Posted to users@isis.apache.org by Stephen Cameron <st...@gmail.com> on 2016/10/30 10:46:06 UTC

Securing a publicly accessible Isis app

I have an isis app that will be publicly accessible.

I'd like to make it as secure as is reasonable.

Use of SSL is necessary of course.

Internet banking sites seem to make do with password authentication, but
expire dormant sessions very promptly and not show any account details in
the UI (so someone can see the account name and guess the password). Is
similar possible in Apache Isis?

I need to disable the RESTful objects interface too.

Thanks for any suggestions or tips.

Stephen Cameron

Re: Securing a publicly accessible Isis app

Posted by Ahmed Ragab <ah...@gmail.com>.
Hi Stephen,

In addition to the previous answer, you can also set the servlet session timeout as follows in the web.xml:

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

Sent from my iPhone

> On 30 Oct 2016, at 19:10, Stephen Cameron <st...@gmail.com> wrote:
> 
>> On Monday, October 31, 2016, Ahmed Ragab <ah...@gmail.com> wrote:
>> 
>> 
>> 
>> Sent from my iPhone
>> 
>>> On 30 Oct 2016, at 11:46, Stephen Cameron <steve.cameron.62@gmail.com> wrote:
>>> 
>>> I have an isis app that will be publicly accessible.
>>> 
>>> I'd like to make it as secure as is reasonable.
>>> 
>>> Use of SSL is necessary of course.
>>> 
>>> Internet banking sites seem to make do with password authentication, but
>>> expire dormant sessions very promptly and not show any account details in
>>> the UI (so someone can see the account name and guess the password). Is
>>> similar possible in Apache Isis?
>>> 
>> I didn't understand what you want to achieve
> 
> If a logged-in user stops interacting with the app for a period, the login
> gets expired and they have to enter their password again. I'm wondering if
> the time interval to expiry can be configured.
> 
>>> I need to disable the RESTful objects interface too.
>>> 
>> That one is as simple as removing the RESTful objects filter from the
>> web.xml
>>> Thanks for any suggestions or tips.
>>> 
>>> Stephen Cameron
>> 
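The two web.xml changes discussed in this thread (a servlet session timeout, and removing the Restful Objects filter/servlet mapping) plus the SSL requirement from the original post can be checked mechanically. The audit below is an added example, not code from the thread or from Apache Isis; it assumes the Restful Objects viewer is mapped at /restful/* (a URL pattern the thread does not state) and uses constructed web.xml fragments with placeholder filter and servlet names.

```python
import xml.etree.ElementTree as ET

RESTFUL_PATTERN = "/restful/*"  # assumed mapping of the Restful Objects viewer (not stated in the thread)

def _local(tag):  # drop the XML namespace so either javaee namespace of web.xml parses the same
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text, max_timeout_minutes=30, restful_pattern=RESTFUL_PATTERN):
    """Return a list of findings for a web.xml; an empty list means every check passed."""
    root, findings = ET.fromstring(xml_text), []
    find_all = lambda name: [e for e in root.iter() if _local(e.tag) == name]
    text_of = lambda name: ((find_all(name) or [ET.Element(name)])[0].text or "").strip().lower()
    # 1. Dormant-session expiry: absent means the container default; 0 or negative means never.
    timeouts = find_all("session-timeout")
    if not timeouts:
        findings.append("no <session-timeout>: container default applies")
    else:
        minutes = int((timeouts[0].text or "0").strip())
        if minutes <= 0:
            findings.append("session-timeout %d: sessions never expire" % minutes)
        elif minutes > max_timeout_minutes:
            findings.append("session-timeout %d exceeds %d minutes" % (minutes, max_timeout_minutes))
    # 2. Restful Objects viewer: a filter or servlet mapping left on its pattern still exposes it.
    for mapping in find_all("filter-mapping") + find_all("servlet-mapping"):
        kids = {_local(c.tag): (c.text or "").strip() for c in mapping}
        if kids.get("url-pattern") == restful_pattern:
            name = kids.get("filter-name") or kids.get("servlet-name") or "?"
            findings.append("%s '%s' still mapped to %s" % (_local(mapping.tag), name, restful_pattern))
    # 3. SSL-only use: Secure/HttpOnly session cookie and a CONFIDENTIAL transport guarantee.
    if text_of("secure") != "true":
        findings.append("session cookie lacks Secure (cookie-config/secure)")
    if text_of("http-only") != "true":
        findings.append("session cookie lacks HttpOnly (cookie-config/http-only)")
    if text_of("transport-guarantee") != "confidential":
        findings.append("no CONFIDENTIAL transport-guarantee: plain HTTP not forced onto SSL")
    return findings

# Constructed sample web.xml fragments; the filter/servlet names are placeholders, not Isis's real ones.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter-mapping><filter-name>RoFilter</filter-name><url-pattern>/restful/*</url-pattern></filter-mapping>
  <servlet-mapping><servlet-name>RoServlet</servlet-name><url-pattern>/restful/*</url-pattern></servlet-mapping>
</web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config><session-timeout>15</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>
  <security-constraint><web-resource-collection><web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""
```

Running audit_web_xml(WEAK_WEB_XML) lists six findings, while the hardened fragment returns none; the servlet timeout only governs the container session, so if Shiro native sessions are enabled the Shiro timeout must be checked separately.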

Re: Securing a publicly accessible Isis app

Posted by Ahmed Ragab <ah...@gmail.com>.

Sent from my iPhone

> On 30 Oct 2016, at 19:10, Stephen Cameron <st...@gmail.com> wrote:
> 
>> On Monday, October 31, 2016, Ahmed Ragab <ah...@gmail.com> wrote:
>> 
>> 
>> 
>> Sent from my iPhone
>> 
>>> On 30 Oct 2016, at 11:46, Stephen Cameron <steve.cameron.62@gmail.com> wrote:
>>> 
>>> I have an isis app that will be publicly accessible.
>>> 
>>> I'd like to make it as secure as is reasonable.
>>> 
>>> Use of SSL is necessary of course.
>>> 
>>> Internet banking sites seem to make do with password authentication, but
>>> expire dormant sessions very promptly and not show any account details in
>>> the UI (so someone can see the account name and guess the password). Is
>>> similar possible in Apache Isis?
>>> 
>> I didn't understand what you want to achieve
> 
> If a logged-in user stops interacting with the app for a period, the login
> gets expired and they have to enter their password again. I'm wondering if
> the time interval to expiry can be configured.

Should be configurable through Apache Shiro in the shiro.ini file. Here is a link to the documentation: http://shiro.apache.org/session-management.html#SessionManagement-SessionTimeout
> 
>>> I need to disable the RESTful objects interface too.
>>> 
>> That one is as simple as removing the RESTful objects filter from the
>> web.xml
>>> Thanks for any suggestions or tips.
>>> 
>>> Stephen Cameron
>> 

Re: Securing a publicly accessible Isis app

Posted by Stephen Cameron <st...@gmail.com>.
On Monday, October 31, 2016, Ahmed Ragab <ah...@gmail.com> wrote:

>
>
> Sent from my iPhone
>
> > On 30 Oct 2016, at 11:46, Stephen Cameron <steve.cameron.62@gmail.com> wrote:
> >
> > I have an isis app that will be publicly accessible.
> >
> > I'd like to make it as secure as is reasonable.
> >
> > Use of SSL is necessary of course.
> >
> > Internet banking sites seem to make do with password authentication, but
> > expire dormant sessions very promptly and not show any account details in
> > the UI (so someone can see the account name and guess the password). Is
> > similar possible in Apache Isis?
> >
> I didn't understand what you want to achieve

If a logged-in user stops interacting with the app for a period, the login
gets expired and they have to enter their password again. I'm wondering if
the time interval to expiry can be configured.

> > I need to disable the RESTful objects interface too.
> >
> That one is as simple as removing the RESTful objects filter from the
> web.xml
> > Thanks for any suggestions or tips.
> >
> > Stephen Cameron
>

Re: Securing a publicly accessible Isis app

Posted by Ahmed Ragab <ah...@gmail.com>.

Sent from my iPhone

> On 30 Oct 2016, at 11:46, Stephen Cameron <st...@gmail.com> wrote:
> 
> I have an isis app that will be publicly accessible.
> 
> I'd like to make it as secure as is reasonable.
> 
> Use of SSL is necessary of course.
> 
> Internet banking sites seem to make do with password authentication, but
> expire dormant sessions very promptly and not show any account details in
> the UI (so someone can see the account name and guess the password). Is
> similar possible in Apache Isis?
> 
I didn't understand what you want to achieve
> I need to disable the RESTful objects interface too.
> 
That one is as simple as removing the RESTful objects filter from the web.xml
> Thanks for any suggestions or tips.
> 
> Stephen Cameron