Add THREAT_MODEL.md per the Apache security threat-model rubric #1224
Open
jamesfredley wants to merge 1 commit into
Conversation
Introduces three new top-level documents binding the 8.0.x branch:
- THREAT_MODEL.md: prose threat model covering all eight plugins (core, acl, compat shim, ldap, cas, oauth2, rest/jwt, ui) and the REST token-storage backends. Follows the Apache security-team rubric with sections for scope, trust boundaries, configuration variants, inputs, adversaries, properties provided and disclaimed, downstream responsibilities, misuse patterns, known non-findings, conditions that would change the model, triage dispositions, and open questions for the PMC.
- threat-model.yaml: machine-readable companion indexing components, config knobs, entry points, adversaries, claimed and disclaimed properties, false friends, known non-findings, and the closed disposition set.
- SECURITY.md: disclosure-process artifact pointing reporters at the ASF Security Team and cross-referencing the threat-model sections that govern triage.
Status is DRAFT; section 14 lists open questions for PMC ratification.
Assisted-by: claude-code:claude-4.7-opus
jamesfredley (Contributor, Author) commented:
https://github.com/apache/grails-spring-security/pull/1224/changes section §14 has some open questions that we will need to answer and then can regenerate those missing portions. @bkoehm @matrei @codeconsole
bkoehm (Contributor) reviewed May 20, 2026 and left a comment:
The SECURITY.md text looks fine to me. I cannot comment on threat-model.yaml as I am not familiar with this.
jamesfredley (Contributor, Author) commented:
This PR is the last step before Mythos review of grails-spring-security.
Introduces three top-level documents binding the 8.0.x branch:
- THREAT_MODEL.md - prose threat model following the Apache security-team rubric, covering all eight plugins (core, acl, compat shim, ldap, cas, oauth2, rest/jwt, ui) plus the four REST token-storage backends. Sections cover scope, trust boundaries, configuration variants, per-input trust, adversaries, properties provided (P1-P15), properties disclaimed, downstream responsibilities, known misuse patterns, known non-findings, conditions that would change the model, the closed set of triage dispositions, and open questions for the PMC.
- threat-model.yaml - machine-readable companion indexing components, config knobs, entry points, adversaries, claimed and disclaimed properties, false friends, known non-findings, and the closed disposition set. Intended for automated triage tooling.
- SECURITY.md - disclosure-process artifact pointing reporters at the ASF Security Team (security@apache.org) and cross-referencing the threat-model sections that govern triage.

Status
DRAFT. Section 14 lists open questions for PMC ratification, grouped into three waves (scope, trust boundaries, misuse patterns) plus three meta questions. Once answered, the matching (inferred) tags promote to (maintainer) and the questions are deleted.

What it claims (§8 summary)
P1-P15 across the eight plugins. The most security-critical claims:
- `rejectIfNoRule: true`).
- `alg=none` open question flagged for wave 1.

What it disclaims (§9 summary)
Highlights that surface frequently in scans of this codebase:
- `/login`, `/register`, `/forgotPassword`, `/api/login`.
- `JwtTokenStorageService.removeToken` is a no-op).
- `state` (current implementation uses `java.util.Random`).
- `X-Forwarded-For` / `X-Forwarded-Port` awareness in `IpAddressFilter` and `PortResolverImpl`.
- `ldap.context.server` is plaintext `ldap://`.
- `@Secured`, no default Requestmap rows).

Drafting methodology
Multi-agent code analysis across the eight plugins:
- plugin-core: filter chain composition, authentication/authorization machinery, password encoders, session security, remember-me, channel security, IP restrictions, role hierarchy, autoconfig exclusion.
- plugin-acl + spring-security-compat: ACL services, object identity, voters, run-as, channel processors, expression-based pre/post advice.
- plugin-rest: REST filter chain, JWT generation/validation, token storage backends, CORS, refresh tokens, OAuth callback flow.
- plugin-ldap + plugin-cas + plugin-oauth2: external IdP integration patterns, ticket validators, OAuth state generation, PKCE absence, callback URL handling.
- plugin-ui: controllers, forms, command objects, GSP files, registration/reset flows, CSRF (`useToken`/`withForm`) coverage.
Cross-referenced against per-plugin `docs/src/docs/*.adoc` files for the (documented) provenance tags.

Open questions for the PMC
The 22 questions in §14 are the load-bearing ratification gate. Wave 1 (scope / intended use) drives section 2-3 wording and the disposition for the `alg=none` and `cas.useSingleSignout` cases. Wave 2 (trust boundaries) covers proxy-awareness and OAuth2 hardening. Wave 3 covers misuse-pattern policy and known non-finding curation.

Companion change in grails-core
Pairs with apache/grails-core#15664, which introduces the equivalent document at the framework level. References to "Grails plugin or `grails` profile" are aligned across both PRs.
Assisted-by: claude-code:claude-4.7-opus
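The disclaimed-properties summary above lists the OAuth2 `state` value as currently drawn from `java.util.Random`. As an added illustration of why that item is disclaimed, and what the hardened form looks like, here is a standalone Java example; it is not code from grails-spring-security or from this PR, and the class and method names (`OAuth2StateExample`, `weakState`, `strongState`, `stateMatches`) are hypothetical. It contrasts a `state` produced by `java.util.Random` with one produced by `SecureRandom`, and shows the callback-side comparison that the `state` parameter exists to support.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example; not code from grails-spring-security or from this PR.
// Contrasts an OAuth2 "state" drawn from java.util.Random (the disclaimed
// case in the PR body) with one drawn from SecureRandom, and shows the
// callback-side comparison. Class and method names are hypothetical.
public final class OAuth2StateExample {

    private static final SecureRandom CSPRNG = new SecureRandom();

    // Weak: java.util.Random is a 48-bit linear congruential generator. An
    // attacker who learns the seed, or reconstructs the internal state from a
    // few observed outputs, reproduces every later "state" value and can
    // forge a callback that passes the state check (CSRF on the login flow).
    public static String weakState(Random rng) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Hardened: 128 bits from the platform CSPRNG, URL-safe, unguessable.
    public static String strongState() {
        byte[] raw = new byte[16];
        CSPRNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Callback check: the state bound to the session at redirect time must
    // equal the state the IdP echoes back. MessageDigest.isEqual compares in
    // constant time for equal-length inputs, so the check leaks no prefix.
    public static boolean stateMatches(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                received.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Two Random instances with the same seed emit the same "state":
        // whoever knows the seed knows the token.
        String victim = weakState(new Random(1234567L));
        String attacker = weakState(new Random(1234567L));
        System.out.println("Random, same seed, identical state: " + victim.equals(attacker));

        String genuine = strongState();
        String other = strongState();
        System.out.println("SecureRandom states differ:     " + !genuine.equals(other));
        System.out.println("Genuine callback accepted:      " + stateMatches(genuine, genuine));
        System.out.println("Forged callback rejected:       " + !stateMatches(genuine, other));
    }
}
```

The fix is a one-line swap of the generator, but the comparison matters as much as the generation: a `state` that is unguessable yet never checked, or checked with an early-exit `equals` on attacker-influenced input, gives none of the CSRF protection the parameter is meant to provide.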