I was trying to set up a Zuul proxy using a Spring boot application which can either produce mock response or reaching out to an external endpoint. The communication to the external endpoint uses mutual authentication where we need to present truststore and keystore files. The implementation of SimpleHostRoutingFilter default route filter doesn't seem to have any implementation to present the certs in newConnectionManager() method.
I tried to override that method by extending SimpleHostRoutingFilter, but no luck.
How do we overcome this? Please help
From Spring Cloud Edgware release, there is a way to provide your own HttpClient. If you are using Apache Http Client (it's default), you can create a bean of type ClosableHttpClient. If it is provided as a Spring Bean, SimpleHostRoutingFilter will be created with your own Http client. You can handle any your requirement with this.
You can find the brief note about this here.
You can find the code related to this change here.
Related
The REST API for Kafka Connect is not secured and authenticated.
Since its not authenticated, the configuration for a connector or Tasks are easily accessible by anyone. Since these configurations may contain about how to access the Source System [in case of SourceConnector] and destination system [in case of SinkConnector], Is there a standard way to restrict access to these APIs?
In Kafka 2.1.0, there is possibility to configure http basic authentication for REST interface of Kafka Connect without writing any custom code.
This became real due to implementation of REST extensions mechanism (see KIP-285).
Shortly, configuration procedure as follows:
Add extension class to worker configuration file:
rest.extension.classes = org.apache.kafka.connect.rest.basic.auth.extension.BasicAuthSecurityRestExtension
Create JAAS config file (i.e. connect_jaas.conf) for application name 'KafkaConnect':
KafkaConnect {
org.apache.kafka.connect.rest.basic.auth.extension.PropertyFileLoginModule required
file="/your/path/rest-credentials.properties";
};
Create rest-credentials.properties file in above-mentioned directory:
user=password
Finally, inform java about you JAAS config file, for example, by adding command-line property to java:
-Djava.security.auth.login.config=/your/path/connect_jaas.conf
After restarting Kafka Connect, you will be unable to use REST API without basic authentication.
Please keep in mind that used classes are rather examples than production-ready features.
Links:
Connect configuratin
BasicAuthSecurityRestExtension
JaasBasicAuthFilter
PropertyFileLoginModule
This is a known area in need of improvement in the future but for now you should use a firewall on the Kafka Connect machines and either an API Management tool (Apigee, etc) or a Reverse proxy (haproxy, nginx, etc.) to ensure that HTTPS is terminated at an endpoint that you can configure access control rules on and then have the firewall only accept connections from the secure proxy. With some products the firewall, access control, and SSL/TLS termination functions can be all done in a fewer number of products.
As of Kafka 1.1.0, you can set up SSL and SSL client authentication for the Kafka Connect REST API. See KIP-208 for the details.
Now you are able to enable certificate based authentication for client access to the REST API of Kafka Connect.
An example here https://github.com/sudar-path/kc-rest-mtls
I have 3 applications
old JSP based java app
Spring Boot webapp
SPA
5 java micro services REST API built using Spring Boot
I need to secure all of them at the same time. I have picked keycloak as it seemed like a good idea. As we are using Apache for reverse proxy. We have picked mod_auth_openidc to limit access to services at reverse proxy level.
We have built Extensions for Spring Webapp and old JSP app to use headers provided by mod_auth_openidc to handle active users and aithentication.
At this point now we have run into the issue that the we also secured the APIs using mod_auth_openidc headers. Although this has a serious drawback as APIs can not talk to each other just using JWT tokens as the reverse proxy needs them to be authenticated.
Should we secure the APIs using JWT only instead ?
Any mod_auth_openidc guru knows the best approach to this scenario?
I need the REST API to be able to talk to each other without any user interaction. E.g. only using tokens.
Our webapps ( JSP and SPA ) are always fully secured e.g. the user has to be logged in to access any part of it.
I would appreciate any suggestions.
Thanks
Friends,
Recently I have created one web-services application using spring-boot and now its having few unsecured entry points. (This is a pure rest based application having only rest entry points doesn't have any UI components).
