Advanced security options

Hiding error stacks

By default, the DSS backend sends backend error stacks to logged-in users. This makes debugging and understanding easier.

This behavior can be disabled in the following way:

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within "security", add or edit the following key: "hideErrorStacks": true
  • Start DSS
DATADIR/bin/dss start

Hiding version info

By default, the DSS backend sends DSS version information, even to non-logged-in users.

This behavior can be disabled in the following way:

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within "security", add or edit the following key: "hideVersionStringsWhenNotLogged": true
  • Start DSS
DATADIR/bin/dss start

Using secure cookies

By default, DSS login cookies do not carry the Secure flag (which would make them unusable over non-secured HTTP connections).

If you configure DSS to use HTTPS for all users, either natively or through a reverse proxy, you can enable the use of secure cookies. This further secures user connections by ensuring the browser never sends the session cookie over unsecured connections.

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within "security", add or edit the following key: "secureCookies": true
  • Start DSS
DATADIR/bin/dss start

Expiring sessions

By default, DSS sessions do not expire. You can configure DSS to have sessions expire, either after a certain amount of time since login, or after a certain amount of inactivity.

Warning

Enabling session expiration also means that all user sessions are terminated each time the DSS backend restarts.

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/dip.properties file and add the following key: dku.sessions.storage=memory
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within “security”, add or edit the following keys: "sessionsMaxTotalTimeMinutes" and "sessionsMaxIdleTimeMinutes". Set them to the desired expiration timeout, respectively since login and on inactivity. 0 means no expiration for this kind.
  • Start DSS
DATADIR/bin/dss start

Forcing a single session per user

By default, DSS users can log in from multiple sessions at once. You can additionally configure DSS to only allow a single session per user. When a user logs in, all of that user's other sessions are terminated.

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within "security", add or edit the following key: "forceSingleSessionPerUser": true
  • Start DSS
DATADIR/bin/dss start

Restricting visibility of groups and users

By default, all logged-in DSS users can view the list of groups and users. This is useful for:

  • Allowing project owners to add groups to their projects
  • Allowing users to mention all users

You can select to restrict visibility of groups and users. The following rules apply:

  • If you are admin, you can see everything
  • You can see all groups to which you belong
  • You can see all users of groups to which you belong
  • In addition, you can see all users that are participants in projects in which you are a participant

This restriction can be enabled in the following way:

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within "security", add or edit the following key: "restrictUsersAndGroupsVisibility": true
  • Start DSS
DATADIR/bin/dss start

Note

This is a best-effort feature. Obvious listings of users are suppressed, but we do not guarantee perfect isolation.
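The visibility rules listed above are additive: a non-admin's view is the union of what group membership and project participation each grant. The following constructed model makes that union explicit. It is an added illustration, not DSS code and not from this page; the directory contents (admins, groups, projects and their members) are invented sample data.

```python
class UserDirectory:
    """Constructed model of the visibility rules described above (not DSS code):
    group membership and project participation drive what a non-admin can see."""

    def __init__(self, admins, group_members, project_members):
        self.admins = set(admins)
        self.group_members = {g: set(m) for g, m in group_members.items()}
        self.project_members = {p: set(m) for p, m in project_members.items()}

    def all_users(self):
        users = set(self.admins)
        for members in list(self.group_members.values()) + list(self.project_members.values()):
            users |= members
        return users

    def visible_groups(self, viewer):
        """Admins see every group; everyone else sees only the groups they belong to."""
        if viewer in self.admins:
            return set(self.group_members)
        return {g for g, members in self.group_members.items() if viewer in members}

    def visible_users(self, viewer):
        """Admins see everyone; others see the members of their own groups plus the
        participants of projects they participate in. The two rules are additive."""
        if viewer in self.admins:
            return self.all_users()
        visible = {viewer}
        for g in self.visible_groups(viewer):
            visible |= self.group_members[g]
        for members in self.project_members.values():
            if viewer in members:
                visible |= members
        return visible


# Constructed sample directory: "frank" belongs to no group but shares a project with "erin".
SAMPLE = UserDirectory(
    admins={"root"},
    group_members={"data-science": {"alice", "bob"}, "finance": {"carol", "dave"},
                   "marketing": {"erin"}},
    project_members={"FORECAST": {"bob", "carol"}, "CAMPAIGN": {"erin", "frank"}},
)

if __name__ == "__main__":
    for who in ("root", "alice", "bob", "frank"):
        print(who, "groups:", sorted(SAMPLE.visible_groups(who)),
              "users:", sorted(SAMPLE.visible_users(who)))
```

With the sample data, "bob" sees "carol" only because they share the FORECAST project, and "frank" sees no groups at all yet still sees "erin"; this is the kind of partial exposure the Note above refers to when it says isolation is best-effort.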

Example general-settings.json file

With the previous options enabled, your general-settings.json could look like:

{
  "udr": true,
  "proxySettings": {
    "port": 0
  },
  "mailSettings": {},
  "maxRunningActivitiesPerJob": 5,
  "maxRunningActivities": 5,
  "ldapSettings": {
    "enabled": false,
    "useTls": false,
    "userFilter": "(\u0026(objectClass\u003dposixAccount)(uid\u003d{USERNAME}))",
    "displayNameAttribute": "cn",
    "emailAttribute": "mail",
    "enableGroups": true,
    "groupFilter": "(\u0026(objectClass\u003dposixGroup)(memberUid\u003d{USERNAME}))",
    "groupNameAttribute": "cn",
    "autoImportUsers": true
  },
  "computablesAvailabilityMode": "EXPOSED_ONLY",
  "globalCrossProjectBuildBehaviour": "STOP_AT_BOUNDARIES",
  "noLoginMode": false,
  "sessionsMaxTotalTimeHours": 0,
  "sessionsMaxIdleTimeHours": 0,
  "security": {
    "hideVersionStringsWhenNotLogged": true,
    "hideErrorStacks": true,
    "secureCookies": true,
    "sessionsMaxTotalTimeMinutes": 0,
    "sessionsMaxIdleTimeMinutes": 20,
    "forceSingleSessionPerUser": false,
    "restrictUsersAndGroupsVisibility": true
  }
}
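Every procedure on this page follows the same pattern: stop DSS, locate or create the top-level "security" object in general-settings.json, set a key, start DSS (plus dku.sessions.storage=memory in dip.properties for session expiration). The following Python helper is an added example, not DSS code and not from this page, that applies all of those keys in one pass and reports which documented options are still at their default. It assumes DSS has already been stopped, that DATADIR is a DSS data directory, and that the chosen values (in particular the 20-minute idle timeout and secureCookies, which is only appropriate once all users reach DSS over HTTPS) are the ones you want; those values are constructed for the example.

```python
import json
import os
import shutil
import tempfile

# Constructed target values: every option on this page switched on, sessions idle out
# after 20 minutes, no absolute lifetime. Set secureCookies only once all users reach
# DSS over HTTPS, otherwise browsers will not send the session cookie at all.
HARDENING = {
    "hideErrorStacks": True,
    "hideVersionStringsWhenNotLogged": True,
    "secureCookies": True,
    "sessionsMaxTotalTimeMinutes": 0,
    "sessionsMaxIdleTimeMinutes": 20,
    "forceSingleSessionPerUser": True,
    "restrictUsersAndGroupsVisibility": True,
}

def apply_security_settings(settings, overrides):
    """Merge overrides into the top-level "security" object, creating it if absent."""
    security = settings.get("security")
    if security is None:
        security = {}
    elif not isinstance(security, dict):
        raise ValueError('"security" is present but is not a JSON object')
    result = dict(settings)
    result["security"] = {**security, **overrides}
    return result

def audit_security_settings(settings):
    """Name each documented option still at its default (the less restrictive setting)."""
    security = settings.get("security") or {}
    findings = [k for k in ("hideErrorStacks", "hideVersionStringsWhenNotLogged", "secureCookies",
                            "forceSingleSessionPerUser", "restrictUsersAndGroupsVisibility")
                if security.get(k) is not True]
    if not security.get("sessionsMaxTotalTimeMinutes") and not security.get("sessionsMaxIdleTimeMinutes"):
        findings.append("sessions never expire")
    return findings

def set_property(text, key, value):
    """Set key=value in Java .properties text: replace the first definition, drop
    duplicates, append if missing. Comment lines (# or !) are left untouched."""
    out, replaced = [], False
    for line in text.splitlines():
        s = line.strip()
        if not s.startswith(("#", "!")) and s.split("=", 1)[0].strip() == key:
            if not replaced:
                out.append(f"{key}={value}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"

def _atomic_write(path, content):
    """Keep a .bak copy and swap the new file in atomically, so an interrupted write
    cannot leave DSS with a truncated settings file."""
    if os.path.exists(path):
        shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(content)
    os.replace(tmp, path)

def harden_datadir(datadir, overrides=HARDENING):
    """Apply overrides under DATADIR/config (stop DSS first) and return remaining findings."""
    config_dir = os.path.join(datadir, "config")
    settings_path = os.path.join(config_dir, "general-settings.json")
    with open(settings_path, encoding="utf-8") as f:
        updated = apply_security_settings(json.load(f), overrides)
    _atomic_write(settings_path, json.dumps(updated, indent=2) + "\n")
    # Session expiration needs in-memory session storage in dip.properties.
    props_path = os.path.join(config_dir, "dip.properties")
    existing = ""
    if os.path.exists(props_path):
        with open(props_path, encoding="utf-8") as f:
            existing = f.read()
    _atomic_write(props_path, set_property(existing, "dku.sessions.storage", "memory"))
    return audit_security_settings(updated)

def run_demo():
    """Harden a throwaway DATADIR holding a constructed general-settings.json and return
    (remaining findings, saved settings, dip.properties text)."""
    datadir = tempfile.mkdtemp(prefix="dss-demo-")
    os.makedirs(os.path.join(datadir, "config"))
    settings_path = os.path.join(datadir, "config", "general-settings.json")
    with open(settings_path, "w", encoding="utf-8") as f:
        json.dump({"udr": True, "noLoginMode": False}, f)
    findings = harden_datadir(datadir)
    with open(settings_path, encoding="utf-8") as f:
        saved = json.load(f)
    with open(os.path.join(datadir, "config", "dip.properties"), encoding="utf-8") as f:
        props = f.read()
    shutil.rmtree(datadir)
    return findings, saved, props

if __name__ == "__main__":
    findings, saved, props = run_demo()
    print("remaining findings:", findings or "none")
    print(json.dumps(saved["security"], indent=2), props)
```

To use it against a real instance, call harden_datadir("/path/to/DATADIR") between DATADIR/bin/dss stop and DATADIR/bin/dss start; the .bak copies it leaves beside each file are what you restore if DSS refuses to start. audit_security_settings can also be run on its own against a parsed general-settings.json as a quick check that a hardening pass actually landed.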