How do you initialize a Solace Binder with Spring Cloud Stream where the connection AUTHENTICATION_SCHEME is AUTHENTICATION_SCHEME_GSS_KRB?
solace:
  java:
    host: tcp://.....
    msgVpn: myvpn
    client-username: username
    apiProperties:
      AUTHENTICATION_SCHEME: AUTHENTICATION_SCHEME_GSS_KRB
      KRB_SERVICE_NAME: HOST
      JaasLoginContext: SolaceGSS
Error Response (403) - No matching configured Authorization Group was found
The error indicates that the Client Authorization is failing. Client Authorization is different from Client Authentication.
Once a client connection to a Message VPN is successfully authenticated, access to the event broker resources and messaging capabilities within that Message VPN must be authorized for the client.
The default authorization method is Internal. It looks like you have set LDAP as the authorization method but there is no matching LDAP group for your client.
You can refer to the Solace documentation for more information on configuring LDAP Authorization.
We use an elytron/token-realm with an elytron/http-authentication-factory and the BEARER_TOKEN mechanism to authenticate users. The system consists of two applications, running in separate WildFly instances. One application remotely invokes EJBs of the other application. We would like the identity of the current user to be propagated over the remote EJB call.
I am trying to set up Identity propagation according to the JBoss documentation.
BEARER_TOKEN is listed as a supported mechanism. The EJB system is configured to use the new HTTP transport (call target is http://server:port/wildfly-services) instead of the remote+http protocol.
I would expect the bearer token to be added as an HTTP "Authorization: Bearer" header by the forwarding server when making the EJB call to the receiving server; however, this does not happen and the HTTP response is 401.
This is the configuration of the forwarding server:
/subsystem=ejb3/application-security-domain=other:write-attribute(name=security-domain,value=ApplicationDomain)
/subsystem=elytron/authentication-configuration=remote-ejb-configuration:add(security-domain=ApplicationDomain)
/subsystem=elytron/authentication-context=remote-ejb-context:add(match-rules=[{authentication-configuration=remote-ejb-configuration}])
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-partner-ejb/:add(host="server",port="8080")
/subsystem=remoting/remote-outbound-connection=remote-ejb:add(outbound-socket-binding-ref=remote-partner-ejb, authentication-context=remote-ejb-context)
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=jwt-http-authentication)
And here is the error seen on the forwarding server side:
Caused by: javax.naming.AuthenticationException: WFHTTP000013: Authentication failed (full response ClientResponse{responseHeaders={Connection=[keep-alive], WWW-Authenticate=[Bearer realm="jwt-realm"], Set-Cookie=[JSESSIONID=0BAxZeBpW-RuStmtGFylfbYBpypUJYsqLMlsrw04.partner-as-76d77b7f5c-6bcb6; path=/wildfly-services], Server=[nginx/1.23.3], Content-Type=[text/html], Content-Length=[77], Date=[Mon, 09 Jan 2023 10:34:00 GMT]}, responseCode=401, status='Unauthorized', protocol=HTTP/1.1})
There is a quickstart showing identity propagation, but it uses SASL authentication, which does not support the BEARER_TOKEN mechanism.
Has anyone had luck with a setup like this?
I'm starting out with Kafka.
I see that I'm able to pass headers when producing messages.
Traditionally one would have a web client (single page app) where the user logs in via some remote OIDC IdP and receives a token. That token is then sent via an "Authentication: Bearer token-here" header to some RESTful backend, where the token is checked for validity and the payload is processed, saved to a database or elsewhere, and something is returned or not.
Now there's Apache Kafka. It has a REST proxy. I can pass headers to the REST proxy and produce messages, or consume them, but I'm interested in the "secure my RESTful JSON API" part.
Currently, without Kafka, I have either an OIDC proxy (using Keycloak, that's keycloak-gatekeeper) that does the filtering of which requests make it to the backend, or I have an OIDC client that does token validation as some middleware function inside the backend. In any case invalid requests don't get "logged" as they would in Kafka, I assume.
Where does OIDC token validation and request filtering fit in the Kafka/Confluent ecosystem?
Assume we have a SPA that talks to the Confluent REST Proxy. Some logged-in user wants to post messages and some non-logged-in user should not be able to.
How do Kafka and/or its tools deal with that scenario?
Kafka commonly uses SASL and other Authorization plugins to prevent access.
Certificates would be distributed amongst clients (here, that is the REST Proxy). You would need other proxies or plugins around that to prevent further access or audit the requests, as with any other web server.
