Appearance

Security Configuration Reference

General

security.allow_anonymous_user  :: on|off
Default = onSince v0.8.8

Defines whether Bondy allows the anonymous user.

WARNING

We strongly recommend disabling anonymous for production use or at least restrict the network locations from which an anonymous connection can be established. See Source API documentation reference.

Notice that disabling the anonymous disables the anonymous authentication method as an option for Authentication and Authorization.

security.automatically_create_realms  :: on|off
Default = offSince v0.8.8

Defines whether Bondy creates a new realm when a session wants to attach to a non existing realm.

WARNING

We strongly recommend to disable this option and only enable it for development or testing purposes.

Password options

Options used by those authentication methods based on password.

security.password.protocol  :: cra|scram
Default = craSince v0.9.0

Defines the default password protocol to be used for new user password creation. Notice the user API allows a caller to define the protocol to be used. This default is used when the caller does not specify a protocol.

security.password.protocol.upgrade.enabled  :: on|off
Default = offSince v0.9.0

Controls whether a password protocol upgrade is performed during password migrations. A password migration occurs when Bondy changes the internal representation of the password object to accommodate new protocols, features or bug fixes. Normally some of this changes can be done without user input, but when these changes include a re-calculation of the salted hash they can only happened during authentication or when the user changes the password.

If this option is set to on, then Bondy will try to upgrade the password protocol of an existing password to the protocol defined by the security.password.protocol option using the default parameters defined in the security.password.{SelectedProtocol}.{Option} options.

security.password.min_length  :: 6..254
Default = 6Since v0.9.0

Defines the minimum length for newly created passwords. The value should be at least 6 and at most 254.

security.password.max_length  :: 6..254
Default = 6Since v0.9.0

Defines the maximum length for newly created passwords. The value should be at least 6 and at most 254.

security.password.scram.kdf  :: pbkdf2|argon2id13
Default = pbkdf2Since v0.9.0

Defines the default key derivation function (KDF) to be used with SCRAM.

security.password.cra.kdf  :: pbkdf2
Default = pbkdf2Since v0.9.0

Defines the default key derivation function (KDF) to be used with CRA. The only option is pbkdf2.

security.password.pbkdf2.iterations  :: 4096..65536
Default = 1000Since v0.9.0

Defines the default number of iterations to be used with the pbkdf2 key derivation function. It should be an integer in the range 4096..65536.

security.password.argon2id13.iterations  :: alias|4096..4294967295
Default = moderateSince v0.9.0

Defines the default iterations to be used with the argon2id13 key derivation function. It should be an integer in the range 4096..4294967295 or one of the following named alias configuration:

  • interactive (2)
  • moderate (3)
  • sensitive (4)
security.password.argon2id13.memory  :: alias|8192..1073741824
Default = interactiveSince v0.9.0

Defines the default memory to be used with the argon2id13 key derivation function. It should be an integer in the range 8192..1073741824 or a named alias configuration:

  • interactive (64MB)
  • moderate (256MB)
  • sensitive (1GB)

Notice

The underlying library allows up to 4398046510080 (3.9 TB) but we have restricted this value to avoid a configuration error to enable a DoS attack.

Authentication: OAuth2

oauth2.client_credentials_grant.duration  :: string
Default = N/ASince N/A
oauth2.code_grant.duration  :: string
Default = N/ASince N/A
oauth2.config_file  :: string
Default = N/ASince N/A
oauth2.password_grant.duration  :: string
Default = N/ASince N/A
oauth2.refresh_token.duration  :: string
Default = N/ASince N/A
oauth2.refresh_token.length  :: string
Default = N/ASince N/A

Authentication: Ticket

security.ticket.authmethods  :: enum
Default = allSince v0.9.0

Defines the a comma separated list of authentication methods that a user can use to establish a session that is allowed to issue tickets to be used with 'ticket' authentication.

The possible values are the names of the authentication methods:

  • "cryptosign"
  • "password"
  • "ticket"
  • "tls"
  • "trust"
  • "wamp-scram"
  • "wampcra"

The option also allows a single value "all" in which case all the methods above will be allowed.

Notice

"anonymous" and "oauth2" methods are NOT allowed in this list as they are incompatible with the idea of tickets.

security.ticket.allow_not_found  :: on|off
Default = onSince v0.9.0

Defines whether Bondy will allow a valid ticket to be used for authentication when a local copy of the ticket has not been found in storage. This might happen if the ticket data has not yet been synchronised to the node handling the authentication request.

security.ticket.expiry_time  :: time_duration_units
Default = 30dSince v0.9.0

The default expiration time on or after which authentication ticket MUST NOT be accepted for processing.

security.ticket.max_expiry_time  :: time_duration_units
Default = 30dSince v0.9.0

The maximum expiration time on or after which authentication ticket MUST NOT be accepted for processing.

security.ticket.scope.local.persistence  :: on|off
Default = onSince v0.9.0

Controls whether local scope tickets are persistent. If enabled the ticket will be stored in Bondy's database. Otherwise the ticket is not stored.

security.ticket.scope.sso.persistence  :: on|off
Default = onSince v0.9.0

Controls whether SSO scope tickets are persistent. If enabled the ticket will be stored in Bondy's database. Otherwise the ticket is not stored.

security.ticket.scope.client_local.persistence  :: on|off
Default = onSince v0.9.0

Controls whether client-local scope tickets are persistent. If enabled the ticket will be stored in Bondy's database. Otherwise the ticket is not stored.

security.ticket.scope.client_sso.persistence  :: on|off
Default = onSince v0.9.0

Controls whether client-SSO scope tickets are persistent. If enabled the ticket will be stored in Bondy's database. Otherwise the ticket is not stored.

Realm Static Configuration

security.config_file  :: path
Default = '{{platform_etc_dir}}/security_config.json'Since v0.8.8

The filename of a security JSON configuration file, which allows you to statically configure realms and its users, groups, sources and permissions.

Bondy Security can be completely configured dynamically via API, read more about this in the Security section.

This options is for those cases when you want to ensure a given configuration is applied every time Bondy restarts.

WARNING

Notice that every node will apply the security configuration on startup persisting it to the embedded replica of the database. Eventually, when joins a cluster this will trigger an actiove-anti entropy exchange, synchronising the data with peer nodes.

This is not a major problem when the configuration file has static data. However, the Realm object will generate signing keys if those are not provided in its definition, which means every new node will create new keys, effectively disabling the previous ones, this might trigger authentication tickets obtain in other nodes to be invalidated.

At the moment the way to avoid this is by either not this option and using dynamic configuration via HTTP or WAMP Admin APIs instead, or by configuring the signing keys in the Realm object, so that Bondy always applies the same keys.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-ShareAlike (CC-BY-SA) 4.0 International license.
Bondy and Leapsight are registered trademarks of Leapsight Technologies Ltd.

Copyright © 2022 Leapsight