
               // Check if the login attempt limit has been reached. The key matches the
               // {custom}/loginAttemptLimit setting in context.xml ("acme" in this example).
               long loginAttemptLimit = Settings.getOrDefault(long.class, "acme/loginAttemptLimit", 0L);
               // helperClass is a placeholder for the project's own tracker of consecutive
               // failed logins for this user; it is not part of Brightspot.
               if (loginAttemptLimit > 0
                     && helperClass.getConsecutiveFailedLogins().size() >= loginAttemptLimit) {
                  throw new AuthenticationException("Too many failed login attempts. "
                        + "Please contact your System Administrator.");
               }
           }
           throw e;
      }

      return user;
   }
}

Step 2: Create Password Policy Implementation

A custom password policy implements UserPasswordPolicy. It typically checks that a new password complies with defined string requirements like length and character type. A password policy can also access the passwordHistoryLimit key to limit reuse of a password within a defined history limit.

import com.psddev.dari.util.PasswordException;
import com.psddev.dari.util.UserPasswordPolicy;

public class CustomPasswordPolicy implements UserPasswordPolicy {

   // Fields and helpers for the site's password rules go here.

   @Override
   public void validate(Object user, String password) throws PasswordException {

      // Validate password: check length and character types, and reject reuse
      // within the {custom}/passwordHistoryLimit window, throwing
      // PasswordException when a requirement is not met.

   }
}
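A fuller version of the policy sketched above, written for this page as an added example and not Brightspot's own code. The minimum length, the three-of-four character-class rule and the username check are this example's choices; previousPasswords is a hypothetical hook, because Brightspot does not store prior password hashes for you; it assumes Dari's Password.check(String) is available for comparing a candidate against a stored hash.

```java
package com.acme.auth;

import com.psddev.cms.db.ToolUser;
import com.psddev.dari.util.Password;
import com.psddev.dari.util.PasswordException;
import com.psddev.dari.util.Settings;
import com.psddev.dari.util.UserPasswordPolicy;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

public class CustomPasswordPolicy implements UserPasswordPolicy {

    private static final int MIN_LENGTH = 12;
    private static final List<Pattern> CLASSES = List.of(
            Pattern.compile("[A-Z]"), Pattern.compile("[a-z]"),
            Pattern.compile("[0-9]"), Pattern.compile("[^A-Za-z0-9]"));

    @Override
    public void validate(Object user, String password) throws PasswordException {
        if (password == null || password.length() < MIN_LENGTH) {
            throw new PasswordException("Password must be at least " + MIN_LENGTH + " characters.");
        }
        // Require three of the four character classes instead of one fixed mix.
        long present = CLASSES.stream().filter(p -> p.matcher(password).find()).count();
        if (present < 3) {
            throw new PasswordException("Password must use at least three of: upper case, lower case, digits, symbols.");
        }
        if (user instanceof ToolUser) {
            String username = ((ToolUser) user).getUsername();
            if (username != null && password.toLowerCase().contains(username.toLowerCase())) {
                throw new PasswordException("Password must not contain the username.");
            }
        }
        // Same key as the {custom}/passwordHistoryLimit setting in context.xml; unset or 0 means no limit.
        long limit = Settings.getOrDefault(long.class, "acme/passwordHistoryLimit", 0L);
        if (limit > 0) {
            for (Password previous : previousPasswords(user, limit)) {
                if (previous.check(password)) {
                    throw new PasswordException("Password was used within the last " + limit + " changes.");
                }
            }
        }
    }

    /** Hypothetical hook: return the user's most recent stored hashes, newest first. Override with your project's storage. */
    protected List<Password> previousPasswords(Object user, long limit) {
        return Collections.emptyList();
    }
}
```

Brightspot instantiates the class named in dari/userPasswordPolicy/acme/class by reflection, so the policy keeps a no-argument constructor and receives its history through the overridable hook rather than through constructor parameters.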

Step 3: Configure Custom Authentication Policy

The Tomcat context.xml file includes the security keys to configure Brightspot for the custom authentication and password policy implementations.

1 <Environment name="dari/userPasswordPolicy/acme/class" type="java.lang.String" value="com.acme.auth.CustomPasswordPolicy" override="false" />
2 <Environment name="cms/tool/userPasswordPolicy" type="java.lang.String" value="acme" override="false" />
3 <Environment name="dari/authenticationPolicy/acme/class" type="java.lang.String" value="com.acme.auth.CustomAuthenticationPolicy" override="false" />
4 <Environment name="cms/tool/authenticationPolicy" type="java.lang.String" value="acme" override="false" />
5 <Environment name="acme/loginAttemptLimit" type="java.lang.String" value="5" override="false" />
6 <Environment name="acme/passwordHistoryLimit" type="java.lang.String" value="10" override="false" />

In the previous snippet—

  • Lines 1–2 specify a custom password policy that implements com.psddev.dari.util.UserPasswordPolicy.
  • Lines 3–4 specify a custom authentication policy that implements com.psddev.dari.util.AuthenticationPolicy.
  • Line 5 specifies the login attempt limit, which is read by CustomAuthenticationPolicy.
  • Line 6 specifies the password reuse limit, which is read by CustomPasswordPolicy.