-
Notifications
You must be signed in to change notification settings - Fork 21
Keycloak Securing
Shanoir-NG takes security serious, therefore we introduced Keycloak into the application architecture.
All Spring Boot microservices share the same security configuration to protect access from outside for not authorized users.
Shanoir-NG follows the Keycloak documentation "Threat Model Mitigation" and takes into account all points to secure the application to a maximum.
- Ensured by Nginx
- Protect /auth/admin from the outside
- Shanoir-NG: in the nginx.conf the outside access to the admin console is blocked in line 75
-
Switch on BFD: Configure Realm Settings - Security Defenses - Brut Force Detection - Enabled:on use with standard options, but switch on
-
Shanoir-NG: shanoir-ng-realm.json contains the following lines to enable BFD by default
"bruteForceProtected": true, "permanentLockout": false, "maxFailureWaitSeconds": 900, "minimumQuickLoginWaitSeconds": 60, "waitIncrementSeconds": 60, "quickLoginCheckMilliSeconds": 1000, "maxDeltaTimeSeconds": 43200, "failureFactor": 30
Shanoir-NG follows a state of the art password policy.
Shanoir-NG sets specific headers into X-FRAME-OPTIONS and Content-Security-Policy.
Shanoir-NG uses SSL/HTTPS everywhere.
- Realm settings - Login - Require SSL -> all requests
- Shanoir-NG: has this enabled by default "sslRequired": "all"
As Shanoir-NG uses OpenID Connect with JWTs, there is no problem with CSRF attacks.
- Keycloak gives you fine grain control of session, cookie, and token timeouts. This is all done on the Tokens tab in the Realm Settings left menu item.
- Shanoir-NG: Access Token Lifespan is 5 minutes
- SSL/HTTPS is used everywhere
Shanoir-NG only uses specific redirect URIs within the authorization code flow.
Not necessary in the context of Shanoir-NG as we control all client applications connected.
Not necessary in the context of Shanoir-NG as we control all client applications connected.
Until today we are not aware of a SQL injection attack problem.