Skip to Content

Vinyl security overview


Vinyl promotes the rapid development of secure applications along with their ability to be quickly deployed in a secure environment. Native security features and configuration options available within the Vinyl platform enable developers to configure and secure their applications.

Vinyl supports the following security options:


Vinyl mandates HTTPS. When HTTPS is enabled, cookies are set with the Secure flag. This prevents the browser from transmitting the cookie across an unsecure (HTTP) channel. Cookies are set with the HttpOnly flag by default. The HttpOnly flag mitigates Cross-Site Scripting (XSS) attacks.

Single sign-on (SSO) provider

Vinyl recommends delegating authentication to a Single Sign-On (SSO) provider. Vinyl supports various industry standards, including SAML SSO and WS-Federation. These use the PKCS #1 digital signature specification with SHA-256 digests.

Claims-based authentication

User authentication providers pass claims into Vinyl. Security administrators map the claims to user attributes, including group membership. Documentation:

Local authentication and password configuration

Vinyl also supports a local, password-based authentication mechanism. Password storage is documented on the following page:

In short, passwords are stored using the PBKDF2 key derivation function with the SHA-256 hash algorithm, a key length of 16 bytes, a salt length of 16 bytes, and 10,000 iterations.

The Local Authentication provider supports the following security features:

Security tokens and data encryption

Vinyl encrypts and validates security tokens, such as session cookies. As well, Vinyl encrypts server and security provider credentials (passwords). Encryption provides confidentiality; validation, authenticity (a.k.a. tamper-proofing). Vinyl encrypts data using AES-256 in the CBC block cipher mode with PKCS #7 padding. Vinyl ensures the integrity of the encrypted data using HMAC-SHA256.

The same encryption and validation can be used to protect application-level data at rest.

Vinyl supports encryption of data at rest via the vendor's native implementation of Transparent Data Encryption.

Vinyl now uses FIPS validated cryptographic implementations and algorithms.


Vinyl provides configurable session storage policies. By default, Vinyl persists session information to the database. Administrators can view sessions and forcibly sign out user sessions. Tracking sessions guards against certain vulnerabilities, such as cookie-replay attacks.

Roles-based security

Access to data can be controlled using roles-based security. A user's group membership determines the user's roles. The user's roles determine permission to business data. Groups organize users; roles organize permissions.

In Vinyl, realms allow administrators to delegate administrative tasks such as the user provisioning and group membership. These operations are constrained to the realm.

Security topics