Password/security related code in DHIS2

Hi

We have an urgent request from the SA Auditor General for a copy of the software code controlling/defining the password/security setup in DHIS2.

  1. Is all of that code in one file or set of files, and if yes which/where can I quickly find it?

  2. Is there a document available that provides a more conceptual description of the DHIS2 access/security features?

Sorry to push, but this is urgent - I was only made aware of the request 2 minutes ago, and the deadline was 9am this morning… (it’s habitual for the AG to give extremely short deadlines, regrettably - and while I don’t see them actually doing an in-depth assessment of that code, that seems to be what they want…)

Regards

Calle


Calle Hedberg

46D Alma Road, 7700 Rosebank, SOUTH AFRICA

Tel/fax (home): +27-21-685-6472

Cell: +27-82-853-5352

Iridium SatPhone: +8816-315-19119

Email: calle.hedberg@gmail.com

Skype: calle_hedberg


Hi Calle,

security isn’t really confined to a few files and we don’t have a document specifically on that.

Since you need an urgent reply what you could say is:

  • Main security config files are found here:

http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml

http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/view/head:/dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml

  • DHIS 2 is using a fairly standard security setup based on Spring Security. Web site | reference | overview

  • DHIS 2 uses Bcrypt adaptive hashing of passwords. Read more.

  • DHIS 2 can authenticate against the local database, using OpenID (from 2.19) and LDAP server (from 2.21).

  • DHIS 2 supports OAuth2 and basic authentication for Web API requests / integration with other systems.

  • DHIS 2 lets you configure password expiration under settings.

  • DHIS 2 allows for user account recovery / password reset with recaptcha under settings.

  • DHIS 2 access control is based on a standard solution with user roles with authorities.

regards,

Lars


On Tue, Dec 8, 2015 at 12:48 PM, Calle Hedberg calle.hedberg@gmail.com wrote:


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Lars Helge Øverland

Lead developer, DHIS 2

University of Oslo

Skype: larshelgeoverland

http://www.dhis2.org
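As an added illustration of the Bcrypt and Spring Security bullets above (this is example code, not from the thread or from DHIS 2's own code base): Spring Security's BCryptPasswordEncoder with an assumed cost of 12, plus a small check that reads the work factor back out of a stored hash, which is the property an auditor reviewing stored credentials would want to verify. The cost value and the sample password are assumptions for the example.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptWorkFactorCheck {

    // The cost (work factor) is an assumption for this example; the thread does not
    // state which strength DHIS 2 configures. Each +1 doubles the hashing time,
    // which is what makes bcrypt "adaptive".
    private static final int COST = 12;

    // Spring Security's bcrypt implementation; a fresh random salt is generated per call.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(COST);

    static String hash(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    static boolean verify(String rawPassword, String storedHash) {
        // The encoder re-hashes with the salt embedded in storedHash and compares;
        // never compare the strings yourself.
        return ENCODER.matches(rawPassword, storedHash);
    }

    // A stored bcrypt hash looks like "$2a$12$<22-char salt><31-char digest>".
    // The cost is the second field, so it can be audited without knowing any password.
    static int costOf(String storedHash) {
        String[] fields = storedHash.split("\\$");
        if (fields.length < 4 || !fields[1].startsWith("2")) {
            throw new IllegalArgumentException("not a bcrypt hash");
        }
        return Integer.parseInt(fields[2]);
    }

    // Flag hashes whose cost has fallen below the current policy minimum, so they
    // can be re-hashed on the user's next successful login.
    static boolean needsRehash(String storedHash, int minimumCost) {
        return costOf(storedHash) < minimumCost;
    }

    public static void main(String[] args) {
        String first = hash("example-only-password");   // constructed sample input
        String second = hash("example-only-password");
        System.out.println("distinct salts:   " + !first.equals(second));
        System.out.println("correct accepted: " + verify("example-only-password", first));
        System.out.println("wrong rejected:   " + !verify("not-the-password", first));
        System.out.println("stored cost:      " + costOf(first));
        System.out.println("needs rehash:     " + needsRehash(first, COST));
    }
}
```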

Lars,

Thanks - much appreciated

Regards
Calle


On 8 December 2015 at 14:12, Lars Helge Øverland larshelge@gmail.com wrote:


