Lars,

Thanks - much appreciated

Regards
Calle

On 8 December 2015 at 14:12, Lars Helge Øverland <[email protected]> wrote:

> Hi Calle,
>
> security isn't really confined to a few files and we don't have a document
> specifically on that.
>
> Since you need an urgent reply what you could say is:
>
> - Main security config files are found here:
>
> http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml
>
> http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml
>
> - DHIS 2 is using a fairly standard security setup based on Spring
> Security. Web site <http://projects.spring.io/spring-security/> |
> reference
> <https://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html>
> | overview <https://en.wikipedia.org/wiki/Spring_Security>
>
> - DHIS 2 uses Bcrypt adaptive hashing of passwords. Read more
> <https://en.wikipedia.org/wiki/Bcrypt>.
>
> - DHIS 2 can authenticate against the local database, using OpenID
> <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch07.html#d5e1573>
> (from 2.19) and LDAP
> <http://dhis2.github.io/dhis2-docs/master/en/implementer/html/ch08s05.html>
> server (from 2.21)
>
> - DHIS 2 supports OAuth2
> <http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e75>
> and basic
> <http://dhis2.github.io/dhis2-docs/master/en/developer/html/ch01s02.html#d5e69>
> authentication for Web API requests / integration with other systems.
>
> - DHIS 2 lets you configure password expiration under settings
> <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.
>
> - DHIS 2 allows for user account recovery / password reset with recaptcha
> under settings
> <http://dhis2.github.io/dhis2-docs/master/en/user/html/ch23.html#d5e4445>.
>
> - DHIS 2 access control is based on a standard solution with user roles
> with authorities.
>
> regards,
>
> Lars
>
> On Tue, Dec 8, 2015 at 12:48 PM, Calle Hedberg <[email protected]> wrote:
>
>> Hi
>>
>> We have an urgent request from the SA Auditor General for a copy of the
>> software code controlling/defining the password/security setup in DHIS2.
>>
>> 1. Is all of that code in one file or set of files, and if yes
>> which/where can I quickly find it?
>>
>> 2. Is there a document available that provides a more conceptual
>> description of the DHIS2 access/security features?
>>
>> Sorry to push, but this is urgent - I was only made aware of the request
>> 2 minutes ago, and the deadline was 9am this morning.... (it's habitual
>> for the AG to give extremely short deadlines, regrettably - and while I
>> don't see them actually doing an in-depth assessment of that code, that
>> seems to be what they want...)
>>
>> Regards
>> Calle
>>
>> *******************************************
>>
>> Calle Hedberg
>>
>> 46D Alma Road, 7700 Rosebank, SOUTH AFRICA
>>
>> Tel/fax (home): +27-21-685-6472
>>
>> Cell: +27-82-853-5352
>>
>> Iridium SatPhone: +8816-315-19119
>>
>> Email: [email protected]
>>
>> Skype: calle_hedberg
>>
>> *******************************************
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to : [email protected]
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help : https://help.launchpad.net/ListHelp
>
> --
> Lars Helge Øverland
> Lead developer, DHIS 2
> University of Oslo
> Skype: larshelgeoverland
> http://www.dhis2.org <https://www.dhis2.org>

