
RestAPI APIKey for SAML authentication

If you have enabled SAML authentication mode for your CAST Security Dashboard/RestAPI deployment, some client applications may not be able to authenticate. This is because SAML is designed as a single sign-on mode for browsers, so non-browser clients cannot use the protocol. To resolve this, CAST provides the ability to define an API Key in the CAST Security Dashboard/RestAPI that can be used to bypass SAML authentication.

How does this work?

  • SAML authentication mode is enabled and configured for your CAST Security Dashboard/RestAPI deployment
  • In addition, an API Key is defined in the security.properties file in your CAST Security Dashboard/RestAPI deployment
  • The API Key is used instead of a password to authenticate
  • Clients must use two specific HTTP headers to ensure that the API Key is used
    • X-API-KEY: the API Key matching the key defined in the security.properties file
    • X-API-USER: a defined user name to obtain a CAST Security Dashboard/RestAPI role and data authorization
  • When an API Key is used to bypass SAML mode, the user will be automatically granted the "ADMIN" role even if this role has not explicitly been granted to the user in question.

You can find out more about this in RestAPI authentication using an API key.
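As an added illustration (not code from the CAST documentation), a minimal Python client that sends the two headers described above and reports an authentication failure by status code. The base URL, the "/server" path, the opener parameter and the environment variable name are assumptions made for the example:

```python
import json
import os
import urllib.error
import urllib.request

# Assumed base URL of a CAST RestAPI deployment; replace with your own.
REST_API_URL = "https://dashboard.example.com/CAST-RestAPI/rest"


def api_key_headers(user, api_key):
    """Build the two headers that make the RestAPI accept an API Key
    instead of the SAML browser flow (header names from the release note)."""
    if not user or not api_key:
        raise ValueError("both X-API-USER and X-API-KEY values are required")
    return {
        # The user whose role and data authorization apply. Per the release
        # note this user is granted ADMIN, so the key is an admin credential.
        "X-API-USER": user,
        # Must match the key defined in security.properties.
        "X-API-KEY": api_key,
        "Accept": "application/json",
    }


def get_json(path, user, api_key, base_url=REST_API_URL,
             opener=urllib.request.urlopen):
    """GET a RestAPI resource with API Key authentication. Returns the decoded
    JSON body, or the HTTP status code when the server rejects the request
    (e.g. 401/403 for a wrong key or unknown X-API-USER)."""
    req = urllib.request.Request(base_url + path,
                                 headers=api_key_headers(user, api_key))
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    # Read the key from the environment rather than hard-coding it in scripts.
    key = os.environ["CAST_API_KEY"]
    print(get_json("/server", "svc-reporting", key))
```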

GUI updates for Quality Standards and custom tags

It is now possible to:

  • add one or more custom tiles to the dashboard that display the number of violations (critical/non-critical violations according to the filter enabled) under a specific Quality Standards tag or manually injected custom tag
  • configure a list of tags (Quality Standards tags or manually injected custom tags) that can be displayed in a drop-down filter in the Risk Investigation view.

...

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json

Configuration

  • type: tile type has to be SecurityTile
  • parameters:
    • business: must always specify the metric 60016
    • rule: the Quality Standards or custom tag you wish to view
    • title: Title of the tile
    • id: the Quality Standards or custom tag you wish to view
    • description: a free text field to describe what the tile shows (not shown in the dashboard)
  • color: tile color
  • other parameters for sizing and positioning of the tile - see Tile Sizing and Positioning

Example

This example will display a tile showing the number of violations tagged with a custom injected tag called CUSTOM-TAG:

...

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json

Add the feature inside the "configuration": { ... } section at the start of the file:

...

See also: Health Results Resources - 1.11.0x.

Easy method for locating violations added to Action Plan or Exclusions list

...

It is now possible to configure a tile to display Background Facts that you have manually configured and uploaded during the snapshot generation (see Background Facts and Business Value Metric upload). The tile can display information about one metric that you have defined in the uploaded Background Facts file. See Engineering Dashboard tile management for more information about configuring the tile.

...

  • when drilling down in the Risk Investigation view
  • when drilling down in the Action Plan and Exclusion lists
  • when clicking More Violation Paths for security based rules

To enable the role, see Configuring User roles. When enabled, a message is displayed in the Dashboard as follows:

...

When the filter headings are clicked, a drop-down list is displayed offering the following options:

  • Priority - the available options are the same as those provided when adding a violation to the Action Plan, with the addition of All tags. These tags are defined under the "tag" item in the ced.json file (see Engineering Dashboard json configuration options), for example:
    • low
    • moderate
    • high
    • extreme
    • All tags

  • Status - options are set by default and cannot be edited: added, pending, solved.

...