Search results for "Security"

JWT Auth

security.jwt.secrettype Selects the secret type that will be used to sign or verify a given access or refresh token.
security.jwt.secret Used if ‘security.jwt.secrettype’=secret. The secret that will be used to sign and verify all tokens issued and sent to Structr. Must have a min. length of 32 characters.
security.jwt.jwtissuer The issuer for the JWTs created by this Structr instance.
security.jwt.expirationtime Access token timeout in minutes.
security.jwt.refreshtoken.expirationtime Refresh token timeout in minutes.
security.jwt.keystore Used if ‘security.jwt.secrettype’=keypair. A valid keystore file containing a private/public keypair that can be used to sign and verify JWTs.
security.jwt.keystore.password The password for the given ‘security.jwt.keystore’.
security.jwt.key.alias The alias of the private key of the given ‘security.jwt.keystore’.
security.jwks.provider The URL of the authentication system that issues JWTs. Structr will try to read the .well-known information of the service.

Two Factor Authentication

security.twofactorauthentification.level Sets whether 2FA is enabled, optional or disabled. Valid values are: forced, optional, off
security.twofactorauthentification.issuer Name of the 2FA issuer. Must be URL-compliant in order to generate valid QR codes.
security.twofactorauthentification.algorithm Respected by the most recent Google Authenticator implementations.
security.twofactorauthentification.digits Number of digits in the 2FA code.
security.twofactorauthentification.period Defines the period, in seconds, for which a TOTP code is valid. Respected by the most recent Google Authenticator implementations.
security.twofactorauthentification.logintimeout Defines the length of the two-factor login window in seconds. After entering username and password, the user has this amount of time to enter a two-factor token before having to re-authenticate with the password.
security.twofactorauthentification.loginpage The application page where the user enters the current two factor token.
security.twofactorauthentification.whitelistedips A comma-separated (,) list of IPs for which two factor authentication is disabled. Both IPv4 and IPv6 are supported. CIDR notation is also supported. For example: 192.168.0.1/24 would whitelist 192.168.0.1 - 192.168.0.254

Password Policy

security.passwordpolicy.forcechange Indicates if a forced password change is active.
security.passwordpolicy.onchange.clearsessions Clear all sessions of a user on password change.
security.passwordpolicy.maxage The number of days after which a user has to change their password.
security.passwordpolicy.remindtime The number of days before the mandatory password change during which a warning should be issued. (Has to be handled in application code.)
security.passwordpolicy.maxfailedattempts The maximum number of failed login attempts before a user is blocked. (Can be disabled by setting it to zero or a negative number.)
security.passwordpolicy.restfailedattemptspasswordreset Configures whether resetting the user's password also resets the failed login attempts counter.

Database Contents

Non-admin users are subject to node-level security, which you can read more about in the Security chapter. In short, a node can have an owner and a set of optional Security Relationships that determine the permissions of a user or a group on that node. Security Relationships are direct relationships between a user and some other node.

Application Security

application.security.resolution.depth Maximum number of nodes that are traversed for security resolution.
application.security.ownerless.nodes The user permission level on ownerless nodes. One or more of: read, write, delete, accessControl
application.xml.parser.security Enables various measures to prevent XML parsing exploits.

Authentication - JSON Web Tokens

To use JWTs with a KeyStore file you have to edit the following Structr configuration settings:

key value
security.jwt.secrettype keypair
security.jwt.keystore [The name of your KeyStore file]
security.jwt.keystore.password [The password to your KeyStore file]
security.jwt.key.alias [The alias of the key in the KeyStore file]

Permission Grants

Permission grants are signified by a SECURITY relationship (user/group)-[:SECURITY {"allowed": ["read","write","delete","accessControl"]}]->(data) between users and/or groups and the data nodes. They indicate whether a user or a user group has access to a node. The SECURITY relationship for users is automatically created by Structr.

Unable to log in - Too many failed login attempts

By default, Structr auto-locks an account after 4 incorrect login attempts. Further login attempts (even with the correct password) result in the error message “Too many failed login attempts”. This behaviour is controlled by the configuration setting security.passwordpolicy.maxfailedattempts. The default is 4, and the functionality is disabled for any number less than or equal to 0.

The number of failed login attempts is stored in the user node in the attribute passwordAttempts. Setting this attribute to 0 enables the user to log in again.

This can be done using the superadmin credentials (or any other admin account) by sending a PUT request to the appropriate resource (/structr/rest/User/[UUID_OF_USER]) with the body {"passwordAttempts":0}. It can also be solved by temporarily changing the setting to 0 and logging in.

Security Settings

The Security Settings tab contains all settings controlling the security properties of a Structr application. In particular, they include two-factor authentication, password policies and Let's Encrypt configuration. The Security Settings are subdivided into the following subsections:

Authentication - JSON Web Tokens

key value
security.jwt.jwtissuer Defaults to ‘structr’
security.jwt.expirationtime Defaults to 60 minutes
security.jwt.refreshtoken.expirationtime Defaults to 1440 minutes

Resource Access Grants

This part of Structr’s backend UI is the place where the entry points of Structr’s HTTP REST Service can be configured.

While the security system of Structr is focused on users and their security context (i.e. does the user have access to a given database entity?), the checking of resource access grants is focused on the URL path (the resource) of an HTTP request.

More precisely, if a user requests all entities of a given schema type via Structr’s REST interface with a call to the URL /structr/rest/SchemaType, Structr will check if the user is logged into the system and if a GET request on the resource /SchemaType is permitted for authenticated users. If the user is not logged into the system the GET permission for non-authenticated users has to be set for that resource.

Only when the permission for the resource is set will Structr go on to check whether the user has grants for the actual database content, i.e. the entities of the type SchemaType.

Node-level security

Every entity created by Structr in the underlying graph database is stored as a node with relationships to other nodes. Following this concept, even files, folders, users, groups, pages etc. always have a node representing them in the database. Structr makes use of this for its security system to provide security at the level of those nodes.

Permission Grants

The creation of SECURITY relationships can be skipped for admin users by setting the skipSecurityRelationships flag on the admin user node. To skip the creation of the relationship for non-admin users a lifecycle method onCreate can be created with the content:

This lifecycle method has to be created on every schema type the creating user should not have a SECURITY relationship to.

Note: If both OWNS and SECURITY are skipped for non-admin users, the creating user probably has no rights to even see the node after creating it. Using the access control functions grant() or copy_permissions(), the user or group can be given rights to the node.
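The node-level rules described above (owner, SECURITY relationships with an "allowed" list, the ownerless-node fallback, admins exempt, group membership resolved up to a depth limit) as a small runnable model. This is an added illustration, not Structr's own code: the class and method names are invented, and reading application.security.resolution.depth as a cap on the number of principals visited is an assumption.

```python
from collections import deque

# Illustrative model (not Structr's code) of the node-level security rules
# described on this page. Assumption: the resolution depth caps how many
# principals (the user plus its transitive groups) are visited per check.

PERMISSIONS = ("read", "write", "delete", "accessControl")


class SecurityGraph:
    def __init__(self, ownerless_nodes=(), resolution_depth=10):
        self.owner = {}        # node -> owning principal (the OWNS relationship)
        self.security = {}     # (principal, node) -> allowed permissions
        self.member_of = {}    # principal -> groups it belongs to
        self.ownerless_nodes = set(ownerless_nodes)   # application.security.ownerless.nodes
        self.resolution_depth = resolution_depth      # application.security.resolution.depth

    def set_owner(self, principal, node):
        self.owner[node] = principal

    def grant(self, principal, node, allowed):
        # (principal)-[:SECURITY {"allowed": [...]}]->(node); unknown names are dropped
        self.security[(principal, node)] = set(allowed) & set(PERMISSIONS)

    def add_to_group(self, principal, group):
        self.member_of.setdefault(principal, set()).add(group)

    def is_allowed(self, user, node, permission, is_admin=False):
        if is_admin:
            return True          # admins are not subject to node-level security
        if node not in self.owner and permission in self.ownerless_nodes:
            return True          # ownerless node: configured default level applies
        if self.owner.get(node) == user:
            return True          # the owner holds every permission
        # Breadth-first walk: user -> its groups -> their parent groups -> ...
        seen, queue, visited = {user}, deque([user]), 0
        while queue and visited < self.resolution_depth:
            principal = queue.popleft()
            visited += 1
            if permission in self.security.get((principal, node), ()):
                return True
            for group in self.member_of.get(principal, ()):
                if group not in seen:
                    seen.add(group)
                    queue.append(group)
        return False             # budget exhausted or no matching grant
```

A grant that sits deeper in the group hierarchy than the resolution depth allows is silently treated as absent, which is the failure mode to keep in mind when lowering that setting.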

Authentication

Access to the REST endpoints is prohibited by default and can be obtained through different authentication methods. Please refer to the Security chapter below to learn more about Structr’s Security System, Authentication Headers, Resource Access Grants and HTTP Basic Authentication.

Access Control and Visibility

The Access Control and Visibility dialog provides access to the security settings of a node. In this dialog, you can set, edit or remove the owner of the node, set visibility flags and configure security relationships.

Two Factor Authentication

Warning: Changing the security.twofactorauthentification.algorithm or security.twofactorauthentification.period after users are already confirmed will effectively lock them out. Set the attribute twoFactorConfirmed to false on the user objects to show them a new QR code.

Deployment Format

folder / file: description
components: Contains the shared components of the pages editor of Structr.
files: Contains all files from Structr's virtual filesystem. Folders and files in the virtual filesystem are not exported by default. To include a folder or file in the export, set the flag includeInFrontendExport on each file or folder. Each file or folder inherits this flag from its parent folder.
mail-templates: Contains the mail templates.
modules: Contains the application configuration and the definition of additional Structr modules, e.g. the flow engine.
pages: Contains the pages created in the pages editor of Structr.
schema: Contains the schema definition and the code entered in the schema and code section of the Structr UI.
security: Contains the resource access grants defined in the security section of the Structr UI.
templates: Contains all template elements of the pages editor of Structr.
application-configuration-data.json: Contains the configured schema layouts of Structr's schema editor.
components.json: Contains the settings (e.g. visibility flags, contentType or uuid) for each file in the components folder of the export.
deploy.conf: Contains information about the Structr system that created the export of the application.
files.json: Contains the settings (e.g. visibility flags, contentType or uuid) for each file in the files folder of the export.
localizations.json: Contains the localizations that were created in the localizations section of the Structr UI and that can be used in server-side scripting with the localize() function of Structr.
mail-templates.json: Contains the settings (e.g. visibility flags, locale or uuid) for each file in the mail-templates folder of the export.
pages.json: Contains the settings (e.g. visibility flags, contentType or uuid) for each file in the pages folder of the export.
pre-deploy.conf: Script that is run before the deployment import. Use this to create users who are granted access to nodes in the export files.
post-deploy.conf: Script that is run after the deployment import. Can be used to start any tasks that are necessary after import.
sites.json: Contains the sites configured in the pages section of the Structr UI.
templates.json: Contains the settings (e.g. visibility flags, contentType or uuid) for each file in the templates folder of the export.
widget.json: Contains the widgets created in the pages section of the Structr UI.