Security Guidelines
This section describes the security mechanisms of calServer -- from password management to session control to access control.
Password Policies
calServer enforces configurable password requirements. The settings are maintained under Administration > Basic Settings.
| Parameter | Description |
|---|---|
| password_expiry_days | Password validity period in days |
| warning_password_expiry_days | Warning period before expiration in days |
| minimal_number_characters | Minimum password length |
| minimal_number_lowercase_characters | Minimum number of lowercase letters |
| minimal_number_uppercase_characters | Minimum number of uppercase letters |
| minimal_number_special_characters | Minimum number of special characters |
| minimal_number_digit_characters | Minimum number of digits |
Password changes are logged in FrontendPasswordAudit, so that reuse of previous passwords can be detected.
Login Security
calServer provides safeguards against brute-force attacks:
| Setting | Description |
|---|---|
| activate_number_of_failed_login | Enables lockout after failed login attempts |
| number_of_failed_login | Number of allowed failed attempts before account lockout |
Failed login attempts are recorded in FrontendLoginSecurity. After exceeding the limit, the user account is temporarily locked.
Captcha Integration
Two captcha methods are available for the login and registration forms:
| Method | Settings |
|---|---|
| Google reCAPTCHA | enable_google_recaptcha, recaptcha_site_key, recaptcha_secret_key |
| Friendly Captcha | enable_friendly_captcha, friendly_captcha_site_key, friendly_captcha_secret_key |
Only one method can be active at a time.
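The following is an added example, not calServer's own code: a consistency audit over the password, lockout and captcha settings from the three tables above. It assumes the settings have been exported into a dictionary keyed by the documented names; the export step, the value encodings and the helper names are hypothetical.

```python
# Added example. Assumption: settings exported to a dict keyed by the documented names.
CLASS_MINIMUMS = ("minimal_number_lowercase_characters", "minimal_number_uppercase_characters",
                  "minimal_number_special_characters", "minimal_number_digit_characters")
CAPTCHAS = {
    "enable_google_recaptcha": ("recaptcha_site_key", "recaptcha_secret_key"),
    "enable_friendly_captcha": ("friendly_captcha_site_key", "friendly_captcha_secret_key"),
}
# Constructed sample values, not taken from a real installation.
SAMPLE = {
    "minimal_number_characters": "8", "minimal_number_lowercase_characters": "3",
    "minimal_number_uppercase_characters": "3", "minimal_number_special_characters": "2",
    "minimal_number_digit_characters": "2", "password_expiry_days": "30",
    "warning_password_expiry_days": "45", "activate_number_of_failed_login": "1",
    "number_of_failed_login": "0", "enable_google_recaptcha": "1",
    "recaptcha_site_key": "SITE-KEY-PLACEHOLDER", "recaptcha_secret_key": "",
    "enable_friendly_captcha": "1", "friendly_captcha_site_key": "SITE-KEY-PLACEHOLDER",
    "friendly_captcha_secret_key": "SECRET-KEY-PLACEHOLDER",
}

def _int(settings, key):
    # Missing, empty or non-numeric values count as 0 (assumed convention).
    try:
        return int(settings.get(key) or 0)
    except (TypeError, ValueError):
        return 0

def _on(settings, key):
    # Assumed encodings of an enabled switch.
    return str(settings.get(key, "")).strip().lower() in {"1", "true", "yes", "on"}

def audit(settings):
    out = []  # findings; empty means no inconsistency was detected
    min_len = _int(settings, "minimal_number_characters")
    class_sum = sum(_int(settings, k) for k in CLASS_MINIMUMS)
    if class_sum > min_len:  # effective minimum length is the larger of the two
        out.append(f"class minimums sum to {class_sum}, above minimal_number_characters={min_len}")
    expiry, warn = _int(settings, "password_expiry_days"), _int(settings, "warning_password_expiry_days")
    if expiry > 0 and warn >= expiry:  # warning would cover the whole validity period
        out.append("warning period is not shorter than password_expiry_days")
    if not _on(settings, "activate_number_of_failed_login"):
        out.append("lockout after failed logins is disabled")
    elif _int(settings, "number_of_failed_login") <= 0:
        out.append("lockout enabled but number_of_failed_login is not positive")
    enabled = [k for k in CAPTCHAS if _on(settings, k)]
    if len(enabled) > 1:  # the page states only one method can be active
        out.append("both captcha methods enabled; only one can be active")
    out += [f"{sw} is on but {key} is empty" for sw in enabled for key in CAPTCHAS[sw]
            if not str(settings.get(key) or "").strip()]
    return out
```

Calling audit(SAMPLE) returns five findings for the constructed values; an empty list means none of these checks fired.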
Role-Based Access Control (RBAC)
calServer uses the Yii RBAC system with database-based management (KCDbAuthManager). The hierarchy is structured as:
- Operations -- Granular permissions (e.g., read inventory, create calibration)
- Tasks -- Bundle multiple operations
- Roles -- Assigned to users
The types are defined in constants.php:
Permission checking is performed in KCAccessControlFilter, which is included as a filter in every controller.
User Groups and Release Groups
In addition to the RBAC system, calServer supports:
- User groups -- Organizational grouping of users
- Release groups -- Control data access to inventories and calibrations within a tenant
Tenant Isolation
Tenant isolation is ensured at the database level: each tenant works with its own MySQL database. The database connection (KCDbConnection) is established at runtime based on the tenant context.
Session Management
PHP sessions are managed server-side. Session duration and configuration are controlled via the PHP-FPM settings in configs/php.ini. Sessions are automatically terminated upon inactivity.
API Authentication
Access via the REST API requires the transmission of three HTTP headers:
| Header | Description |
|---|---|
| HTTP_X_REST_USERNAME | Username |
| HTTP_X_REST_PASSWORD | Password |
| HTTP_X_REST_API_KEY | API key (generated in the user profile) |
For more information, see API Authentication.
SSO Integration
calServer supports Single Sign-On via:
- SAML 2.0 -- Configuration in config/saml.php, implementation via onelogin/php-saml
- LDAP/Active Directory -- Integration via adldap/adldap
For setup details, see SSO and LDAP.
Cookie Consent
calServer provides a configurable cookie consent management system:
| Setting | Description |
|---|---|
| enable_cookie_banner | Enables the cookie banner |
| cookie_storage_days | Storage duration of consent in days |
| cookie_consent | Consent configuration |
Management is handled via the models FrontendCookieCategory and FrontendCookieItem.
Duplicate Record Checking
To prevent duplicates, calServer offers optional uniqueness checks:
| Setting | Description |
|---|---|
| disable_double_asset_number | Prevents duplicate inventory numbers |
| disable_double_booking_number | Prevents duplicate order numbers |
Audit Logging
All relevant changes are logged in the FrontendAudit table. The logging covers:
- User who made the change
- Timestamp of the change
- Type of change (create, update, delete)
- Affected record and field
- Old and new value
The log length is controlled via the parameter log_summary_length (default: 120 characters).
SSL Certificate Management
calServer manages SSL certificates via the CLI command insertcert, which detects certificates on the server and registers them in the ssl_certificate table. SSL termination is handled at the Nginx reverse proxy.