jamesfredley opened a new pull request, #1224: URL: https://github.com/apache/grails-spring-security/pull/1224
Introduces three top-level documents binding the 8.0.x branch:

- **`THREAT_MODEL.md`** - prose threat model following the Apache security-team rubric, covering all eight plugins (`core`, `acl`, `compat shim`, `ldap`, `cas`, `oauth2`, `rest/jwt`, `ui`) plus the four REST token-storage backends. Sections cover scope, trust boundaries, configuration variants, per-input trust, adversaries, properties provided (P1-P15), properties disclaimed, downstream responsibilities, known misuse patterns, known non-findings, conditions that would change the model, the closed set of triage dispositions, and open questions for the PMC.
- **`threat-model.yaml`** - machine-readable companion indexing components, config knobs, entry points, adversaries, claimed and disclaimed properties, false friends, known non-findings, and the closed disposition set. Intended for automated triage tooling.
- **`SECURITY.md`** - disclosure-process artifact pointing reporters at the ASF Security Team ([[email protected]](mailto:[email protected])) and cross-referencing the threat-model sections that govern triage.

## Status

`DRAFT`. Section 14 lists open questions for PMC ratification, grouped into three waves (scope, trust boundaries, misuse patterns) plus three meta questions. Once answered, the matching `(inferred)` tags promote to `(maintainer)` and the questions are deleted.

## What it claims (§8 summary)

P1-P15 across the eight plugins. The most security-critical claims:

- **P1**: Passwords stored as bcrypt hashes by default.
- **P2**: Session fixation prevented by default.
- **P3**: Pessimistic URL coverage (`rejectIfNoRule: true`).
- **P10**: JWT signature verified before claims trusted - with the `alg=none` open question flagged for wave 1.
- **P15**: Username enumeration via authentication-exception type suppressed by default.

## What it disclaims (§9 summary)

Highlights that surface frequently in scans of this codebase:

- CSRF protection on REST/JWT endpoints (bearer-token model).
- Anti-bot / rate limiting on `/login`, `/register`, `/forgotPassword`, `/api/login`.
- Reset-token and registration-code expiry.
- Stateless JWT revocation (`JwtTokenStorageService.removeToken` is a no-op).
- OAuth2 PKCE; secure `state` (current implementation uses `java.util.Random`).
- `X-Forwarded-For` / `X-Forwarded-Port` awareness in `IpAddressFilter` and `PortResolverImpl`.
- LDAP StartTLS; default `ldap.context.server` is plaintext `ldap://`.
- Default authorization on UI plugin endpoints (no `@Secured`, no default Requestmap rows).
- Mass-assignment protection in UI domain bindings.

## Drafting methodology

Multi-agent code analysis across the eight plugins:

- `plugin-core`: filter chain composition, authentication/authorization machinery, password encoders, session security, remember-me, channel security, IP restrictions, role hierarchy, autoconfig exclusion.
- `plugin-acl` + `spring-security-compat`: ACL services, object identity, voters, run-as, channel processors, expression-based pre/post advice.
- `plugin-rest`: REST filter chain, JWT generation/validation, token storage backends, CORS, refresh tokens, OAuth callback flow.
- `plugin-ldap` + `plugin-cas` + `plugin-oauth2`: external IdP integration patterns, ticket validators, OAuth state generation, PKCE absence, callback URL handling.
- `plugin-ui`: controllers, forms, command objects, GSP files, registration/reset flows, CSRF (`useToken`/`withForm`) coverage.

Cross-referenced against per-plugin `docs/src/docs/*.adoc` files for the `(documented)` provenance tags.

## Open questions for the PMC

The 22 questions in §14 are the load-bearing ratification gate. Wave 1 (scope / intended use) drives section 2-3 wording and the disposition for the `alg=none` and `cas.useSingleSignout` cases. Wave 2 (trust boundaries) covers proxy-awareness and OAuth2 hardening. Wave 3 covers misuse-pattern policy and known non-finding curation.

## Companion change in grails-core

Pairs with [`apache/grails-core#15664`](https://github.com/apache/grails-core/pull/15664), which introduces the equivalent document at the framework level. References to "Grails plugin or `grails` profile" are aligned across both PRs.

Assisted-by: claude-code:claude-4.7-opus

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
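The disclaimed list above notes that the current OAuth2 `state` value is produced with `java.util.Random`. The following Java block is an added example for readers of this thread, not code from grails-spring-security or from the PR: it contrasts a `Random`-derived state with one drawn from `SecureRandom`, and shows the callback-side comparison that binds the returned value to the one stored in the user's session. The class and method names (`OAuth2StateExample`, `weakState`, `strongState`, `stateMatches`) are hypothetical and do not correspond to anything in the plugin.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Added example (hypothetical names, not plugin code): why an OAuth2 "state"
 * parameter must come from a CSPRNG, and how the callback should verify it.
 */
public final class OAuth2StateExample {

    private static final SecureRandom SECURE = new SecureRandom();
    // URL-safe, unpadded encoding so the value can travel in the redirect query string unchanged.
    private static final Base64.Encoder URL_B64 = Base64.getUrlEncoder().withoutPadding();

    /**
     * Weak variant modelled on the disclaimed behaviour: java.util.Random is a
     * 48-bit linear congruential generator, so its output is fully determined by
     * its seed and is not suitable for an anti-CSRF nonce.
     */
    static String weakState(long seed) {
        byte[] buf = new byte[16];
        new Random(seed).nextBytes(buf);
        return URL_B64.encodeToString(buf);
    }

    /**
     * Hardened variant: 128 bits from the platform CSPRNG. The caller stores the
     * returned value in the HTTP session before redirecting to the provider.
     */
    static String strongState() {
        byte[] buf = new byte[16];
        SECURE.nextBytes(buf);
        return URL_B64.encodeToString(buf);
    }

    /**
     * Callback check: the state echoed by the provider must equal the value bound
     * to this session. MessageDigest.isEqual compares in constant time, so a
     * mismatch position is not observable through response timing.
     */
    static boolean stateMatches(String expectedFromSession, String returnedByProvider) {
        if (expectedFromSession == null || returnedByProvider == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expectedFromSession.getBytes(StandardCharsets.UTF_8),
                returnedByProvider.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Identical seeds yield identical "random" states: the property that rules Random out.
        System.out.println("weak, same seed twice, equal? "
                + weakState(42L).equals(weakState(42L)));

        // Two independent CSPRNG draws; each is a 22-character URL-safe token.
        String issued = strongState();
        String other = strongState();
        System.out.println("strong, two draws equal? " + issued.equals(other));

        // Simulated callback: legitimate echo passes, any other value fails.
        System.out.println("callback with issued state accepted? " + stateMatches(issued, issued));
        System.out.println("callback with foreign state accepted? " + stateMatches(issued, other));
    }
}
```

The practical rule the example encodes is that `state` must be unpredictable per authorization request and checked on return before the code exchange proceeds; generating it with `SecureRandom` and storing it server-side in the session is the minimum, and PKCE (also listed as disclaimed above) would additionally bind the token response to the client that started the flow.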
