Security aspects
Authentication and Authorization
The VisionHub Api-Server manages users and all authentication/authorization tasks. All client communication is handled by the Api-Server and forwarded to sub-systems (Tile-Server, Objects-Server, etc.) only after successful authentication and authorization. All client communication is hidden behind a proxy component that takes care of HTTP/S communication with external clients. VisionHub users are required to log in via the WebApp-Client. A JWT session cookie is used to allow secure communication between the WebApp-Client/Interactive Viewer and the Api-Server.
The API-Server utilizes a configurable role-based model (default roles: admin, manager, user) to manage users. External authentication authorities (LDAP, AD, OAuth2) can be integrated.
For authorization, the API-Server combines:
- RBAC/permission authorization: configurable application/user rights that are not bound to a specific entity (e.g. userXX/roleYY is allowed to upload/register files), and
- entity-specific ACLs (e.g. userXX/roleYY is allowed to view dataset ZZ).
The WebApp-Client provides a permission UI for each authorizable entity to define its ACLs.
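One way to model the two authorization layers described above, as an added example that is not VisionHub code. The class names, permission strings, user names and the dataset id are constructed for illustration. Deny-by-default and "every named check must pass" are assumptions of this sketch, not documented VisionHub behaviour.

```python
from dataclasses import dataclass, field

# All names below (users, roles, permission strings, dataset ids) are
# constructed for illustration; they are not VisionHub identifiers.

@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset

@dataclass
class Policy:
    # RBAC: permission -> set of grantees ("user:<name>" or "role:<name>")
    permissions: dict = field(default_factory=dict)
    # ACLs: (entity_type, entity_id) -> {action -> set of grantees}
    acls: dict = field(default_factory=dict)

    @staticmethod
    def _grantees(p):
        # A principal matches grants made to the user or to any of its roles.
        return {f"user:{p.user}"} | {f"role:{r}" for r in p.roles}

    def has_permission(self, p, permission):
        """Entity-independent right, e.g. 'files.upload'. Deny by default."""
        return bool(self._grantees(p) & self.permissions.get(permission, set()))

    def can_access(self, p, entity, action):
        """Entity-specific right, e.g. view dataset ZZ. Deny by default."""
        acl = self.acls.get(entity, {})
        return bool(self._grantees(p) & acl.get(action, set()))

    def authorize(self, p, permission=None, entity=None, action=None):
        """Every check a request names must pass; a request naming none is denied."""
        checks = []
        if permission is not None:
            checks.append(self.has_permission(p, permission))
        if entity is not None:
            checks.append(self.can_access(p, entity, action))
        return bool(checks) and all(checks)

def demo_policy():
    # Constructed sample policy mirroring the two examples in the list above.
    return Policy(
        permissions={"files.upload": {"role:manager", "user:alice"}},
        acls={("dataset", "ZZ"): {"view": {"role:user"}, "edit": {"user:bob"}}},
    )
```

In this model, holding an application-level permission never implies access to a particular entity, and an entity without an ACL entry is inaccessible to everyone.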
Web Application Security
arivis ensures that all of VisionHub’s publicly available routes pass the current OWASP Top 10 security risks checklist.