(Migrated) New security mechanisms

(This message has been automatically imported from the retired mailing list)

Hi there,

Here’s a bunch of chapters in the docs that describe the security mechanisms
new in 2.0:

SSL/TLS

It’s possible to secure channels with client certificates, require
specific fields in certificates, validate CA certs, set minimum protocol
versions and make use of a lot of what HAProxy or OpenSSL themselves offer
with regard to client connections.

The traffic from the load-balancer can now be secured with SSL/TLS,
including the load-balancer’s own certificates.

It’s also possible to use SSL/TLS resources in outgoing connections; this
includes client certificates and the validation of server certificates.

https://zato.io/docs/2.0/admin/guide/tls/overview.html
https://zato.io/docs/2.0/web-admin/security/tls/overview.html

RBAC (Role-based access control)

Takes security to another level. Clients can be grouped into roles.
Roles can be grouped into hierarchies with inheritance of permissions
for services, granted to roles instead of to each of the clients. CRUD
permissions are built automatically out of HTTP verbs. Pretty powerful
stuff if you ask me :)

https://zato.io/docs/2.0/admin/guide/rbac/overview.html
https://zato.io/docs/2.0/web-admin/security/rbac/overview.html

API keys, Amazon AWS, NTLM, OAuth and XPath security

Several new definition types that will come in handy as well.

https://zato.io/docs/2.0/web-admin/security/apikey.html
https://zato.io/docs/2.0/web-admin/security/aws.html
https://zato.io/docs/2.0/web-admin/security/ntlm.html
https://zato.io/docs/2.0/web-admin/security/oauth.html
https://zato.io/docs/2.0/web-admin/security/xpath.html
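
The SSL/TLS section above mentions two things a channel can demand of a
client: a minimum protocol version and specific fields in the presented
certificate. The following is an added example written for this post, not
Zato's own code: it builds a server-side context with Python's ssl module
that refuses anything below TLS 1.2 and rejects clients without a
certificate, and it checks the subject/issuer fields of a peer certificate
in the dict layout that ssl.SSLSocket.getpeercert() returns. The sample
certificate, the required fields and the cafile parameter are constructed
for the example.

```python
# Added example (not Zato's own code): a channel context that requires
# client certificates and a minimum TLS version, plus a check that the
# presented certificate carries required subject/issuer fields.
import ssl


def make_channel_context(cafile=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Server-side context: clients must present a certificate that chains
    to the CA(s) in `cafile`, and any protocol below `min_version` is
    refused. `cafile` is a parameter only; no file is read in this example,
    so in real use point it at the CA bundle the channel trusts."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.minimum_version = min_version       # TLS 1.0/1.1 (and SSLv3) are rejected
    ctx.verify_mode = ssl.CERT_REQUIRED     # a client with no certificate is rejected
    return ctx


def flatten_name(name):
    """getpeercert() encodes a subject or issuer as a tuple of RDNs, each a
    tuple of (attribute, value) pairs; collapse that into attribute -> [values]."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out.setdefault(attr, []).append(value)
    return out


def check_required_fields(cert, required):
    """Return (ok, problems). `required` maps 'subject' or 'issuer' to the
    attribute values the certificate must carry, e.g.
    {'subject': {'organizationName': 'Example Corp'}}.
    An empty dict means no certificate was presented, which fails the check."""
    if not cert:
        return False, ["no peer certificate presented"]
    problems = []
    for part, wanted in required.items():
        have = flatten_name(cert.get(part, ()))
        for attr, value in wanted.items():
            if value not in have.get(attr, []):
                problems.append(f"{part}.{attr}: want {value!r}, got {have.get(attr)}")
    return not problems, problems


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "PL"),),
        (("organizationName", "Example Corp"),),
        (("organizationalUnitName", "Integrations"),),
        (("commonName", "crm-client-01"),),
    ),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Internal CA"),),
    ),
}

# Constructed policy: the cert must come from the internal CA and belong to
# the Integrations unit of Example Corp.
REQUIRED = {
    "subject": {"organizationName": "Example Corp",
                "organizationalUnitName": "Integrations"},
    "issuer": {"commonName": "Example Internal CA"},
}

if __name__ == "__main__":
    ctx = make_channel_context()
    print(ctx.minimum_version.name, ctx.verify_mode.name)
    print(check_required_fields(SAMPLE_CERT, REQUIRED))
    print(check_required_fields(SAMPLE_CERT, {"subject": {"organizationalUnitName": "Finance"}}))
```

Note that the field check only makes sense after the handshake has already
verified the chain against the trusted CA: a subject string is whatever the
CA agreed to sign, so checking fields on a certificate from an untrusted CA
proves nothing.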
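
The RBAC section above describes three ideas: clients grouped into roles,
roles arranged in a hierarchy that inherits permissions, and CRUD
permissions derived from HTTP verbs. The following is an added example
written for this post, not Zato's implementation, that models those three
ideas in plain Python so the resolution order can be seen end to end. It
assumes a child role inherits every permission granted to the roles above
it, and the verb-to-CRUD mapping, role names, service names and clients
are assumptions made for the example.

```python
# Added example (not Zato's implementation): RBAC with a role hierarchy,
# inherited grants, and the CRUD operation derived from the HTTP verb.

# Assumed mapping from HTTP verb to CRUD operation. Unlisted verbs are denied.
VERB_TO_CRUD = {
    "POST": "CREATE",
    "GET": "READ",
    "PUT": "UPDATE",
    "PATCH": "UPDATE",
    "DELETE": "DELETE",
}
CRUD_OPS = frozenset(VERB_TO_CRUD.values())


class RBAC:
    def __init__(self):
        self.parent = {}        # role -> parent role (None for the root)
        self.client_roles = {}  # client -> set of roles
        self.grants = {}        # (role, service) -> set of CRUD ops

    def add_role(self, role, parent=None):
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent role {parent!r}")
        self.parent[role] = parent

    def assign(self, client, role):
        if role not in self.parent:
            raise ValueError(f"unknown role {role!r}")
        self.client_roles.setdefault(client, set()).add(role)

    def grant(self, role, service, ops):
        """Grant CRUD ops on a service to a role, never to an individual client."""
        unknown = set(ops) - CRUD_OPS
        if unknown:
            raise ValueError(f"not CRUD operations: {sorted(unknown)}")
        if role not in self.parent:
            raise ValueError(f"unknown role {role!r}")
        self.grants.setdefault((role, service), set()).update(ops)

    def lineage(self, role):
        """The role itself followed by its ancestors up to the root."""
        chain, seen = [], set()
        while role is not None:
            if role in seen:
                raise ValueError(f"cycle in role hierarchy at {role!r}")
            seen.add(role)
            chain.append(role)
            role = self.parent[role]
        return chain

    def effective_ops(self, client, service):
        """Every CRUD op the client holds on `service`, directly or inherited.
        Unknown clients hold nothing."""
        ops = set()
        for role in self.client_roles.get(client, ()):
            for ancestor in self.lineage(role):
                ops |= self.grants.get((ancestor, service), set())
        return ops

    def is_allowed(self, client, service, verb):
        """Map the verb to a CRUD op and check it against the effective grants.
        A verb with no CRUD meaning (TRACE, OPTIONS, ...) is denied outright."""
        op = VERB_TO_CRUD.get(verb.upper())
        if op is None:
            return False
        return op in self.effective_ops(client, service)


def build_demo():
    """Constructed hierarchy: Root > Staff > Admin. Staff can read the
    customer service; Admin adds create/update/delete on top of that."""
    rbac = RBAC()
    rbac.add_role("Root")
    rbac.add_role("Staff", parent="Root")
    rbac.add_role("Admin", parent="Staff")
    rbac.grant("Staff", "crm.customer", {"READ"})
    rbac.grant("Admin", "crm.customer", {"CREATE", "UPDATE", "DELETE"})
    rbac.assign("alice", "Admin")
    rbac.assign("bob", "Staff")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for client, verb in [("alice", "GET"), ("alice", "DELETE"),
                         ("bob", "GET"), ("bob", "DELETE"), ("carol", "GET")]:
        print(client, verb, rbac.is_allowed(client, "crm.customer", verb))
```

The point the hierarchy makes: alice is only ever assigned "Admin", yet she
can GET the customer service because READ was granted to "Staff" above her,
while bob on "Staff" alone cannot DELETE. Permissions attach to roles, so
changing what "Staff" may do changes it for every client in or below that
role without touching the clients themselves.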