How to check Security Issues?
SSL
Enabling SSL ensures that communication between the end user's browser and the server is secure. Please see Setting Up SSL on Tomcat to learn more.
What is SSL?
SSL ( Secure Sockets Layer ) is the standard security technology for establishing an encrypted link between a web server and a browser.
Without SSL
Without the use of SSL between the end client and the server, any data sent between these 2 parties will be susceptible to data sniffing by hackers as the data packets travel from end to end.
Domain Whitelist for API Calls
See "API Domain Whitelist" under Settings to whitelist the domains that will use the Joget API.
Advantage
By enabling this option, only whitelisted servers are able to communicate with the server.
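The kind of check an API domain whitelist performs, as an added example that is not Joget's own code: the Origin (or Referer) of an API call is reduced to its host name and compared against the configured entries. The function names, the sample allowlist and the sample origins are constructed; the example goes a little beyond the text by showing why the comparison must be an exact host match (with an explicit "*." wildcard covering one label) rather than a substring test.

```python
# Added example (not Joget's own code): host allowlist check of the kind an
# "API Domain Whitelist" setting performs on the Origin/Referer of an API call.
# Names, the sample allowlist and sample origins are constructed.
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist as an administrator might enter it.
API_DOMAIN_WHITELIST = ["portal.example.com", "*.intranet.example.com"]


def naive_domain_allowed(origin: str, whitelist: Iterable[str] = API_DOMAIN_WHITELIST) -> bool:
    """Weak check: a substring match lets 'portal.example.com.evil.test' through."""
    return any(entry.lstrip("*.") in origin for entry in whitelist)


def host_of(origin: str) -> Optional[str]:
    """Lower-case host name from an absolute URL; None if it cannot be parsed."""
    try:
        host = urlsplit(origin).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def domain_allowed(origin: str, whitelist: Iterable[str] = API_DOMAIN_WHITELIST) -> bool:
    """Strict check: exact host match, or exactly one label under a '*.' entry."""
    host = host_of(origin)
    if host is None:
        return False                      # missing or unparsable Origin: fail closed
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]            # ".intranet.example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True               # e.g. app.intranet.example.com, not a.b.intranet...
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    for origin in ["https://portal.example.com:8443/api",
                   "https://portal.example.com.evil.test/api",
                   "https://app.intranet.example.com/"]:
        print(origin, naive_domain_allowed(origin), domain_allowed(origin))
```

The strict version fails closed on a missing or malformed Origin, ignores port and path, and refuses hosts that merely contain a whitelisted name; the weak version is included only to show the mistake it makes.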
Directory User Access Control
Maintaining a good password policy will keep users' passwords secure. The Security Enhanced Directory Manager is recommended; its features strengthen the security and control of user management. Enabling Multi-Factor Authentication using TOTP adds further strength.
Advantage
Enabling this option increases the security of the user's login information.
Without SSL
Without the use of SSL between the end client and the server, login information is sent to the server as unencrypted clear text.
Process Start White List
Use this feature under Map Participants to Users to restrict who can start process instances.
UI Menu Permission Control
Permission control is used to control and manage access to the various components of a developed Joget application. There are 4 main components/areas to which permission control can be applied. They are:
UI
UI Category
Form
Form Section
Showing the App in App Center only after user is logged on
The most common practice is to list apps in the App Center only if the user is logged in. To do so, head to the UI Settings of your app, locate Permission Type and set it to Logged In User.
As a best practice, the UI should be secure by default. You can set the UI permission as a whole to "Logged In User" before further hardening each and every UI category, including the hidden ones. An unprotected UI allows anonymous users and even robots (e.g. Googlebot caching the page) to access the UI once the app is published.
"Hide From Menu" under UI Category does not mean it is not accessible. It is simply not visible to users.
Read more at Permission Control.
Password Encryption
During application design, any sensitive information such as passwords may be encrypted for security purposes. You can change the key and salt used by the Joget DX 8 server to further strengthen this security.
Making changes to the key and salt will render all passwords unusable on an existing server; it is therefore only recommended during initial server installation.
Import/Export App
In an exported app, any password saved in the application design is encrypted as well. Hence, when the app is imported into another server, be sure to reconfigure all saved passwords, as a server with a different key and salt would render the passwords unusable.
Locate the file customApplicationContext.xml in \apache-tomcat-8.5.14\webapps\jw\WEB-INF\classes and add lines 6-9 as shown below.
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

    <bean id="dataEncryption" class="org.joget.apps.workflow.security.SecureDataEncryptionImpl">
        <property name="salt" value="NEW-VALUE-GOES-HERE"/>
        <property name="key" value="NEW-VALUE-GOES-HERE"/>
    </bean>

</beans>
Replace the salt and key values on lines 7 and 8 with your own.
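Why a key or salt change makes every stored password unusable, and why an import into a server with different values needs the passwords re-entered, as an added example that is not Joget's own code: the encryption key is derived from the configured key and salt, so a blob produced under one pair cannot be decrypted (or even authenticated) under another. The page does not describe the algorithm inside SecureDataEncryptionImpl; the PBKDF2 derivation and the HMAC-based authenticated cipher below are stand-ins chosen to run on the Python standard library alone, and the function names and sample values are constructed.

```python
# Added example (not Joget's own code): effect of changing the key/salt on
# previously encrypted passwords. KDF and cipher are standard-library stand-ins,
# not the algorithm used by SecureDataEncryptionImpl. Names are constructed.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ITERATIONS = 100_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(key: str, salt: str) -> Tuple[bytes, bytes]:
    """One PBKDF2-HMAC-SHA256 run over the configured key and salt, split into enc and mac keys."""
    dk = hashlib.pbkdf2_hmac("sha256", key.encode(), salt.encode(), ITERATIONS, dklen=64)
    return dk[:32], dk[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || block_index) blocks concatenated."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_password(plaintext: str, key: str, salt: str) -> bytes:
    """nonce || ciphertext || tag, with the tag computed encrypt-then-MAC."""
    enc_key, mac_key = derive_keys(key, salt)
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_password(blob: bytes, key: str, salt: str) -> Optional[str]:
    """The password, or None when the tag does not verify (wrong key/salt, or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(key, salt)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def rotation_outcome(password: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Encrypt under installation-time values, then read back before and after a change."""
    blob = encrypt_password(password, "OLD-KEY", "OLD-SALT")
    return (
        decrypt_password(blob, "OLD-KEY", "OLD-SALT"),   # unchanged server: readable
        decrypt_password(blob, "NEW-KEY", "OLD-SALT"),   # key changed: None
        decrypt_password(blob, "OLD-KEY", "NEW-SALT"),   # salt changed: None
    )


if __name__ == "__main__":
    print(rotation_outcome("s3cret!"))   # ('s3cret!', None, None)
```

Because decryption fails closed on the authentication tag, a server whose key or salt differs from the one that encrypted the value gets nothing back rather than garbage, which is the behaviour the page describes for both a key/salt change and an app import.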