I'm looking at exposing separate services inside an application server, and all services need to authenticate with the same API key.
Rather than each request authenticating with the DB individually, I was hoping I could write the authentication service and configuration once, do some caching of the available API keys, and expose that auth service to the other services on the app server (TC, Glassfish, etc). I don't think HTTP loopback is a good choice, so I was looking at Spring Integration, JavaEE, RMI, etc.
There's lots of info available, but it's still not clear to me whether this is something Spring Integration can support, even after reading through some documentation and projects. It looks like Spring assumes you're in-app or MQ based (external MQ or embedded MQ). I'm also not sure if this is something inherently available in EJB implementations with JBoss or Glassfish... It seems like it might be, though.
While MQs seem possible, they seem like overkill for my purpose. I really just need to pass a bean to my authentication service on the same box and get back a bean/boolean saying whether the key was approved or not.
Anyone have some guidance on accomplishing something like this? (or maybe why I'm making the wrong decision?)
You can do it via plain TCP/IP or RMI.
But I don't see a problem with following Micro Service Architecture principles and using the Spring Integration REST ability.
You can always restrict any network access via firewalls and HTTP proxies.
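Since the answer only names the transports, here is an added example (not the asker's or the answerer's code) of what "plain RMI on the same box" can look like together with the key caching the question asks for: the registry and the service are bound to 127.0.0.1 only, the cache holds SHA-256 digests of keys with a TTL instead of raw keys, and the DB lookup, the port 1099 and the demo key are constructed placeholders.

```java
// Added example, not code from the question or the answer: an API-key check exposed to the other
// services on the same box over RMI, bound to the loopback interface only. The DB lookup, port and
// demo key are constructed placeholders.
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.nio.charset.StandardCharsets;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;

public class ApiKeyAuthRmi {
    /** The whole contract the sibling services see: a key in, a boolean out. */
    public interface ApiKeyAuthService extends Remote {
        boolean isValidKey(String apiKey) throws RemoteException;
    }

    /** Listens on 127.0.0.1 only, so the RMI endpoint is never reachable from the network. */
    static final class LoopbackOnly implements RMIServerSocketFactory {
        @Override public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 0, InetAddress.getLoopbackAddress());
        }
        // RMI compares factories with equals()/hashCode() when deciding whether exports share a socket
        @Override public boolean equals(Object o) { return o instanceof LoopbackOnly; }
        @Override public int hashCode() { return LoopbackOnly.class.hashCode(); }
    }

    /** Caches positive answers by key digest, with a TTL, so not every request hits the DB. */
    static final class CachingAuthService implements ApiKeyAuthService {
        private final Predicate<String> dbLookup;   // hypothetical DB query: "is this key digest active?"
        private final long ttlMillis;
        private final Map<String, Long> validUntil = new ConcurrentHashMap<>();

        CachingAuthService(Predicate<String> dbLookup, long ttlMillis) {
            this.dbLookup = dbLookup;
            this.ttlMillis = ttlMillis;
        }

        @Override public boolean isValidKey(String apiKey) {
            if (apiKey == null || apiKey.isEmpty()) return false;
            // Only a digest of the key is held in memory, so a heap dump does not expose raw credentials
            String digest = sha256Hex(apiKey);
            long now = System.currentTimeMillis();
            Long until = validUntil.get(digest);
            if (until != null && until > now) return true;
            // Negative answers are not cached and positive ones expire, so a revoked key stops
            // working once its TTL lapses rather than staying valid until the next restart
            if (!dbLookup.test(digest)) return false;
            validUntil.put(digest, now + ttlMillis);
            return true;
        }
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Strong references: RMI holds exported objects only weakly, so they must be pinned here
    private static Registry registry;
    private static ApiKeyAuthService exported;

    /** Provider side, run once by the authentication module. */
    public static void startServer(int port, Predicate<String> dbLookup) throws IOException {
        // Stubs advertise this host name; it must match the loopback bind or clients cannot connect
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        LoopbackOnly ssf = new LoopbackOnly();
        registry = LocateRegistry.createRegistry(port, null, ssf);
        exported = new CachingAuthService(dbLookup, 5 * 60 * 1000L);
        Remote stub = UnicastRemoteObject.exportObject(exported, 0, null, ssf);
        registry.rebind("ApiKeyAuthService", stub);
    }

    /** Consumer side: what every other service on the box does per request. */
    public static boolean checkFromSiblingService(int port, String apiKey) throws Exception {
        Registry reg = LocateRegistry.getRegistry("127.0.0.1", port);
        ApiKeyAuthService svc = (ApiKeyAuthService) reg.lookup("ApiKeyAuthService");
        return svc.isValidKey(apiKey);
    }

    public static void main(String[] args) throws Exception {
        String activeDigest = sha256Hex("demo-api-key");     // constructed stand-in for the DB
        startServer(1099, activeDigest::equals);
        System.out.println(checkFromSiblingService(1099, "demo-api-key"));
        System.out.println(checkFromSiblingService(1099, "wrong-key"));
    }
}
```

Two details are worth keeping whatever transport you end up with: the `java.rmi.server.hostname` property has to match the loopback bind, otherwise the stubs point clients at the machine's external address where nothing listens; and an RMI endpoint deserialises whatever arrives on its socket, so keeping it off the network (and, on Java 8u121+/9+, adding a `jdk.serialFilter` allow-list) is part of the design rather than an afterthought.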
I have a Spring application, and I have enabled JMX for some beans. For each bean I have at least a get operation and a set operation. I have read a little about Jolokia, and it provides an HTTP bridge between you and JMX. It provides a way to send GET requests to read the value of managed beans, and POST requests to set them as well.
I'm wondering if either Jolokia ships with a way to autogenerate a web page where you can read/write your managed beans from, or if there is already a tool for this.
For example, let's say Jolokia has this capability. So then, if you go, per se, to localhost:8080/jolokia/dashboard, you will see an autogenerated web page like this:
beanName1: value1 EditButton1
beanName2: value2 EditButton2
.
.
beanNameN: valueN EditButtonN
I think it could be such a nice tool, and it can be autogenerated. VisualVM does this in a great way, but on an HTTP basis it could be really good to monitor your application from your mobile anywhere.
If you really want just a simple web ui for jmx management, have a look at https://github.com/lbovet/jminix
I was able to accomplish this by using JMinix
I have a Jersey based server that I want to secure with OAuth 2.0. There are two paths that I've seen as common:
Oltu - It is compatible with Jersey and seems to be supported, although not as well as Spring Security. This 2012 question seems to suggest this is the way to go, but I want confirmation in a 2016 context so I don't implement something that is not as well supported anymore.
Spring Security - It seems to be very popular, but this path implies changing the server into a Spring based MVC. I don't know if that is something recommendable based on the benefits of using something as widely supported as Spring and the cost of the refactoring.
By support I mean a project that is in continuous development, with a well-established community with tutorials, materials and some client libraries (web, mobile, server) already available.
Which one is a stronger option? Is there another option or options?
In any case. Is there a good reference material or tutorial to start implementing this?
UPDATE
After a few hours of reading and understanding about both the OAuth providers I mentioned, I feel Apache Oltu's documentation did not guide me much, as there are key components that aren't documented yet, but an example gave me a better picture of how Oltu must be implemented. On the other hand, going through Spring Security's material I got to know that it can still be built on a non-Spring MVC based Java project. But there is limited exposure of implementations/tutorials on Spring Security on a non-Spring based project.
Another approach:
I came up with an architecture that might be more stable and would not care about the implementation details of the inner server (the one already implemented using Jersey): having a server dedicated to security purposes (authorizing, authenticating, storing tokens in its own database, etc.) in the middle that acts like a gateway between the outside world and the inner server. It essentially acts as a relay and routes the calls back and forth, and ensures that the client knows nothing about the inner server and both entities communicate with the security server only. I feel this would be the path to move forward as:
Replacing with another security provider just means plugging out the security server implementation and adding the new one.
The security server cares nothing about the inner server implementation and the calls would still follow the RESTful standards.
I appreciate your suggestions or feedback on this approach.
Apache Oltu supports OpenID Connect but its architecture is bad. For example, OpenIdConnectResponse should not be a descendant of OAuthAccessTokenResponse because an OpenID Connect response does not always contain an access token. In addition, the library weirdly contains a GitHub-specific class, GitHubTokenResponse.
Spring Security is famous, but I'm afraid it will never be able to support OpenID Connect. See Issue 619 about the big hurdle for OpenID Connect support.
java-oauth-server and java-resource-server are good examples of Jersey + OAuth 2.0, but they use a commercial backend service, Authlete. (I'm the author of them.)
OpenAM, MITREid Connect, Gluu, Connect2id, and other OAuth 2.0 + OpenID Connect solutions are listed in Libraries, Products, and Tools page of OpenID Foundation.
**UPDATE** for the update of the question
RFC 6749 (The OAuth 2.0 Authorization Framework) distinguishes an authorization server from a resource server. In short, an authorization server is a server that issues an access token, and a resource server is a server that responds to requests which come along with an access token.
For a resource server, API Gateway is one of the recent design patterns. Amazon, CA Technologies, IBM, Oracle and other companies provide API Gateway solutions. API Gateway architecture may be close to your idea. Some API Gateway solutions verify access tokens in their own ways (because the solutions issue access tokens by themselves) and other solutions just delegate access token verification to an external server (because the solutions don't have a mechanism to issue access tokens). For example, Amazon API Gateway is an example that delegates access token verification to an external server, which Amazon has named custom authorizer. See the following for further information about custom authorizer.
Introducing custom authorizers in Amazon API Gateway (AWS Blog)
Enable Amazon API Gateway Custom Authorization (AWS Document)
Amazon API Gateway Custom Authorizer + OAuth (Authlete article)
If an authorization server provides an introspection API (such as RFC 7662) that you can use to query information about an access token, your resource server implementation may be able to replace (plug out and add) the authorization server it refers to comparatively easily.
For an authorization server, gateway-style solutions are rare. That's because such a solution must expose all the functionality required to implement an authorization server as Web APIs. Authlete is such a solution, but I don't know of others.
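To make the "plug out and add" point concrete, here is an added example (not the answerer's code, and not from Authlete, Jersey or any other product named above) of a Jersey resource server that checks a Bearer token through an RFC 7662 introspection endpoint. Because the only coupling to the authorization server is that URL plus the resource server's own credentials, swapping authorization servers becomes a configuration change. The endpoint URL, the client id/secret, the audience and the scope are placeholders, and the block assumes Jersey 2.x with the JSON-P (javax.json) module on the classpath.

```java
// Added example, not code from the answer or from any product it names: a JAX-RS 2.x request
// filter for a Jersey resource server that validates a Bearer token with an RFC 7662 introspection
// call. Endpoint URL, client id/secret, audience and required scope are placeholders.
import java.io.StringReader;
import java.time.Instant;
import java.util.Arrays;

import javax.annotation.Priority;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.json.JsonValue;
import javax.ws.rs.Priorities;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class IntrospectionFilter implements ContainerRequestFilter {
    static final String INTROSPECTION_URL = "https://auth.example.test/oauth2/introspect"; // placeholder
    static final String RESOURCE_ID = "jersey-api";   // placeholder: our client id and the expected "aud"
    static final String REQUIRED_SCOPE = "api:read";  // placeholder

    enum Decision { ALLOW, INVALID_TOKEN, INSUFFICIENT_SCOPE }

    // RFC 7662 section 2.1: the resource server must authenticate itself to the introspection endpoint
    private final Client client = ClientBuilder.newClient()
            .register(HttpAuthenticationFeature.basic(RESOURCE_ID, System.getenv("RS_CLIENT_SECRET")));

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            ctx.abortWith(challenge(Response.Status.UNAUTHORIZED, "invalid_request"));
            return;
        }
        String token = auth.substring(7).trim();

        JsonObject info;
        try {
            String body = client.target(INTROSPECTION_URL)
                    .request(MediaType.APPLICATION_JSON_TYPE)
                    .post(Entity.form(new Form("token", token)), String.class);
            info = Json.createReader(new StringReader(body)).readObject();
        } catch (RuntimeException e) {   // ProcessingException, WebApplicationException, JsonException
            // Authorization server unreachable or answered with an error: fail closed, never open
            ctx.abortWith(Response.status(Response.Status.SERVICE_UNAVAILABLE).build());
            return;
        }

        switch (decide(info, REQUIRED_SCOPE, RESOURCE_ID, Instant.now().getEpochSecond())) {
            case INVALID_TOKEN:
                ctx.abortWith(challenge(Response.Status.UNAUTHORIZED, "invalid_token"));
                return;
            case INSUFFICIENT_SCOPE:
                ctx.abortWith(challenge(Response.Status.FORBIDDEN, "insufficient_scope"));
                return;
            default:
                ctx.setProperty("oauth.subject", info.getString("sub", null)); // for resource methods
        }
    }

    /** Pure policy check, kept free of I/O so it can be unit tested against canned responses. */
    static Decision decide(JsonObject info, String requiredScope, String audience, long nowEpochSeconds) {
        if (!info.getBoolean("active", false)) return Decision.INVALID_TOKEN;
        // "active" alone is not enough: also honour exp and aud when the server reports them
        if (info.containsKey("exp") && info.getJsonNumber("exp").longValue() <= nowEpochSeconds) return Decision.INVALID_TOKEN;
        if (info.containsKey("aud") && !audienceMatches(info.get("aud"), audience)) return Decision.INVALID_TOKEN;
        boolean hasScope = Arrays.asList(info.getString("scope", "").split(" ")).contains(requiredScope);
        return hasScope ? Decision.ALLOW : Decision.INSUFFICIENT_SCOPE;
    }

    // RFC 7662 allows "aud" to be a single string or an array of strings
    static boolean audienceMatches(JsonValue aud, String expected) {
        if (aud.getValueType() == JsonValue.ValueType.STRING) return ((JsonString) aud).getString().equals(expected);
        if (aud.getValueType() == JsonValue.ValueType.ARRAY) {
            return ((JsonArray) aud).getValuesAs(JsonString.class).stream().anyMatch(s -> s.getString().equals(expected));
        }
        return false;
    }

    // RFC 6750 section 3: tell the client why the bearer token was rejected
    private static Response challenge(Response.Status status, String error) {
        return Response.status(status)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"" + RESOURCE_ID + "\", error=\"" + error + "\"")
                .build();
    }
}
```

Two checks beyond `active` are worth the extra lines: `exp`, so the token is judged against this server's clock even if the introspection response was cached or is stale, and `aud`, so a token minted for a different resource server is not accepted here. The filter fails closed when introspection is unreachable; if that round trip is too slow per request, cache introspection results for a period shorter than the token lifetime rather than skipping the call.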
I think it's far simpler to use the OAuth connectors that are implemented inside Jersey itself!
Have you considered using Jersey's own OAuth server/client (already linked inside Jersey)?
https://eclipse-ee4j.github.io/jersey.github.io/documentation/latest/security.html#d0e13146
Please take a look at:
16.3.2. OAuth 2 Support
Hope this helped. :)
I've got a question about hawt.io security.
I've installed hawt.io as a web application (currently it's embedded Jetty, but we have an option to use Tomcat in embedded/regular mode as well).
Hawt.io visualizes the JMX MBean tree of the same process; we don't connect to remote servers, everything is local.
What I would like to do is find the best way to provide an authentication and authorization mechanism to be used:
User authentication: should preferably be done via LDAP
User authorization: some users can gain full access to all MBeans; others are restricted from executing MBean operations and may only read attributes.
I thought that I could install a web filter (in Jetty I can do it outside the web.xml) and check requests, but since hawt.io uses the POST method to communicate with its internal Jolokia, the identifier of the operation being executed is inside the request body, so I don't really have access to it from within the web filter, since in Java Servlets the request body can be read only once. I know I can provide a 'fake request', but maybe there is a better solution.
Maybe someone can provide relevant configuration snippets for such an installation. Thanks a lot in advance.
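The "body can be read only once" problem described in the question is usually solved with exactly the kind of wrapper the asker calls a 'fake request': it buffers the body and replays it to the next consumer. As an added example (not code from the question, from hawt.io or from Jolokia), the filter below does that and maps the Jolokia request type to a container role. It assumes Java 9+, the Servlet 3.1 API, JSON-P (javax.json) on the classpath, that the filter is mapped to the same /jolokia/* pattern as the Jolokia servlet, and that Jetty's LDAP login service has already authenticated the user and supplies the jmx-admin and jmx-reader roles (both names are placeholders).

```java
// Added example, not code from the question or from hawt.io/Jolokia: a servlet filter that buffers
// the POST body once so the Jolokia request type can be inspected and mapped to a container role.
// Role names and the "/jolokia/*" mapping are assumptions; the container is assumed to authenticate.
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;

import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonValue;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class JolokiaRoleFilter implements Filter {
    // Jolokia request types that only observe state; exec, write and anything unknown change it
    static final Set<String> READ_ONLY_TYPES = Set.of("read", "list", "search", "version");
    static final String ADMIN_ROLE = "jmx-admin";    // assumed role names, mapped from LDAP groups
    static final String READER_ROLE = "jmx-reader";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        if (http.getUserPrincipal() == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }

        HttpServletRequest forward = http;
        Set<String> types;
        if ("POST".equalsIgnoreCase(http.getMethod())) {
            CachedBodyRequest cached = new CachedBodyRequest(http);
            forward = cached;                             // Jolokia later reads the buffered copy
            types = typesFromJson(cached.bodyAsString());
        } else {
            // Jolokia also accepts GET with the type as the first path segment (/jolokia/exec/...),
            // so a filter that only inspects POST bodies would not enforce the read-only rule
            types = Set.of(firstSegment(http.getPathInfo()));
        }
        boolean mutating = !READ_ONLY_TYPES.containsAll(types);
        boolean allowed = http.isUserInRole(ADMIN_ROLE) || (!mutating && http.isUserInRole(READER_ROLE));
        if (!allowed) { out.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        chain.doFilter(forward, res);
    }

    /** Collects "type" from a single Jolokia request object or from every element of a bulk array. */
    static Set<String> typesFromJson(String body) {
        Set<String> types = new HashSet<>();
        try {
            JsonValue v = Json.createReader(new StringReader(body)).read();
            if (v.getValueType() == JsonValue.ValueType.OBJECT) {
                types.add(((JsonObject) v).getString("type", "unknown"));
            } else {
                for (JsonObject o : ((JsonArray) v).getValuesAs(JsonObject.class)) types.add(o.getString("type", "unknown"));
            }
        } catch (RuntimeException e) {
            types.add("unknown");                         // unparsable body: fail closed
        }
        return types;
    }

    /** "/exec/a:type=b/op" -> "exec"; a missing segment is treated as unknown (denied to readers). */
    static String firstSegment(String pathInfo) {
        String[] parts = pathInfo == null ? new String[0] : pathInfo.split("/");
        return parts.length > 1 && !parts[1].isEmpty() ? parts[1] : "unknown";
    }

    /** Reads the body exactly once and replays it to whoever asks for it later. */
    static final class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        CachedBodyRequest(HttpServletRequest req) throws IOException {
            super(req);
            body = req.getInputStream().readAllBytes();
        }
        String bodyAsString() { return new String(body, StandardCharsets.UTF_8); }
        @Override public ServletInputStream getInputStream() {
            ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener listener) { }
            };
        }
        @Override public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The GET branch is the part most often forgotten: Jolokia accepts the same operations as URL path segments, so inspecting POST bodies alone leaves a read-only user able to reach exec. Unknown or unparsable requests are deliberately classed as mutating, so a reader gets 403 rather than the filter guessing in their favour.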
For role based authorization you can query up-front if the user has access to a given mbean/operation/attribute. If you implement this interface
you can probably integrate with some server-side authorization for JMX. By default hawtio uses a dummy implementation that lets everything through. This all was originally designed to work with the JMX guard stuff implemented for Apache Karaf which exposes the same mbean but actually does restrict access via ACL configuration. Anyways, the client-side javascript is set up to locate this mbean by scanning for "type=security;area=jmx", just set a higher 'rank' attribute in your mbean and the javascript will use it.
I am using ActiveMQ to connect a number of application modules written in Java.
I eventually would have a web interface for the application, developed in either Grails, Struts2, or Rails.
My 2 main concerns are:
to have an external security module that is not bound to the Web Framework in use.
to have an independent security db
Any recommendations for this Architecture?
You should place all your components behind a firewall. Then you wouldn't need to worry about any kind of security for ActiveMQ. If not a firewall, you should have a way to whitelist your components so only you can connect to them.
For the database, I recommend having one user that reads data and one that writes data. Separating these permissions puts you one step further from someone deleting your data.
You need to secure both parts of your application. For the first part go with Amir Raminfar's answer, and ensure that you're running on secure servers. Also make sure to use whatever security features are built into MQ to allow the components to communicate securely. For web security there is no good way I know of to have a framework-agnostic security setup. An option for you may be Spring Security. You should be able to integrate it with Struts, and there is a Grails plugin. This should make it easier to do security in a relatively common way whether you use Struts or Grails, but you will probably not be able to easily use Spring Security from Ruby.
I've been tasked with creating a Security Proxy service. The idea is that if the backend security provider changes there is no impact on the main application. This ideally is what the backend security provider is for, but I have been tasked with creating a separate service which will effectively be a proxy to the backend security provider.
I don't want to have to write a complete security module to do something that is already done by a dozen services. I want to be able to set up a service that can be updated if need be.
I am wondering if anyone knows of a solution which can take care of this with minimal coding/configuration?
Any help would be useful, if you want more information please comment and I'll try and enrich as best I can.
[Front end is Tomcat Web Application written in Java (and GWT), Spring Security is preferable]
[Backend is SiteMinder (at the moment)] http://www.ca.com/us/internet-access-control.aspx
[I have been looking at CAS but wanted to ask a learned community before deciding how best to proceed]