Security Access Control (SAC) is a utility to control access to available API. The control is focused around security concern in terms of addressing unauthorised access and DoS attacks.
SAC service is implemented as an extension to sacFilter through SYS.httpSecurityAccessControlService extension point. Default implementation is ServletRequestSecurityAccessControlServiceImpl, which allows:
- IP whitelisting
- IP blacklisting
- Throttling (global and by IP)
Default extension enablement:
Detailed configuration is accomplished via SYSTEM_EXTENSION_CFG_SECURITY system attribute.
Limit overall number of requests per minute (integer)
Limit number of requests per minute per IP (integer)
Offending IP addresses will be reported to alerts in admin app.
Comma separated list of "starts with" IP declarations to blacklist. Note that the declaration has to conform to the IP resolver (Recommended approach is to track IP addresses reported in alerts and add them). You can also blacklist networks by specifying only the beginning of the IP.
This setting is mutually exclusive to "HTTP.allowIPCSV"
Comma separated list of "starts with" IP declarations to whitelist. It is recommended to use this setting for the admin app to limit access only to known networks. You can also whitelist networks by specifying only the beginning of the IP.
This setting is mutually exclusive to "HTTP.blockIPCSV"
# Limiting Admin to access only from known IP ADM.HTTP.maxRequestsPerMinute=1000 ADM.HTTP.allowIPCSV=220.127.116.11 # Frontend (limits should include resources) SFG.HTTP.maxRequestsPerMinute=5000 SFG.HTTP.maxRequestsPerMinutePerIP=300 SFW.HTTP.maxRequestsPerMinute=5000 SFW.HTTP.maxRequestsPerMinutePerIP=300 # Blocking bad IPs from accessing frontend SFW.HTTP.blockIPCSV=18.104.22.168 # REST API (only API calls) API.HTTP.maxRequestsPerMinute=1000 API.HTTP.maxRequestsPerMinutePerIP=10