Markdown Converter
Agent skill for markdown-converter
This file provides guidance for working with the Security documentation section.
This section documents ThingsBoard's security infrastructure:
```text
09-security/
├── README.md            # Security overview and architecture
├── authentication.md    # JWT, OAuth2, 2FA, session management
├── authorization.md     # RBAC, authorities, permission model
├── tenant-isolation.md  # Defense-in-depth isolation layers
└── rate-limiting.md     # API limits, rate controls, quotas
```
The intended audience is security engineers and platform administrators implementing secure deployments. Assume familiarity with security concepts but not necessarily with ThingsBoard's specific security patterns.
Security documents should include:
For security concepts:
````markdown
## Security Feature

**Purpose**: What it protects

### Threat Model

| Threat | Protection |
|--------|------------|
| ... | ... |

### Configuration

```yaml
# Security settings
```

### Best Practices

1. Recommendation with rationale
2. Configuration guidance
3. Monitoring suggestions

### Common Pitfalls

| Pitfall | Risk | Mitigation |
|---------|------|------------|
| ... | ... | ... |
````
Use Mermaid diagrams (sequenceDiagram for flows, graph TB for layered structure) to illustrate the concepts.

Focus on security concepts and configuration, not implementation:

- DO: "JWT access tokens expire after the configured token expiration time (2.5 hours by default), requiring refresh token exchange"
  DON'T: "JwtTokenFactory.setExpTime() uses System.currentTimeMillis() + 9000 * 1000"
- DO: "Tenant isolation is enforced at API, permission, actor, queue, and database layers"
  DON'T: "TenantId.isNullUid() check in AbstractEntityService.checkTenantId()"
- DO: "OAuth2 authentication redirects users to the configured identity provider"
  DON'T: "OAuth2AuthorizationRequestResolver builds AuthorizationRequest from OAuth2ClientRegistration"
When updating this section, cross-reference:
- ~/work/viaanix/thingsboard.github.io-master/docs/user-guide/oauth-2-support/ - OAuth2 documentation
- ~/work/viaanix/thingsboard-master/application/src/main/java/org/thingsboard/server/service/security/ - Security services
- ~/work/viaanix/thingsboard-master/common/data/src/main/java/org/thingsboard/server/common/data/security/ - Security models
- ~/work/viaanix/thingsboard-master/dao/src/main/java/org/thingsboard/server/dao/user/ - User data access
- 06-api-layer/authentication.md - API-level auth mechanisms
- 01-architecture/multi-tenancy.md - Tenant architecture
- 02-core-concepts/entities/device.md - Device credentials
- 05-transport-layer/ - Transport authentication

Ensure all See Also links point to valid files:
```shell
# list every relative link target used in the section, deduplicated
grep -r "\.\.\/" docs/09-security/ | grep -o '\.\./[^)]*' | sort -u
```
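The grep lists link targets but does not tell you whether they resolve. The following is an added example, not part of ThingsBoard or its documentation tooling: it resolves each relative Markdown link from the file that contains it and reports missing targets. The sample tree in build_sample_tree (including the misspelled link) is constructed for the demo.

```python
"""Added example, not part of ThingsBoard or its docs tooling: resolve each
relative Markdown link under docs/09-security/ and report targets that do not
exist. The grep above lists link targets; this also checks that they resolve
from the file that contains them. The sample tree in build_sample_tree is
constructed for the demo."""
import re
import tempfile
from pathlib import Path

# target of an inline link, with any #anchor stripped: [text](../x/y.md#anchor)
LINK_RE = re.compile(r"\]\(([^)\s#]+)(?:#[^)]*)?\)")


def find_broken_links(docs_root: Path, section: str = "09-security") -> list:
    """Return (file, target) pairs for relative links whose target is missing."""
    broken = []
    for md in sorted((docs_root / section).rglob("*.md")):
        for target in LINK_RE.findall(md.read_text(encoding="utf-8")):
            if "://" in target or target.startswith("mailto:"):
                continue                                   # external links are out of scope
            if not (md.parent / target).resolve().exists():    # resolved relative to the linking file
                broken.append((md.relative_to(docs_root).as_posix(), target))
    return broken


def build_sample_tree(root: Path) -> None:
    """Constructed docs tree: one valid cross-reference, one misspelled one, one external link."""
    (root / "06-api-layer").mkdir(parents=True)
    (root / "06-api-layer" / "authentication.md").write_text("# API-level authentication\n")
    section = root / "09-security"
    section.mkdir()
    (section / "authentication.md").write_text(
        "## See Also\n"
        "- [API auth](../06-api-layer/authentication.md#jwt)\n"
        "- [Tenancy](../01-architecture/multi-tenacy.md)\n"        # misspelled: does not exist
        "- [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)\n")


def demo() -> list:
    """Run the check on the constructed tree; returns the one broken link."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "docs"
        build_sample_tree(root)
        return find_broken_links(root)


if __name__ == "__main__":
    for path, target in demo():
        print(f"{path}: broken link -> {target}")
```

Run it from the repository root with `docs` as the root; a non-empty result is what a pre-commit hook or CI job should fail on.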
Use these skills when working on this section:
| Skill | Command | Use For |
|---|---|---|
| security-engineer | /security-engineer | Security architecture, compliance, DevSecOps |
| jwt-expert | /jwt-expert | JWT implementation, token security, validation |
| technical-writer | /technical-writer | Clear security documentation |
- /jwt-expert for token handling
- /security-engineer for defense-in-depth
- /technical-writer for clear documentation
- /security-engineer for identity patterns

When documenting security, emphasize:
| Concept | Key Points |
|---|---|
| JWT Structure | Header, payload, signature; access vs refresh tokens |
| Token Lifecycle | Issuance, validation, refresh, expiration |
| Authority Levels | SYS_ADMIN > TENANT_ADMIN > CUSTOMER_USER hierarchy |
| Tenant Boundaries | API, permission, actor, queue, database layers |
| Device Credentials | Access token, X.509, MQTT basic auth, LwM2M |
| OAuth2 Integration | External IdP, SSO, token mapping |
Ensure documentation covers these security issues:
| Pitfall | Description |
|---|---|
| Token in URL | JWTs exposed in query strings are logged and cached |
| Long-lived tokens | Extended expiration increases attack window |
| Missing refresh | Not implementing refresh flow causes session drops |
| Weak secrets | Using default or weak JWT signing secrets |
| Authority confusion | Misunderstanding TENANT_ADMIN vs CUSTOMER_USER scope |
| Missing tenant check | Forgetting tenant ID validation in custom extensions |
| Rate limit bypass | Not applying limits to all API paths |
| OAuth2 redirect | Insecure redirect URI configuration |
For authentication docs, ensure coverage of:
| Flow | Content |
|---|---|
| Login | Username/password → JWT pair |
| Refresh | Refresh token → new access token |
| OAuth2 | External IdP → JWT mapping |
| 2FA | Second factor verification |
| Device Auth | Access token / X.509 / MQTT auth |
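The JWT structure and lifecycle rows above, the token pitfalls (long-lived tokens, weak secrets) and the Login and Refresh flows all describe one mechanism, so one added example covers them. It is not ThingsBoard code: an HS256 access/refresh pair is issued, validated, refreshed, and rejected when expired, forged, downgraded to alg=none, or signed with a weak secret. The claim names sub, tenantId and scopes and the REFRESH_TOKEN marker follow ThingsBoard's tokens, and the TTLs are ThingsBoard's defaults; the user, tenant and secret are constructed.

```python
"""Added example, not ThingsBoard code: an HS256 access/refresh token pair
issued, validated, refreshed and rejected when expired, forged or weakly
signed. Claim names (sub, tenantId, scopes) follow ThingsBoard's tokens and
the TTLs are its defaults; users, tenants and secrets are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 9000        # seconds; ThingsBoard's default tokenExpirationTime
REFRESH_TTL = 604800     # seconds; ThingsBoard's default refreshTokenExpTime
MIN_SECRET_BYTES = 32    # HS256 wants at least 256 bits of key (RFC 7518, 3.2)
KNOWN_WEAK = {b"secret", b"changeme", b"password"}   # constructed deny-list
REFRESH_SCOPE = ["REFRESH_TOKEN"]                    # marks the refresh token


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> str:
    return _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def check_secret(secret: bytes) -> None:
    """Weak-secret pitfall: refuse to sign with short or well-known keys."""
    if len(secret) < MIN_SECRET_BYTES or secret in KNOWN_WEAK:
        raise ValueError("JWT signing secret is too short or a known default")


def issue(sub: str, tenant_id: str, scopes: list, ttl: int, secret: bytes, now: int) -> str:
    """Build header.payload.signature with a bounded lifetime and a unique id."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": sub, "tenantId": tenant_id, "scopes": scopes,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}', secret)}"


def validate(token: str, secret: bytes, now: int, refresh: bool = False) -> dict:
    """Check alg, signature, expiry, and that the token is used in the right flow."""
    try:
        h64, p64, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_unb64url(h64)).get("alg") != "HS256":   # no alg=none, no key confusion
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(f"{h64}.{p64}", secret)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if (claims.get("scopes") == REFRESH_SCOPE) != refresh:  # a refresh token is not an access token
        raise ValueError("token used outside its intended flow")
    return claims


def login(sub: str, tenant_id: str, authorities: list, secret: bytes, now: int) -> dict:
    """Login flow: credentials already verified by the caller -> JWT pair."""
    check_secret(secret)
    return {"token": issue(sub, tenant_id, authorities, ACCESS_TTL, secret, now),
            "refreshToken": issue(sub, tenant_id, REFRESH_SCOPE, REFRESH_TTL, secret, now)}


def refresh(refresh_token: str, users: dict, secret: bytes, now: int) -> dict:
    """Refresh flow: valid refresh token -> new pair. Authorities are re-read from
    the user store (a constructed dict here), not copied from the old token."""
    claims = validate(refresh_token, secret, now, refresh=True)
    return login(claims["sub"], claims["tenantId"], users[claims["sub"]], secret, now)


def _outcome(fn) -> str:
    try:
        fn()
        return "accepted"
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Walk the lifecycle on constructed data and return each check's outcome."""
    secret = secrets.token_bytes(32)
    users = {"admin@tenant-a.example": ["TENANT_ADMIN"]}
    t0 = 1_700_000_000
    pair = login("admin@tenant-a.example", "tenant-a", users["admin@tenant-a.example"], secret, t0)
    h64, p64, sig = pair["token"].split(".")
    hop = dict(json.loads(_unb64url(p64)), tenantId="tenant-b")     # edit the claim, keep the signature
    forged = f"{h64}.{_b64url(json.dumps(hop, separators=(',', ':')).encode())}.{sig}"
    none_header = _b64url(b'{"alg":"none"}')
    alg_none = f"{none_header}.{p64}."
    later = t0 + ACCESS_TTL
    return {
        "access_ok": validate(pair["token"], secret, t0 + 60)["scopes"],
        "access_expired": _outcome(lambda: validate(pair["token"], secret, later)),
        "refresh_as_access": _outcome(lambda: validate(pair["refreshToken"], secret, t0 + 60)),
        "refreshed_sub": validate(refresh(pair["refreshToken"], users, secret, later + 1)["token"],
                                  secret, later + 2)["sub"],
        "tampered": _outcome(lambda: validate(forged, secret, t0 + 60)),
        "alg_none": _outcome(lambda: validate(alg_none, secret, t0 + 60)),
        "weak_secret": _outcome(lambda: login("x", "t", ["CUSTOMER_USER"], b"secret", t0)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth carrying into the documentation: the algorithm is fixed by the verifier rather than read from the token header, and the refresh token is distinguishable from the access token so it cannot be replayed against ordinary API endpoints.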
For authorization docs, ensure coverage of:
| Aspect | Content |
|---|---|
| Authorities | SYS_ADMIN, TENANT_ADMIN, CUSTOMER_USER |
| Permissions | Entity-level access control |
| Inheritance | Permission flow in customer hierarchy |
| API Access | Which endpoints each role can access |
For isolation docs, ensure coverage of:
| Layer | Content |
|---|---|
| API Layer | Request validation, tenant context |
| Permission Layer | Entity access verification |
| Actor Layer | Tenant actor isolation |
| Queue Layer | Message routing by tenant |
| Database Layer | Query filtering by tenant ID |
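The database and permission layers above, together with the "Missing tenant check" pitfall, are easiest to show side by side. The following is an added example on a constructed SQLite table, not ThingsBoard's DAO code: the unscoped lookup that a custom extension might write is shown only to make the leak visible, beside the tenant-scoped query and the second-line tenant check.

```python
"""Added example, not ThingsBoard code: the database-layer rule (every query
filtered by tenant id) and the permission-layer check on a constructed SQLite
table. Device ids, tenant ids and names are constructed sample data."""
import sqlite3


class TenantAccessError(PermissionError):
    """Raised when an entity does not belong to the calling tenant."""


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one device for each of two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (id TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, "
                 "name TEXT NOT NULL)")
    conn.execute("CREATE INDEX device_by_tenant ON device (tenant_id)")
    conn.executemany("INSERT INTO device VALUES (?, ?, ?)",
                     [("dev-a1", "tenant-a", "pump-1"), ("dev-b1", "tenant-b", "pump-2")])
    return conn


def find_device_unscoped(conn, device_id):
    """The pitfall: a lookup by id alone returns any tenant's row to whoever
    knows (or guesses, or leaks) the id."""
    return conn.execute("SELECT id, tenant_id, name FROM device WHERE id = ?",
                        (device_id,)).fetchone()


def find_device(conn, tenant_id, device_id):
    """Database layer: tenant_id is part of the predicate, so a foreign row is
    not found at all rather than found and filtered afterwards."""
    return conn.execute("SELECT id, tenant_id, name FROM device WHERE tenant_id = ? AND id = ?",
                        (tenant_id, device_id)).fetchone()


def check_tenant(tenant_id, entity):
    """Permission layer: defence in depth. Whatever path produced the entity,
    re-validate its tenant against the caller before it is used."""
    if entity is None or entity[1] != tenant_id:
        raise TenantAccessError(f"entity is not visible to tenant {tenant_id}")
    return entity


def list_devices(conn, tenant_id, limit=100, offset=0):
    """Paged listing, always scoped: tenant-facing code has no 'all devices' query."""
    rows = conn.execute("SELECT name FROM device WHERE tenant_id = ? ORDER BY name LIMIT ? OFFSET ?",
                        (tenant_id, limit, offset)).fetchall()
    return [name for (name,) in rows]


def demo() -> dict:
    """tenant-a asks for tenant-b's device through each path."""
    conn = setup_db()
    out = {
        "unscoped_leak": find_device_unscoped(conn, "dev-b1"),   # cross-tenant read succeeds
        "scoped": find_device(conn, "tenant-a", "dev-b1"),       # not found
        "own": find_device(conn, "tenant-a", "dev-a1"),
        "listed": list_devices(conn, "tenant-a"),
    }
    try:
        check_tenant("tenant-a", find_device_unscoped(conn, "dev-b1"))
        out["check"] = "allowed"
    except TenantAccessError:
        out["check"] = "denied"                                   # second layer catches it
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for reviewers of custom extensions: the scoped query is the primary control, and check_tenant is the layer that still holds when someone bypasses it.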
For rate limiting docs, ensure coverage of:
| Aspect | Content |
|---|---|
| Limits | Message count, API requests, WS connections |
| Scopes | Per-device, per-tenant, global |
| Configuration | YAML settings and defaults |
| Monitoring | Limit violation alerts |
| Recovery | Behavior after limit reset |
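The limits, scopes, monitoring and recovery rows above can be shown in one place. The following is an added example, not ThingsBoard's rate-limiting code: sliding-window limits applied at the global, per-tenant and per-device scopes, with violations collected for alerting. The limit strings use the comma-separated count:seconds form of ThingsBoard's rate-limit settings; the specific values and the traffic pattern are constructed.

```python
"""Added example, not ThingsBoard code: sliding-window limits applied at the
global, per-tenant and per-device scopes. Limit strings use the comma-separated
count:seconds form of ThingsBoard's rate-limit settings; the values and the
traffic in demo() are constructed."""
import time
from collections import defaultdict, deque


def parse_limits(spec: str) -> list:
    """'100:1,2000:60' -> [(100, 1), (2000, 60)]: 100 per second AND 2000 per minute."""
    limits = []
    for part in spec.split(","):
        count, seconds = (int(x) for x in part.strip().split(":"))
        if count <= 0 or seconds <= 0:
            raise ValueError(f"invalid limit {part!r}")
        limits.append((count, seconds))
    return limits


class SlidingWindowLimiter:
    """Timestamps of accepted requests per key; every window in the spec must have room."""

    def __init__(self, spec: str):
        self.limits = parse_limits(spec)
        self.longest = max(seconds for _, seconds in self.limits)
        self.history = defaultdict(deque)

    def check(self, key: str, now: float) -> bool:
        q = self.history[key]
        while q and now - q[0] >= self.longest:      # forget what no window can see any more
            q.popleft()
        return all(sum(1 for t in q if now - t < seconds) < count
                   for count, seconds in self.limits)

    def record(self, key: str, now: float) -> None:
        self.history[key].append(now)


class ScopedRateLimits:
    """Global, then tenant, then device. A request is recorded in every scope only
    after all of them accept it, so a rejected burst from one device does not
    consume its tenant's quota."""

    def __init__(self, global_spec: str, tenant_spec: str, device_spec: str):
        self.scopes = [("global", SlidingWindowLimiter(global_spec)),
                       ("tenant", SlidingWindowLimiter(tenant_spec)),
                       ("device", SlidingWindowLimiter(device_spec))]
        self.violations = []           # (time, scope, key): what an alert rule would consume

    def allow(self, tenant_id: str, device_id: str, now=None):
        """Return (True, None) when accepted, else (False, name of the scope that rejected)."""
        now = time.monotonic() if now is None else now
        keys = {"global": "*", "tenant": tenant_id, "device": f"{tenant_id}/{device_id}"}
        for scope, limiter in self.scopes:
            if not limiter.check(keys[scope], now):
                self.violations.append((now, scope, keys[scope]))
                return False, scope
        for scope, limiter in self.scopes:
            limiter.record(keys[scope], now)
        return True, None


def demo():
    """Constructed traffic against device 2/s, tenant 3/s and 5/min, global 1000/s."""
    rl = ScopedRateLimits("1000:1", "3:1,5:60", "2:1")
    decisions = []
    decisions += [rl.allow("tenant-a", "d1", now=0.0)[1] for _ in range(3)]   # third hits device 2/s
    decisions += [rl.allow("tenant-a", "d2", now=0.0)[1] for _ in range(2)]   # second hits tenant 3/s
    decisions += [rl.allow("tenant-a", "d2", now=1.5)[1] for _ in range(3)]   # third hits tenant 5/min
    decisions.append(rl.allow("tenant-b", "d9", now=1.5)[1])                   # other tenant unaffected
    decisions.append(rl.allow("tenant-a", "d2", now=61.0)[1])                  # recovered after window
    return decisions, len(rl.violations)


if __name__ == "__main__":
    print(demo())
```

The violations list is the monitoring hook: each entry names the scope and key that tripped, which is what an alert on repeated limit violations per tenant or device needs. Recovery needs no explicit reset; once the window has moved past the old timestamps the same key is accepted again.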