Here is a collection of frequently asked questions about Tidbits:
Tidbits has been designed to hold personal and private information, so security is important when considering how to deploy Tidbits. Generally, Tidbits relies on procedures outside of the application itself to secure the data, such as encrypting the information that is stored.
There are several places where Tidbits stores potentially sensitive information:
Tidbits does not encrypt data directly, but it can be configured so that all data is stored in encrypted forms.
Tidbits is quite flexible with respect to how users are authenticated and granted access to the application. Keep in mind that Tidbits is designed so that all users who are granted access are then authorized to view all information stored in Tidbits. That is, the information a user can see is not limited to just the information they created — all users can see all information in Tidbits.
Tidbits relies on the Spring Security
framework to handle authentication and authorization. This means you have a great deal of flexibility in how you grant
users access to Tidbits. The following sections detail various ways of configuring authentication, which
refer to the Tidbits security configuration file WEB-INF/classes/security-context.xml
.
No matter what authentication approach is taken, Tidbits only requires that users are granted a ROLE_USER authority to access the application.
In this form, usernames and their associated passwords and granted authorities are stored in clear text directly
in the security-context.xml
file. This approach is only recommended for testing
purposes.
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="detailsService">
</authentication-provider>
</authentication-manager>
<user-service id="detailsService">
<!-- A login == test, password == test -->
<user name="test" authorities="ROLE_USER" password="test"/>
</user-service>
In this form, usernames and their associated passwords and granted authorities are stored directly in the
security-context.xml
file, but the passwords are stored as secure SHA-256
cryptographic hashes. In this way the passwords are secure, but the usernames are
still stored in plain text. This method is always preferred over the non-hashed
configuration described in the previous section.
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="detailsService">
<password-encoder hash="sha-256"/>
</authentication-provider>
</authentication-manager>
<user-service id="detailsService">
<!-- Login = test, password == test -->
<user name="test" authorities="ROLE_USER"
password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"/>
</user-service>
There are many ways to generate SHA-256 hashes from password strings, including online web pages that can generate the hash text for you.
In this form, a directory service is used to authenticate and authorize users, using the LDAP protocol. Tidbits will authenticate the username and passwords supplied by users with the directory server, and the directory server is expected to then return the granted authorities for that user.
There are two configuration elements to use for LDAP-based authentication:
<ldap-server url="ldap://localhost/dc=example,dc=com"
manager-dn="cn=Authenticator,dc=example,dc=com"
manager-password="450934jerpiojr0937o"/>
<authentication-manager alias="authenticationManager">
<ldap-authentication-provider
group-search-filter="(&(uniqueMember={0})(cn=Tidbits,ou=Groups,dc=example,dc=com))"
group-search-base="ou=Groups"
user-search-base="ou=People"
user-search-filter="uid={0}"
group-role-attribute="businessCategory"
/>
</authentication-manager>
In this configuration, Tidbits uses the cn=Authenticator,dc=example,dc=com
DN to connect to
the directory server. That user must have permission to search for users and compare password values, which
is configured in the ldap-authentication-provider element. Here users are searched by
looking for matching uid attributes within the ou=People,dc=example,dc=com
tree. If found, and the supplied password matches, and the user is a member of the
cn=Tidbits,ou=Groups,dc=example,dc=com
then the user is granted the authorization
defined by the businessCategory attribute of that group, which must be
USER
in order to access Tidbits.
Simply put, this configuration lets any user that is a member of
the cn=Tidbits
group to access Tidbits.
Here is an example LDIF formatted data for the relevant objects used in this example configuration:
version: 1 dn: cn=Authenticator,dc=example,dc=com objectClass: person objectClass: top cn: Authenticator sn: Authenticator userPassword:: e1NIQXLDKuyLdplkdeno83hjd09dsJSu7jPOJSPAOJF8 dn: cn=Test User,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson cn: Test User sn: User uid: test givenName: Test userPassword:: e1NIQX1rbm5FUEJnRJVa3zRiMFFucXJlK1AwMXRDeVk9 dn: cn=Tidbits,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Tidbits uniqueMember: cn=Test User,ou=People,dc=example,dc=com businessCategory: User