Hi Calle,

security isn't really confined to a few files and we don't have a document specifically on that.

Since you need an urgent reply, what you could say is:

- Main security config files are found here:

  http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml

  http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml

- DHIS 2 is using a fairly standard security setup based on Spring Security. Web site <http://projects.spring.io/spring-security/> | reference <https://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html> | overview <https://en.wikipedia.org/wiki/Spring_Security>

- DHIS 2 uses Bcrypt adaptive hashing of passwords. Read more <https://en.wikipedia.org/wiki/Bcrypt>.

- DHIS 2 can authenticate against the local database, using OpenID <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch07.html#d5e1573> (from 2.19) and LDAP <http://dhis2.github.io/dhis2-docs/master/en/implementer/html/ch08s05.html> server (from 2.21).

- DHIS 2 supports OAuth2 <http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e75> and basic <http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e69> authentication for Web API requests / integration with other systems.

- DHIS 2 lets you configure password expiration under settings <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.

- DHIS 2 allows for user account recovery / password reset with recaptcha under settings <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.

- DHIS 2 access control is based on a standard solution with user roles with authorities.

regards,

Lars

On Tue, Dec 8, 2015 at 12:48 PM, Calle Hedberg <[email protected]> wrote:

> Hi
>
> We have an urgent request from the SA Auditor General for a copy of the
> software code controlling/defining the password/security setup in DHIS2.
>
> 1. Is all of that code in one file or set of files, and if yes which/where
> can I quickly find it?
>
> 2. Is there a document available that provides a more conceptual
> description of the DHIS2 access/security features?
>
> Sorry to push, but this is urgent - I was only made aware of the request 2
> minutes ago, and the deadline was 9am this morning.... (it's habitual for
> the AG to give extremely short deadlines, regrettably - and while I don't
> see them actually doing an in-depth assessment of that code, that seems to
> be what they want...)
>
> Regards
> Calle
>
> *******************************************
>
> Calle Hedberg
>
> 46D Alma Road, 7700 Rosebank, SOUTH AFRICA
>
> Tel/fax (home): +27-21-685-6472
>
> Cell: +27-82-853-5352
>
> Iridium SatPhone: +8816-315-19119
>
> Email: [email protected]
>
> Skype: calle_hedberg
>
> *******************************************
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help : https://help.launchpad.net/ListHelp
>
>

--
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
http://www.dhis2.org <https://www.dhis2.org>

