I have a need to provide a secure connection to Redis from my microservices.
So if I want to add the ability to support authentication so that a client can send an AUTH command with a password. See http://redis.io/topics/security
How can I do this with the Spring Data Redis implementation?
Just set the password on LettuceConnectionFactory or JedisConnectionFactory, depending on which driver you're using. If you use Spring Boot, set spring.redis.password=… in your application configuration (see Common application properties.
With the latest version of Jedis client, setting the password to the JedisConnectionFactory is deprecated. Therefore you should set the Redis authentication password to the RedisStandaloneConfiguration, RedisSentinelConfiguration or RedisClusterConfiguration.
Related
I want to use keycloak as openId Connect implementation via docker with a postgres db.
I could not find a resource where it is documented whether keycloak stores user data encrypted. Only passwords seem to be hashed.
Postgres provides pgcrypto as a way to execute encryption and decryption at runtime.
Is there a way to enable crypto for user data with keycloak?
Keycloak provides an option called User Storage SPI https://www.keycloak.org/docs/latest/server_development/#_user-storage-spi
With this, you can build a bridge between keycloak and your DB.
You will have the freedom to store your data in DB as per your convenience and when keycloak invokes the User storage SPI method you will have to return as per keycloak's specifications.
I have managed to set up a Keycloak server embedded in a Spring Boot Application successfully, following this tutorial:
Keycloak Embedded in a Spring Boot Application
in order to avoid setting it up manually.
Since I am dealing with an old implementation that already has it's own DB, I decided to use Keycloak's User Storage SPI to connect to an external postgresql DB and use this for authentication instead of Keycloak DB.
To do this, I followed the tutorial on Keycloak documentation, but it envolves a standalone Keycloak server, creating a .jar with the custom provider and injecting it to <pathToKeycloak>/standalone/deployments/.
I have created an implementation that works with a standalone Keycloak server, but now I want to include it to the embedded one. Is it possible to use a Keycloak server Embedded in a Spring Boot Application and also have an embedded custom User Storage Provider, to avoid setting up manually?
If you have already implemented the provider and the provider factory, you only need to declare the provider factory class in the resources/META-INF/services/org.keycloak.storage.UserStorageProviderFactory file.
Then you can log in to the administration console and enable user storage provider on the User Federation page.
I have a spring application running on Jboss. I have passwords that I dont want to store in the DB. Those passwords are used inside the application code e.g. Email account password to send emails via Java mail API.
I would like to store the passwords in the JBoss Vault.
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html/how_to_configure_server_security/securely_storing_credentials#password_vault
My question is does this tool have a java API? Can I store and retrive the password inside my application code?
I know that I can call the vault.bat from my java code, but I was checking for a better idea.
The Vault mechanism
Hello, so you can use the Vault to encrypt the data that are appear on the configuration files of JBoss. You can use for example to encrypt the DB password that you use on the standalone.xml configuration. It is not an API perse.
Application Encryption
That vault mechanism is not appropriate to encrypt application side data, you will need to do this you can follow the answer provided by Johannes Brodwall seems very complete and the complementary answer by user1007231 will help you with the Master password.
Credential Store
As the Guide Suggests on 3.1 Credential Store, it is recommended to use a Credential Store.
We have an application that is deployed into CloudFoundry/Bluemix. The application reads its database connections from the VCAP_SERVICES environment variable. The db password stored in the environment variable is encrypted and we decrypt it when the application boots up.
We are looking at Spring Cloud Service Connectors. Do the cloud connectors provide any hook, so that we can decrypt the password from VCAP_SERVICES before the DataSource instance is created?
Why do you want to do this? Where does the app get its decryption key from? If it's hard-coded in the app, that's an antipattern that will make it hard to rotate the key. If it's through an environment variable, then it's no more secure than storing the database credentials unencrypted as services in Cloud Foundry - services in CF are nothing more than domain-specific groups of environment variables. I can't see that encrypting them adds any security.
To answer the question: Not out-of-the-box, but you could probably intercept the flow of Spring components that act on the environment variables that Cloud Foundry provides to your app.
The abstract class that creates ServiceInfo instances is CloudFoundryServiceInfoCreator. You could look at maybe providing a custom implementation of this? There is a blog post describing how Spring Cloud Connectors works. You might be able to extend CloudFoundryConnector too.
I am current using spring security oauth2 and configured the oauth2 as using the clients from inMemory, how to get the client id/client secret from mongodb and use mongodb as the store for the client details and how to configure spring oauth2 using that.
One approach I was thinking was to use mongo template to read the client details and configure the inMemory client details using those values. Will this be a way to go about this?
Is there another way to get client details from mongodb and configure the clients for spring security oauth2?
Try
this link. You will have to create custom client details storage along with custom access and refresh token implementation.