HTTPS certificates would be used to secure traffic to the REST Proxy, but it seems you're asking about something more specific.
There is no reference to OpenID in the documentation, only LDAP RBAC as a commercial offering.
How to implement logout of client side services after idle timeout?
Services are secured by Keycloak + Application gateway.
The gateway is a node.js app which protects the services' URLs using the Keycloak node.js adapter, so that authentication is required on browser access to the URLs (redirect to the login URL).
Services enforce authorization locally by inspecting the roles present in the access token the gateway receives and attaches to the request after successful authentication.
Keycloak is behind the gateway too.
I thought about adding a custom event listener in the Keycloak code which would notify all the services interested in the session timeout event via some message bus.
Thanks in advance.
Keycloak informs all clients participating in a session that gets terminated (by timeout or an explicit logout request). The only prerequisite is that the "Admin URL" is set for the client (see Keycloak admin console, client settings).
Since you're using the Keycloak node.js adapter it should be able to handle the logout request from Keycloak.
See Keycloak Server Administration Guide (look for "Admin URL").
Given that I would create an OAUTH2 authentication server.
Given that I would like to have separate resource servers, exposing REST APIs.
What are the best communication practices between the authentication server and the API servers?
To explain, the OAUTH2 server would be a proxy authenticating the user and forwarding requests to different API servers that are not third party but under the hood of the OAUTH2 proxy, relying on it to know the agent (user) requesting the given command/query.
The simplest would be that the authentication server forwards the user id (which is stored with ACL rules also on each API server) over a secure connection, and that access would be restricted to requests forwarded from the authentication server to the resource API servers.
The auth server would in this case forward the user id, but this seems susceptible to a man-in-the-middle attack (although the firewall on the API servers would be configured to accept requests only from the authentication server).
Another problem would be compromise of the OAUTH proxy, automatically granting any request coming from it.
Are there ready solutions and patterns to deal with this scenario?
Thanks!
Check the User Account and Authentication Service (UAA) from CloudFoundry. Maybe it will help you. It is also available as a stand-alone OAuth2 server.
API Documentation, GitHub
I would like to know whether OSB plays a crucial role in terms of security apart from just behaving as middleware.
Inbound Security
Inbound security ensures that Oracle Service Bus proxy services handle only the requests that come from authorized clients. (By default, any anonymous or authenticated user can connect to a proxy service.) It can also ensure that no unauthorized user has viewed or modified the data as it was sent from the client.
You set up inbound security when you create proxy services and you can modify it as your needs change. For outward-facing proxy services (which receive requests from service consumers), consider setting up strict security requirements such as two-way SSL over HTTPS. For proxy services that are guaranteed to receive requests only from other Oracle Service Bus proxy services, you can use less secure protocols.
For each proxy service, you can configure the following inbound security checks:
Transport-level security applies security checks as part of establishing a connection between a client and a proxy service. The security requirements that you can impose through transport-level security depend on the protocol that you configure the proxy service to use.
For example, for proxy services that communicate over the HTTP protocol, you can require that all clients authenticate against a database of users that you create in the Security Configuration module of the Oracle Service Bus Administration Console. You then create an access control policy that specifies conditions under which authenticated users are authorized to access the proxy service.
Custom authentication for message-level security. Oracle Service Bus supports client-specified custom authentication credentials for inbound transport- and message-level requests. The custom authentication credentials can be in the form of a custom token, or a username and password.
Message-level security (for proxy services that are Web Services) is part of the WS-Security specification. It applies security checks before processing a SOAP message or specific parts of a SOAP message.
Outbound Security
Outbound security secures communication between a proxy service and a business service. Most of the tasks that you complete for outbound security are for configuring proxy services to comply with the transport-level or message-level security requirements that business services specify.
For example, if a business service requires user name and password tokens, you create a service account, which either directly contains the user name and password, passes along the user name and password that was contained in the inbound request, or provides a user name and password that depend on the user name that was contained in the inbound request. For more information, see Section 2.1.15, "Creating Service Account Resources."
If a business service requires the use of PKI technology for digital signatures, or SSL authentication, you create a service key provider, which provides private keys paired with certificates. For more information, see "Service Key Providers" in the Oracle Fusion Middleware Administrator's Guide for Oracle Service Bus.
More info (Oracle Official Documentation):
https://docs.oracle.com/cd/E29542_01/dev.1111/e15866/model.htm#OSBDV1476