+1 on this effort. Let's keep it simple for adding more advice... that was the benefit of the wiki doc. If there are acceptance criteria implied for adding more information, please share that rubric, i.e. what are the extension points in the documentation?

E.g. if a bank is running something like an LDAP server for existing roles and they implement Fineract, what documentation would answer "how should this be done?" or "what RBAC exists and where is that documentation?" The security CVE fixes will continue to be listed on the wiki and in email, AFAIK.

Thanks again,
Jame a

On Mon, Jun 9, 2025 at 7:46 PM Adam Monsen <meonk...@apache.org> wrote:

> I'm looking for feedback and suggestions for improvement on my
> work-in-progress security documentation
> <https://github.com/apache/fineract/compare/develop...meonkeys:security-doc>.
> I don't have much farther to go, I think mainly just carefully going over
> the content I moved from the wiki. I'll make a squashed PR soon so this
> will be the last chance to see individual commits. The relevant ticket is
> FINERACT-2310 <https://issues.apache.org/jira/browse/FINERACT-2310>.
>
> The goals of this work are to:
>
> 1. gather all security-related documentation in one place in the
> official (asciidoc) docs to reduce sources of truth and ease future
> maintenance
> 2. update and improve anything outdated or inaccurate so we have a
> good fresh starting point
> 3. clarify the security responsibility of Fineract itself (writing code
> that is "secure by design") vs. those hosting/deploying Fineract
> (securing/hardening a deployment) to guide ourselves and others with
> respect to new potential vulnerabilities
>
> Feedback welcome on the FIXME comments; those aren't super important so
> I'll just remove them if I'm unable to resolve them.
>
> Here are some highlights:
>
> simplified readme
>
> The top-level readme
> <https://github.com/apache/fineract/blob/develop/README.md> has sections
> about oauth, 2FA, and "SSL" (now "TLS", one would hope). I want to move
> this all into the asciidoc and refer users there:
>
> see attached readme.png
>
> added intro
>
> I added intro text in the security chapter.
>
> see attached security-intro.png
>
> content moved from wiki
>
> I ported over Securing Fineract
> <https://cwiki.apache.org/confluence/display/FINERACT/Securing+Fineract>
> from the wiki into asciidoc and made a few improvements. If my patch is
> accepted my intent is to change the wiki page to link to the official docs
> deployed to https://fineract.apache.org/docs/current/, similar to the
> readme.
>
> see attached content-from-wiki.png
>
> table of contents
>
> New sections for HTTP Basic Authentication, 2FA, and Securing Fineract
> (content from the wiki).
>
> see attached toc.png
>
> fix swagger intro text
>
> I just reformatted this as Markdown so the links work.
>
> see attached swagger.png
>
> other
>
> - fix oauth URL for new Keycloak
> - fix legacy-docs links
> - move all asciidoc config to one place (:hardbreaks: is now in
> config.adoc)
> - update keycloak example for 26.2.5 (I tested this procedure locally)
> - use asciidoc auto-numbering