With AppScale with is there a facility with AppScale to "secure" an application deployed with it, that is for instance an application can only be accessed through some sort of secure connection?
So we won't have to put too much security logic (like Spring security) on the application, especially to those apps that the sole purpose is to provide Restful key-value access to the datastore like this: http://bit.ly/RvLUTw and http://bit.ly/PTZkW. And the purpose is not really a web application but a "datastore appliance."
Sure, since AppScale just runs Google App Engine apps, anything that you do for an App Engine app works when running on AppScale. If by "secure connection" you mean HTTPS, then you could take your app.yaml file and add secure:always on each route to force HTTPS. Here's an example:
handlers:
- url: /youraccount/.*
script: accounts.py
login: required
secure: always
If by "secure connection" you mean authenticated access, you can use the Users API to restrict access to logged in users or users on a white-list. If you need it to be programmatically accessed, you can log in to the AppLoadBalancer via your script (as it has a RESTful interface), save the cookie it gives you, and then use that when you make requests to your app.
Related
I have a question about integrating authentication into my web application.
First let me give the relevant technology background of my web application -
Application/Web Server - Tomcat 8.5
Underlying OS - CentOS 7.x 64-bit
Programming technology - Java Servlets 3.1
JDK version - 1.8
UI technology - Browser based; Developed using Angular2/Javascript/HTML/CSS
Web application users - Targeted at enterprise users
As of now, there isn't an authentication system built into the web application. However as I build this web application, I need to include an authentication module.
My main points to consider as I decide on authentication system/technology are -
I preferably do not want my application to deal with the storage and protection (on disk) of the user credentials
I preferably do not want my application to deal with enforcing password complexity, history, expiration policies etc.
My application will have to provide for -
A login page to allow the user to login
A change password page
A create user page
Based on the above, I am currently thinking of deploying a Windows Server 2016 instance as the Active Directory(AD) server that will hold the credentials for the application users. Note that at this point, this Windows server is not planned to be shared with any other application to support a single sign-on experience across applications.
I am planning to configure my Tomcat server with a JNDI realm to authenticate users (against the AD) and then use some kind of Java AD library that will allow me to create an user and change a user's password in AD via my application's create user and change password page.
My application will support its own custom roles and authorization constraints so i am not looking to use AD's group membership for authorization within the web application.
My questions are -
With the above setup, are there any reference authentication systems/libraries/modules that might be better suited (than AD) to integrate within my web application?
If I go with the above Windows AD server approach then are there any Java (inbuilt or community developed) AD libraries that allow for creating an user in AD, changing user password in AD etc. I have used the JNDI realm before so I am sure that it can be used to authenticate the incoming user against AD
I am not an expert in Spring Security and my web application does not currently use Spring Security but I am open to using it if Spring Security includes a solution to my problem described above.
I am also not worried about supporting single sign-on as such and its totally fine in my scenario if the application users have a separate login for my application.
Since my web application is targeted at enterprise users, I don't want to leverage Facebook authentication. As much as possible I want to ensure that the credentials are maintained in a server within the deployment infrastructure rather than the credentials being hosted and maintained by a 3rd party service
Thank you for your help and suggestions
I've got a question about hawt.io security.
I've installed hawt.io as a web application (currently its embedded jetty but we have an option to use tomcat in an embedded / regular mode as well).
Hawt.io visualizes the JMX mbeans tree of the same process, we don't connect to remote servers, everything is local.
What I would like to do is to find the best way to provide an authentication and authorization mechanism to be used:
User's authentication: should be done preferably via LDAP
User authorization: some users can gain full access to all mbeans, others are restricted to not execute mbean operations, but only read attributes.
I thought that I can install a web filter, in jetty I can do it outside the web.xml and check requests, but since hawt.io uses POST web method to communicate to its internal jolokia, the identifier of the operation execution is inside the body of the request, so I don't really have an access to it from within the web filter since in Java Servlets I can read the request body only once. I know I can provide a 'fake request', but maybe there exists a better solution.
Maybe someone can provide relevant configuration snippets for configuration of such an installation. Thanks a lot in advance
For role based authorization you can query up-front if the user has access to a given mbean/operation/attribute. If you implement this interface
you can probably integrate with some server-side authorization for JMX. By default hawtio uses a dummy implementation that lets everything through. This all was originally designed to work with the JMX guard stuff implemented for Apache Karaf which exposes the same mbean but actually does restrict access via ACL configuration. Anyways, the client-side javascript is set up to locate this mbean by scanning for "type=security;area=jmx", just set a higher 'rank' attribute in your mbean and the javascript will use it.
I have 2 different web applications that uses spring and are running on the same tomcat (maybe later to be separated to different tomcat for each)
My first webapp is a straight forward web application that users can login, create account, and do stuff.
The other webapp is actually executing periodically http requests (rest api) towards the first app.
My problem is i must ensure that these requests are actually legitimately being executed from webapp#2 and not from another hostile requestor.
1) How can i do that?
How can i make sure in webapp #1 that it must serve only requests from webapp #2?
I don't want to rely on IP address alone.
2) Does spring security can help me achieving this?
3) Does authenticating from web app #2 against webapp#1 via the standard spring security authentication mechanism is a viable solution? (username/pass that is only known to both webapps)
For a login you can use a service all form most facing web portal, and once authentication is successfully done than you can transfer on a spring login authenticated page and its pass access for user as well
I'm planning to build a two-tier application, with a back-end (java, possibly spring MVC) which delivers JSON up to a front-end (PHP, Drupal7). I only want the front-end application exposed to the outside world and in a traditional environment I would probably stick the back-end on some ports inside the firewall (assuming both parts run within the FW).
Is this possible to do in the Google App Engine environment?
It's not possible to run GAE inside your firewall. It runs on Google's servers.
You can do basic things like blocking IPs but its not really necessary. Since your 'front end' has the php backend you can call from there your appengine with a secret parameter (as in "myapp.appspot.com?key=sE34sdJSjUy" ) Its very simple security and since no one can see that url (in your php backend), its as good as any other authentication method.
I'm deploying a java application built with spring on a windows network. The network uses Active Directory so the users login to their desktops with their active directory user names.
Now, I'm trying to add a feature so that when the user opens the browser to access this application (which is deployed on the same network) the application automagically picks up their username and authenticates them.
During my research I came across this blog post: http://blog.springsource.org/2009/09/28/spring-security-kerberos/ However, I think this approach might not be required in my scenario since I'm deploying the application to the same windows network.
Question
What could be some ways to simply access the user token so that my web app can authenticate the users?
We use NtlmHttpFilter.
You configure it as a filter in your web.xml, tell it where your domain controllers live, and it pretty much just works. Internet Explorer will provide credentials without you taking any action, Firefox (and I suppose Chrome) will prompt you for a login.