Now I would like to add CAS client with this application for securing the rest entry points.
My CAS server is ready and its up and running. And I have configured CAS Rest protocol as well in my cas server to access TGT/ST through rest call and I'm in the planning of using only the rest call rather than using login pages.
So, when an user tries to access my rest application, I'm going to call CAS rest entry points internally (by using restTemplate) to validate user credentials and generating TGT and ST.
Available CAS entry points are (from jasig reference docs),
POST /cas/v1/tickets HTTP/1.0
username=battags&password=password&additionalParam1=paramvalue
POST /cas/v1/tickets/{TGT id} HTTP/1.0
service={form encoded parameter for the service url}
DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0
I think, I'm little clear on this part. Please correct me if I'm wrong.
And now my query here is, what should I do to add a ST ticket validator in my spring boot application? Do I need to add any filters using spring-security? Or do I need to call any other rest api for validating the ST? Please guide me to proceed further.
You can use existing Spring boot cas starter:
cas security spring boot starter
cas client autoconfig support
That will configure for you and magically your spring boot app with CAS authentication (and thus your application will be able to read ST or PT without effort).
I'm author of cas security spring boot starter, so I won't influence your choice but main difference from that project and cas client autoconfig support developed by Unicon is about Spring security integration.
Indeed cas security spring boot starter is fully compliant with spring security, thus you will be able to use any feature you know from spring security. Whereas cas client autoconfig support will instantiate and configure Apereo (Jasig) filters that is not designed to work out of box with Spring security.
You don't need a service ticket unless you want to call another service from your web service. Validating the received credentials via the CAS REST API is enough.
If you are looking for a security library to protect your web service via the CAS REST API, you should give a try to: https://github.com/pac4j/spring-webmvc-pac4j and especially this configuration: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L74
I have deployed some proxy services in WSO2 ESB because I have to ask the endpoint for several responses (dataset), according to different soap action. Every response must be set in a file, so I set an appropriate sequence in the outSequence of the proxy service, and this sequence writes the soap answer into a file.
In this way i have to deploy a proxy service and a sequence for EVERY soapAction, so i ask: is there a way for deploying a single proxy service for a given web service and using it with several sequences according to the soapaction to perform?
My question was born by the need to implement several scheduled tasks that take a dataset from an endpoint (webService) and write it into a file, but i don't want to deploy so much proxy service for every kind of dataset I have to request to the web service!
I hope my question is clear.
You do not necessarily create a diffrent proxies for each and every soapAction. You can utilize the filter mediator in the OutSequence of single proxy and do the header base routing to relevant VFS endpoint.
So i have a assignment to write some REST client calls to a REST web service which does not exist.
To work around it i created a mock web service using Jersey. But i am not sure what technology the actual REST service would use.
Please advise on what technology should i use to send down the REST calls to the server.
Also if possible also give me a sample of how to send down a XML GET request to the REST service.
Thanks much for the help.
Please advise on what technology should i use to send down the REST calls to the server.
REST is HTTP. You can use anything that sends HTTP requests:
Jersey Client
Any web browser
cURL
telnet
carrier pigeon
...
Also if possible also give me a sample of how to send down a XML GET request to the REST service.
It's just an HTTP GET request. How it's built/generated/sent depends on what library and programming language you're writing the client in. But the actual request itself would look something like this:
GET /foo/bar/baz HTTP/1.1
Host: www.example.com
Accept: text/xml
As far as I know Both Java and .Net environment has the tools to generate WebServices (SOAP and rest). What's your client development language ?
REST :Representational state transfer in simple terms used to send data between client and server . As
Client use some persistent URL for communication and it is stateless communication .
Java uses Jersey, the reference implementation of JAX-RS, implements support for the annotations defined in JSR 311, making it easy for developers to build RESTful web services by using the Java programming language.
So All u have to use for creating services is just some dependencies , bean configuration and some annotations (To Expose Service ) .
For calling REST Service , u can either call from browser . Browsers like (chrome ,mozilla ) provide some plugins to calling REST service or u can create a client to call REST Service .