Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revision | Next revisionBoth sides next revision |
administration:security [2023/06/30 11:02] – [Allowing Access to the Solr Host] demiankatz | administration:security [2023/08/17 12:18] – [Securing User Credentials] demiankatz |
---|
| |
VuFind® stores some user information in its database. Starting with VuFind® 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials. The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind®'s auto-configuration pages. Enabling security is highly recommended. | VuFind® stores some user information in its database. Starting with VuFind® 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials. The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind®'s auto-configuration pages. Enabling security is highly recommended. |
| |
| VuFind® also supports configuration settings to enforce length and content restrictions on usernames and passwords. Review the settings in the [Authentication] section of [[configuration:files:config.ini]] for more details. It is recommended that you enforce complex passwords when possible, but depending on your authentication settings this may not be possible (e.g. if your login proxies your ILS, and your ILS does not support password restrictions) or may not be necessary (e.g. if you are using single sign-on, where passwords are managed entirely in a third-party system). |
| |
When using some [[configuration:authentication]] options, you have the ability to pre-populate user ILS credentials in the database. In some scenarios, it is possible to configure ILS drivers to look up users based only on usernames or other "public knowledge" fields. In these cases, you should disable direct user login using the allowUserLogin setting in the [Catalog] section of [[configuration:files:config.ini]] to eliminate the possibility of users attempting to impersonate one another. This setting was introduced in VuFind® 9.0. | When using some [[configuration:authentication]] options, you have the ability to pre-populate user ILS credentials in the database. In some scenarios, it is possible to configure ILS drivers to look up users based only on usernames or other "public knowledge" fields. In these cases, you should disable direct user login using the allowUserLogin setting in the [Catalog] section of [[configuration:files:config.ini]] to eliminate the possibility of users attempting to impersonate one another. This setting was introduced in VuFind® 9.0. |