Applying Security Constraints Liberty for Java - single-sign-on

I have deployed an application to Bluemix, created a Single Sign-in Service, and Bound the service to the application.
The Help Documents tell me I should now: "To complete the configuration of the application, you must add security constraints."
We do not have anyone with these skills in our organisation. Is this something that IBM can help us with, even if it's on a billable basis?

Security constraints are not specific to Liberty or Bluemix. They are a way to define access to URL mappings using web.xml. If you google "Java EE security constraints", you should find a lot of useful information. See this blog post for a basic definition in relation to Bluemix.
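As an added illustration (not part of the original answer, and not IBM's sample), the following shows what security constraints look like in web.xml and checks them with a small Python audit. The descriptor, its role names and its paths are constructed; mapping roles to SSO users is server-side configuration and is not shown.

```python
import xml.etree.ElementTree as ET

NS = {"ee": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample web.xml; role names and paths are hypothetical.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>app-user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>report-admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>app-user</role-name></security-role>
</web-app>"""

def audit(xml_text):
    """Return (rules, warnings); each rule is (url-pattern, roles, methods)."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall("ee:security-role/ee:role-name", NS)}
    rules, warnings = [], []
    for sc in root.findall("ee:security-constraint", NS):
        roles = [r.text.strip() for r in sc.findall("ee:auth-constraint/ee:role-name", NS)]
        for wrc in sc.findall("ee:web-resource-collection", NS):
            methods = [m.text.strip() for m in wrc.findall("ee:http-method", NS)]
            for p in wrc.findall("ee:url-pattern", NS):
                pat = p.text.strip()
                rules.append((pat, roles, methods))
                if methods:  # listing methods leaves all other methods outside this rule
                    warnings.append(f"{pat}: only {methods} constrained by this rule")
        for role in roles:
            # "*" and "**" are reserved role names and need no declaration
            if role not in declared | {"*", "**"}:
                warnings.append(f"role '{role}' has no <security-role> declaration")
    return rules, warnings

if __name__ == "__main__":
    rules, warnings = audit(WEB_XML)
    for pattern, roles, methods in rules:
        print(pattern, "->", roles, methods or "all methods")
    for w in warnings:
        print("WARNING:", w)
```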

Related

Service Fabric .NET Framework services and ApplicationInsights.config endpoints for Azure gov

I have a Service Fabric application that hosts APIs with App Insights enabled. The API services are .NET Framework 4.8 Web API projects and they are native Fabric stateless and stateful services. I don't use the App Insights Service Fabric specific packages, but do have the standard App Insights for Web API packages. I have always been in Azure commercial and logs have worked just fine there.
Now that we are in Azure Gov, the only way to point a .NET Framework app to the Gov App Insights endpoints is by modifying the ApplicationInsights.config file.
So I've modified the file as per MSDN, verified it is deployed with the Fabric deploy package and it's there next to the rest of the DLLs on the VMs. Yet my services still won't log to Azure Gov App Insights instances. Nothing is coming through. We set the instrumentation key programmatically, not in ApplicationInsights.config; could that be an issue? I noticed some of the MSDN examples showed the instrumentation key being included in the config file, but would think that is optional.
Has anyone had experience pointing .NET 4.8 Fabric services to Gov App Insights?
When using a government cloud, you need to use a connection string instead of an instrumentation key.
Important: Sovereign clouds, such as Azure Government, require the use of the Application Insights connection string (APPLICATIONINSIGHTS_CONNECTION_STRING) instead of the instrumentation key. To learn more, see the APPLICATIONINSIGHTS_CONNECTION_STRING reference.
More info here and here.
This ended up being an issue with my Gov configuration file. The MSDN document wasn't very clear on where the new config sections go. It made it look like they are all nested under the top-level node of the config file. Turns out the TelemetryChannel override has to go inside the default TelemetrySinks node. I contacted Microsoft on GitHub about clarifying this in their docs.
Link to the unclear documentation
https://learn.microsoft.com/en-us/azure/azure-monitor/app/custom-endpoints?tabs=net
Link to github issue to get it fixed
https://github.com/MicrosoftDocs/azure-docs/issues/80066
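The placement described in the answer above, as an added example that is not from the original post or from Microsoft's documentation: two constructed ApplicationInsights.config fragments, one with the TelemetryChannel at the top level and one with it inside the default sink, plus a pre-deployment check that tells them apart. The endpoint value is a placeholder and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

AI = "{http://schemas.microsoft.com/ApplicationInsights/2013/Settings}"

# Constructed configs; the endpoint is a placeholder, not a real address.
MISPLACED = """<ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings">
  <TelemetryChannel>
    <EndpointAddress>https://telemetry-endpoint.example/v2/track</EndpointAddress>
  </TelemetryChannel>
  <TelemetrySinks>
    <Add Name="default"/>
  </TelemetrySinks>
</ApplicationInsights>"""

NESTED = """<ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings">
  <TelemetrySinks>
    <Add Name="default">
      <TelemetryChannel>
        <EndpointAddress>https://telemetry-endpoint.example/v2/track</EndpointAddress>
      </TelemetryChannel>
    </Add>
  </TelemetrySinks>
</ApplicationInsights>"""

def channel_endpoints(xml_text):
    """Map each TelemetryChannel EndpointAddress to where it sits in the file."""
    root = ET.fromstring(xml_text)
    found = {}
    for ch in root.findall(f"{AI}TelemetryChannel"):
        found["top-level"] = ch.findtext(f"{AI}EndpointAddress")
    for sink in root.findall(f"{AI}TelemetrySinks/{AI}Add"):
        ch = sink.find(f"{AI}TelemetryChannel")
        if ch is not None:
            found[f"sink:{sink.get('Name')}"] = ch.findtext(f"{AI}EndpointAddress")
    return found

def default_sink_overridden(xml_text):
    """True only when the override sits inside the default sink, as the answer describes."""
    return "sink:default" in channel_endpoints(xml_text)

if __name__ == "__main__":
    for name, cfg in (("MISPLACED", MISPLACED), ("NESTED", NESTED)):
        print(name, channel_endpoints(cfg), default_sink_overridden(cfg))
```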

Authentication and authorization using Google login in Drools' business-central

My organization has decided to use Drools as a decision management framework. We are using the new UI business-central which is deployed as a WAR file in WildFly server for managing the rules and the assets related to the rules.
We have licensed Gsuite for our emails and other activities. We want to use Google login for the users of the business-central system instead of the username and password-based auth provided.
One way to do it is by using a Keycloak server which will provide us a way to manage users and authentication. But we do not want to maintain an extra server just for authentication.
Can someone please help me in achieving this authentication? Also, it would be helpful if I can know in advance the pitfalls of such a type of authentication approach.
Here are the version details for the drools system:
Java: openjdk version "1.8.0_242"
Drools: 7.33.0.Final
After doing a lot of trial and error and quite a bit of googling around, I have reached the conclusion that providing social login in business-central should be done via Keycloak if you are using WildFly.
There are a lot of security-related features that you will get out of the box, and you won't have to tweak the Drools code and later find out that you have missed a use case.

SPNEGO on Bluemix Liberty

On the Bluemix Liberty feature list, it says Spnego-1.0 is supported. Does anyone have any Bluemix documentation (not plain Liberty, because this would mean I installed the Liberty server on my own enterprise domain) on how to even begin to use this? It seems to me that if SPN are locked down to a domain name, how would this even work for an app running on a domain such as this: "www.ng.bluemix.net"?
Does this mean there is a requirement to have Bluemix infrastructure installed onto our enterprise infrastructure to even begin thinking about Spnego?
SPNEGO makes sense if you're trying to achieve SSO between, say, a Microsoft desktop and, say, a WASaaS (WAS or Liberty) running a web app in a SoftLayer VM behind a private firewall; in that case a SPNEGO solution would work. In a more public setting, OpenID Connect should be considered as an option.
If SPNEGO really needs to be used, see the Liberty documentation. You can then customize a Liberty server.xml file in Bluemix to get this to work. To use a custom Liberty server.xml file, see the info noted under standalone applications.

Typo3 on Bluemix

Is it possible to run a Typo3 application on Bluemix?
I've already seen an approach to run a WordPress application on Bluemix. But does some kind of service or integration exist to do the same with Typo3?
Thank you for your help!
Anything that relies on a persistent file system will not be a good fit for a CF app and would need the extra considerations that you've already brought up regarding WordPress deployments.

Some questions regarding UDDI

Currently, I am learning SOA and came across UDDI. I have several questions around this and hope someone can help:
By searching the Internet I came across some interesting products, e.g. WSO2 Governance Registry. Is it a UDDI if I only deploy SOAP services to it? How do people find the services then?
I have also come across a product called WSO2 API Manager. It looks like a tool for publishing API/web services. If someone can already find the web services using Governance Registry, what is the use of API Manager?
WSO2 Governance Registry is more about service metadata management. It is mostly about design-time governance and not much about runtime governance. It is a SOA tool. It supports UDDI through jUDDI, but that is not first-class support. WSO2 Governance Registry defines its own database-based meta model.
WSO2 API Management is about runtime management of APIs. It comes with design time tools, to help wrap services as APIs to be exposed to the outside world. However, the key functionality is about the runtime monitoring, management, and security of the API calls via the API Gateway.