Can I create a walled garden allowing only my organisation's users/ clients to use my ejabberd instance/ service.
This includes registration of users done only by my backend and preventing other clients' users to register or access the server. Additionally users of another server can not be added by existing users.
This includes registration of users done only by my backend
Then probably limit mod_register using the options access_from and ip_access:
https://docs.ejabberd.im/admin/configuration/modules/#mod-register
And then write your custom web application that sends ReST or XMP-RPC queries to ejabberd's
https://docs.ejabberd.im/developer/ejabberd-api/#understanding-ejabberd-commands
and executes the "register" API command:
https://docs.ejabberd.im/developer/ejabberd-api/admin-api/#register
and preventing other clients' users to register
If you use your custom web to show a formulary, that's your duty.
or access the server.
Additionally users of another server can not be added by existing users.
You may want to disable S2S (server-to-server), so communication from/to your XMPP server to other XMPP servers is not allowed.
Related
I am using a mobile application that connects directly to the database instance (Postgres), as such, I have to keep the ports open for traffic that is generated from the internet (4G, mobile app).
This mobile app (QFIELD, mobile version of QGIS) has a direct connection to the database, this is the reason why the database is reachable from the internet on a public ip but this is a critical issue for the security of the data and the requests that can be sent to the database.
I would like to proxy the requests so that the database is only available to local machines and not open for connections directly.
The mobile appp would send the request to an HTTP url which would send the request to the local ip and port, this way I would avoid to have the database exposed on the internet.
Ideally, I would like to go from this app (which uses a postgres connection string to connect to the server) to an HTTP server that routes the request locally, as such:
APP connects to https://myproxy/postgres
Request is proxied to a local server
Can I do this with Apache2? Any ideas?
At the moment I cannot write a middleware that proxies requests from the APP to the local postgres.
If your application is expecting to connect directly to a PostgreSQL database and you don't want to change that then you need to connect to something that "speaks" PostgreSQL's client protocol.
You can place a proxy such as pgbouncer or pgpool in front of it, but they aren't a guarantee of greater security just by themselves. This is the same problem as with any proxy - it is just forwarding requests and responses to your actual server so any vulnerability is still exposed.
What you can do is:
restrict the number of connections at the proxy point
restrict which users can connect non-locally to your PostgreSQL cluster
restrict where they can connect from to just your proxy
restrict those users permissions within the database(s)
That last point is particularly important - assume any user account your application can be used maliciously. Restrict the account to prevent mass updating or deleting of data. Also take special care to restrict access to other users' data.
If I was forced to allow access like this, I would want one PostgreSQL user account per actual user at the very least. In practice I wouldn't get to this point with a production application.
I have an authentication server using oauth2.
I use it for :
Authentication from the other services, subscription, change and retrieve password etc.
As resource server to store and retrieve more users and groups informations. I have a ManyToMany relationship between users and groups.
Should I seperate the second part of functionalities of this app on another standalone service that will work as resource server only. And only keep the authentication part on the authorization server?
That way I could horizontally scale these two services separately.
Yes, the better idea would be to have the configuration as a separate standalone service running on cloud. With configuration server as a separate service you can add all the authorization and other sort of details like DB details, API details, messaging queue configuration etc, and get connected to N number of services.
We are designing security for a green field project with a UI web module (Spring MVC) - the client, and a RESTful services web module (CXF) - the server, to be deployed as separate war files in the same Websphere app server. The system should be secured with Spring Security, authenticating against LDAP and authorizing against a database. We have been looking for the best solution to share the security context between the 2 apps, so a user can authenticate in the web UI and invoke its AJAX calls to the secured RESTful services. Options found:
OAuth: seems overkill for our requirements, introduces a fairly complex authentication process, and reportedly some enterprise integration issues
CAS: would amount to setting up an enterprise SSO solution, something beyond the scope of our engagement
Container-based (Websphere) security, although not recommended by Spring Security, and we're not clear if this could provide a solution to our specific needs
We're looking for a simpler solution. How can we propagate the Security Context between the 2 apps? Should we implement authentication in the UI web app, then persist sessions in the DB, for the RESTful services to lookup? Can CXF provide a solution? We read many threads about generating a 'security token' that can be passed around, but how can this be done exactly with Spring Security, and is it safe enough?
Looking forward to any thoughts or advice.
You want to be able to perform the REST web services on the server on behalf the user authenticated in UI web module.
The requirements you described called SingleSignOn.
The simplest way to do it is passing the HTTP header with the user name during REST WS calls.
(I hope your REST client allows to do it).
To do it in secure way use one of the following:
Encrypt the user name in REST client and decrypt it in REST server
Ensure that the header is sent from the local host (since your application deployed on the same container)
Therefore, protect both application using SpringSecurity authenticate against LDAP.
In the first application (Rest Client) use regular Form Authentication
In the second application (Rest Server) add the your own PreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167
Edited
The “Authentication” is the process of verifying of a principal’s identity.
In our case both REST Client (Spring MVC application) and REST server (CXF application) verify an identity against LDAP. LDAP “says” OK or Not. LDAP is a user repository. It stateless and does not remember the previous states. It should be kept in applications.
According to my understanding, a user will not access directly to REST server – the user always access REST Client. Therefore, when the user access REST Client he/ she provides a user name and a password and REST Client authenticate against LDAP. So, if REST Client access REST server the user is authenticated and REST Client knows his name.
So, if request come to REST server with a user header name - REST server for sure knows that the user was authenticated and it should not authenticate it again against LDAP.
(The header should be passed in the secured way as described above).
Rest Server should take the user name, to access to LDAP and to collect related user information without providing of the user password (since the user already authenticated).
I installed Ejabberd server and configured ExAuth for a php script. I am checking the chat with pidgin chat client on ubuntu and windows xp(in virtualbox). I am able to login via ExAuth (where users listed in my mysql database) in both ubuntu and windows with different users.
However They are unable to chat each other as each other status is showing as Not Authorized.
Early I checked with internal auth_method. Where i added two users via web admin, and then login both at windows and linux machine. When i add buddy, then request goes to other user, After request approval by other user, Chat was worked. But in ExAuth Even after sending request, Other user did not receive any request.
If any body know where can be the problem area ?
I think you are confusing authentication (allowing to open an XMPP session on the server) and presence subscription as defined in the roster (you should still be able to chat presence subscription is Independant from messaging).
I am using "openfire" as xmpp server. And I am implementing the xmpp client in my APP to provide the chat service to all members. The openfire has its own database said db1. My iOS APP also has its own database said db2. How can I sync up the user tables between these two databases (db1 and db2)? For example, when user signup my APP, I would like to create the same account in xmpp server database. And when user login into my APP service, I would like to have user login into xmpp server automatically.
Don't try to synch the databases, you need to write a custom authentication provider for Openfire to use db2.
As for the login, you will just have to login to both at the same time. It can't be done via the other service since that cannot create a connection between you client and the XMPP server.