Vinyl Security Overview¶

Overview¶

Vinyl promotes the rapid development of secure applications along with their ability to be quickly deployed in a secure environment. Native security features and configuration options available within the Vinyl platform enable developers to configure and secure their applications.

Vinyl supports the following security options:

HTTPS¶

Vinyl mandates HTTPS. When HTTPS is enabled, cookies are set with the Secure flag. This prevents the browser from transmitting the cookie across an unsecure (HTTP) channel. Cookies are set with the HttpOnly flag by default. The HttpOnly flag mitigates Cross-Site Scripting (XSS) attacks.

Single Sign-On (SSO) Provider¶

Vinyl recommends delegating authentication to a Single Sign-On (SSO) provider. Vinyl supports various industry standards, including SAML SSO and WS-Federation. These use the PKCS #1 digital signature specification with SHA-256 digests.

Claims-Based Authentication¶

User authentication providers pass claims into Vinyl. Security administrators map the claims to user attributes, including group membership. Documentation:

• Claims

Local Authentication and Password Configuration¶

Vinyl also supports a local, password-based authentication mechanism. Password storage is documented on the following page:

• Security Provider - Local User

In short, passwords are stored using the PBKDF2 key derivation function with the SHA-256 hash algorithm, a key length of 16 bytes, a salt length of 16 bytes, and 10,000 iterations.

The Local Authentication provider supports the following security features:

• Password Policies
• Password Expiration
• Account Lockout
• Password Reset

Security Tokens and Data Encryption¶

Vinyl encrypts and validates security tokens, such as session cookies. As well, Vinyl encrypts server and security provider credentials (passwords). Encryption provides confidentiality; validation, authenticity (a.k.a. tamper-proofing). Vinyl encrypts data using AES-256 in the CBC block cipher mode with PKCS #7 padding. Vinyl ensures the integrity of the encrypted data using HMAC-SHA256.

The same encryption and validation can be used to protect application-level data at rest.

• Application-Level Column Encryption

Vinyl supports encryption of data at rest via the vendor's native implementation of Transparent Data Encryption.

• Transparent Data Encryption

Vinyl now uses FIPS validated cryptographic implementations and algorithms.

Sessions¶

Vinyl provides configurable session storage policies. By default, Vinyl persists session information to the database. Administrators can view sessions and forcibly sign out user sessions. Tracking sessions guards against certain vulnerabilities, such as cookie-replay attacks.

• Sessions

Roles-Based Security¶

Access to data can be controlled using roles-based security. A user's group membership determines the user's roles. The user's roles determine permission to business data. Groups organize users; roles organize permissions.

• Privileges and Permissions

In Vinyl, realms allow administrators to delegate administrative tasks such as the user provisioning and group membership. These operations are constrained to the realm.

• Realms

Related Links¶

Security Topics¶

• Anonymous Access
• Claims
• Password Expiration
• Password Policies
• Password Reset
• Privileges and Permissions
• Providers and Identities
• Realms
• Self-Service
• Sessions
• Users and Groups
• User and Group Provisioning
• Client Authentication

How-tos¶

• Access Security Logs
• Change Password on Logon

Resources¶

• User Authentication Methods
• User and Group Management