Is there a security overview? How is data communicated and secured between SpecLog client and server?
With the exception of the server admin tool (SpecLog.ServerManager.exe), all access to the SQL server goes through the SpecLog server. The SpecLog server accesses the SQL server using the service account. Other users do not require any access to the SQL server, and all requests are handled and forwarded by the SpecLog server using the service account.
The command line tools and SpecLog client can communicate with the SpecLog server via HTTPS and SSL. The SpecLog server communicates with the SQL server using the SpecLog service account (admin). This communication is secured using TDS: either Active Directory or SQL Security.
The tokens generated by the SpecLog server and used to authenticate the clients use PPK encryption. The corresponding private key used by the SpecLog server to decrypt the token is stored on the SQL server and only accessed by the SpecLog server using the service account.
In contrast to the other command line tools, the server admin tool SpecLog.ServerManager.exe requires direct access to the SQL server; requests are not handled by the SpecLog server. Direct access is required, as this tool is used to first set up the service account required by the SpecLog server.
The SQL database contains the access permissions defined per
user and repository, the authorisation tokens (encrypted via PPK as mentioned
above) and the private key required by the SpecLog server to authenticate the
tokens.