Posted to commits@manifoldcf.apache.org by kw...@apache.org on 2013/07/26 21:23:44 UTC
svn commit: r1507408 - in /manifoldcf/site/trunk: scripts/sitepatch.bat
src/documentation/content/xdocs/en_US/developer-resources.xml
src/documentation/content/xdocs/en_US/security.xml
src/documentation/content/xdocs/site.xml
Author: kwright
Date: Fri Jul 26 19:23:44 2013
New Revision: 1507408
URL: http://svn.apache.org/r1507408
Log:
Add security page.
Added:
manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/security.xml (with props)
Modified:
manifoldcf/site/trunk/scripts/sitepatch.bat
manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/developer-resources.xml
manifoldcf/site/trunk/src/documentation/content/xdocs/site.xml
Modified: manifoldcf/site/trunk/scripts/sitepatch.bat
URL: http://svn.apache.org/viewvc/manifoldcf/site/trunk/scripts/sitepatch.bat?rev=1507408&r1=1507407&r2=1507408&view=diff
==============================================================================
--- manifoldcf/site/trunk/scripts/sitepatch.bat (original)
+++ manifoldcf/site/trunk/scripts/sitepatch.bat Fri Jul 26 19:23:44 2013
@@ -3,3 +3,5 @@
"%JAVA_HOME%"\bin\java -jar c:\javadocpatcher\JavadocUpdaterTool.jar -R %1\release\release-1.1.1\api
"%JAVA_HOME%"\bin\java -jar c:\javadocpatcher\JavadocUpdaterTool.jar -R %1\release\release-1.0.1\api
"%JAVA_HOME%"\bin\java -jar c:\javadocpatcher\JavadocUpdaterTool.jar -R %1\release\release-0.6\api
+del /s %1\*.orig
+
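Review bot: the added `del /s %1\*.orig` runs with no check that %1 was supplied and without quoting it. With an empty argument the command becomes `del /s \*.orig`, which recurses from the root of the current drive, and a site path containing spaces is split into several arguments. Suggest exiting early when `"%~1"==""` and writing the delete as `del /s "%~1\*.orig"`. The trailing blank `+` line can be dropped.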
Modified: manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/developer-resources.xml
URL: http://svn.apache.org/viewvc/manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/developer-resources.xml?rev=1507408&r1=1507407&r2=1507408&view=diff
==============================================================================
--- manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/developer-resources.xml (original)
+++ manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/developer-resources.xml Fri Jul 26 19:23:44 2013
@@ -25,7 +25,8 @@
<section id="source">
<title>Source Code</title>
- <p>The source files are stored using Subversion (see <a href="http://subversion.tigris.org/">http://subversion.tigris.org/</a> and <a href="http://svnbook.red-bean.com/">http://svnbook.red-bean.com/</a>)</p>
+ <p>The source files are stored using Subversion (see <a href="http://subversion.tigris.org/">http://subversion.tigris.org/</a> and
+ <a href="http://svnbook.red-bean.com/">http://svnbook.red-bean.com/</a>)</p>
<p>
<code>svn checkout http://svn.apache.org/repos/asf/manifoldcf/trunk mcf-trunk</code>
</p>
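Review bot: the only change to developer-resources.xml is re-wrapping the Subversion `<p>` across two lines, which is unrelated to the log message "Add security page." and adds noise to the history. Suggest committing formatting changes separately, or adding the link to the new security page here if that was the intent. Separately, the checkout command in the trailing context still uses an http:// URL, so the documented way to fetch the source has no transport integrity; consider documenting an https URL if the repository is served that way.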
Added: manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/security.xml
URL: http://svn.apache.org/viewvc/manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/security.xml?rev=1507408&view=auto
==============================================================================
--- manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/security.xml (added)
+++ manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/security.xml Fri Jul 26 19:23:44 2013
@@ -0,0 +1,86 @@
+<?xml version="1.0"?>
+
+<!DOCTYPE document PUBLIC "-//APACHE//DTD Documentation V2.0//EN"
+ "http://forrest.apache.org/dtd/document-v20.dtd">
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<document>
+
+ <header>
+ <title>ManifoldCF Document Security</title>
+ </header>
+
+ <body>
+
+ <section>
+ <title>Document Security Issues</title>
+ <section>
+ <title>Overview</title>
+ <p>ManifoldCF provides a security model for documents which is typically enforced by the search engine the documents are indexed
+ with. Often, this search engine is Apache Lucene, but others may be used either now or in the future. This page describes
+ how document security is enforced, and what the limitations are of this technique.</p>
+ <section>
+ <title>How Search Engines Work</title>
+ <p>A standard search engine has one or more <em>indexes</em>, which associate <em>terms</em> with <em>documents</em>. A
+ <em>query</em> is issued to the search engine, which uses one or more of the indexes to generate a list of documents. The
+ list of documents is then <em>scored</em>, which means that they are given a numeric ranking value based on how closely they
+ match the query. The scoring operation typically also makes use of statistic measures, such as how frequently a term appears in
+ documents in the index.</p>
+ </section>
+
+ <section>
+ <title>Security Definitions</title>
+ <p>Complete definitions of security usually include elements of <em>confidentiality</em>, <em>integrity</em>, and <em>availability</em>.
+ Confidentiality has a strict definition, which not only prevents a user from seeing information belonging to another user, but also
+ prevents a user from even knowing about the existence of information belonging to another user. Integrity means that a user
+ can see everything they are allowed to see. And availability means that information is as available as possible to the user who
+ is supposed to have access to it.</p>
+
+ </section>
+
+ <section>
+ <title>How ManifoldCF Applies Security</title>
+ <p>Typically, documents are excluded by what is known as <em>query modification</em>. This means that the query presented to the
+ search engine is modified in such a way as to exclude the documents that the user is not supposed to see. This is typically done
+ by a ManifoldCF Plugin, which the system integrator must use to apply user-level security. The query modification is performed
+ in such a way that it does not affect the relative scoring of documents.</p>
+ </section>
+ </section>
+
+ <section>
+ <title>Potential Security Issues with ManifoldCF</title>
+ <section>
+ <title>Scoring-based Discovery of Document Keywords</title>
+ <p>One way that confidentiality can be breached in part with a search engine like Lucene relies on the fact that its scoring uses
+ global document statistics. It is theoretically possible to determine information about how many documents contain a term, or
+ whether the number of documents that contain the term changes over time, by submitting queries to the system and examining
+ the relative ordering of the results.</p>
+ <p>While this technically is a violation of the confidentiality principle, an attacker still cannot see the contents or extracts of
+ documents that are restricted. The ability of an unauthorized user to know about the existence of other documents with
+ certain keywords may or may not be of concern to the system designers, depending on the situation. But if it <strong>is</strong> a concern,
+ the right solution is to modify how the search engine does scoring, so that it either does not score documents based on global term
+ statistics, or perhaps it adjusts scores by a random factor, etc. There exist papers on this subject, which we encourage
+ especially security-conscious developers to consult.</p>
+ </section>
+ </section>
+ </section>
+
+ </body>
+
+</document>
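Review bot: in the "Security Definitions" section, integrity is defined as "a user can see everything they are allowed to see", which is not the usual meaning of the term (protection of information against unauthorized or undetected modification) and overlaps with the availability sentence that follows it. Suggest either using the standard definition or giving the property described here a different name, such as completeness of results. Smaller points: "statistic measures" in "How Search Engines Work" should read "statistical measures"; "There exist papers on this subject" would be more useful with at least one citation; and since "How ManifoldCF Applies Security" says the integrator must use the plugin, the page should state explicitly what a query returns when it reaches the index without query modification applied.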
Propchange: manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/security.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: manifoldcf/site/trunk/src/documentation/content/xdocs/en_US/security.xml
------------------------------------------------------------------------------
svn:keywords = Id
Modified: manifoldcf/site/trunk/src/documentation/content/xdocs/site.xml
URL: http://svn.apache.org/viewvc/manifoldcf/site/trunk/src/documentation/content/xdocs/site.xml?rev=1507408&r1=1507407&r2=1507408&view=diff
==============================================================================
--- manifoldcf/site/trunk/src/documentation/content/xdocs/site.xml (original)
+++ manifoldcf/site/trunk/src/documentation/content/xdocs/site.xml Fri Jul 26 19:23:44 2013
@@ -44,6 +44,7 @@
<dev label="Download" href="download.html" />
<mail label="Mailing Lists" href="mail.html" />
<dev label="Developer/Integrator Resources" href="developer-resources.html"/>
+ <dev label="Security Analysis" href="security.html"/>
<security label="Report Security Problems" href="ext:security"/>
</resources>
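Review bot: the new entry's label "Security Analysis" does not match the title of the page it links to ("ManifoldCF Document Security" in security.xml) and sits directly above "Report Security Problems", so readers may take it for an advisory or audit page. Suggest a label closer to the page title, such as "Document Security".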