Thorntail basic authentication [duplicate] - security

As said in the title, is there a way to add application users in the Thorntail WildFly server, much like you would do with the "add-user.sh -a" script in the full server distribution?
I understand you can provide an external configuration file to Thorntail but that seems a bit of overhead just for specifying where users are located.
Thanks

The answer by Thomas Herzog is very good from a conceptual point of view -- I'd especially agree with securing the application using an external Keycloak, potentially with the help of MicroProfile JWT. I'm just gonna provide a few points in case you decide not to.
You can define users directly in project-defaults.yml, like this:
thorntail:
  management:
    security-realms:
      ApplicationRealm:
        in-memory-authentication:
          users:
            bob:
              password: tacos!
        in-memory-authorization:
          users:
            bob:
              roles:
              - admin
The project-defaults.yml file doesn't have to be external to the app; you can build it directly into it. Typically, in your source code, the file will be located in src/main/resources, and after building, it will be embedded inside the -thorntail.jar. It can be external, of course, and if this is something other than a throwaway prototype or test, sensitive data like this should be external.
You can also use the .properties files from WildFly:
thorntail:
  management:
    security-realms:
      ApplicationRealm:
        properties-authentication:
          path: .../path/to/application-users.properties
        properties-authorization:
          path: .../path/to/application-roles.properties
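The properties files referenced above are what add-user.sh writes in a full WildFly distribution. As an added illustration (not part of the answer or of the Thorntail project), the script below generates both files in WildFly's format, where the users file holds HEX(MD5(username ':' realm ':' password)) rather than the plain password, so the YAML no longer has to carry a clear-text secret. It assumes Thorntail's properties-authentication reads the same hashed format as WildFly and that the realm name in the file header matches the security-realm name (ApplicationRealm) in project-defaults.yml; the user "bob" / "tacos!" is the constructed sample from the answer.

```python
import hashlib
from pathlib import Path

# Must match the security-realm name used in project-defaults.yml.
REALM = "ApplicationRealm"


def digest_entry(username: str, password: str, realm: str = REALM) -> str:
    """Return one 'user=hash' line in WildFly's hashed properties format:
    HEX(MD5(username ':' realm ':' password)). The realm is part of the
    digest, so a hash made for one realm is useless for another."""
    digest = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{username}={digest}"


def users_file(users: dict, realm: str = REALM) -> str:
    """Build application-users.properties. add-user.sh writes the
    #$REALM_NAME=...$ header so the server knows which realm the hashes
    were computed for (assumption: Thorntail honours the same header)."""
    lines = [f"#$REALM_NAME={realm}$"]
    lines += [digest_entry(u, p, realm) for u, p in users.items()]
    return "\n".join(lines) + "\n"


def roles_file(roles: dict) -> str:
    """Build application-roles.properties: 'user=role1,role2' per line."""
    return "\n".join(f"{u}={','.join(r)}" for u, r in roles.items()) + "\n"


def write_realm(out_dir: str, users: dict, roles: dict) -> Path:
    """Write both files to out_dir and return the directory path; point
    the 'path:' keys in project-defaults.yml at these two files."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    (out / "application-users.properties").write_text(users_file(users))
    (out / "application-roles.properties").write_text(roles_file(roles))
    return out


if __name__ == "__main__":
    # Constructed sample credentials matching the in-memory example above.
    realm_dir = write_realm("build/realm", {"bob": "tacos!"}, {"bob": ["admin"]})
    print((realm_dir / "application-users.properties").read_text())
    print((realm_dir / "application-roles.properties").read_text())
```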

It depends on what you need the users for. Thorntail creates standalone microservices, which are different from hosted applications in a WildFly server.
Is there a management console in Thorntail?
Yes there is, but I have never used it.
https://docs.thorntail.io/2.2.0.Final/#_management
https://docs.thorntail.io/2.2.0.Final/#_management_console
The users you may be able to create there shouldn't be persistent, because there is no WildFly server installation like the standalone WildFly server installation you are used to; it is all packaged in the jar. A microservice shouldn't need to be configured after its deployment anymore, at least not like this.
How to secure my application?
I would recommend using external user management via Keycloak, which is integrated into Thorntail via the keycloak fraction. With the keycloak fraction you can define security constraints for your endpoints, similar to a web.xml.
https://docs.thorntail.io/2.2.0.Final/#_keycloak
Another way is to use the security fraction, which provides JAAS support for your microservice.
https://docs.thorntail.io/2.2.0.Final/#_security
The configuration is done via the Thorntail-specific project-defaults.yml configuration file, where you can configure the fractions via YAML.
What is a Thorntail fraction?
A Thorntail fraction is similar to a Spring Boot starter dependency, whereby the fraction provides the API for development and bundles the implementation and integration into Thorntail. The fraction is actually a JBoss module which is packaged into the standalone microservice during the re-packaging phase.
Where can I find examples?
See the following links for examples of how to use security in Thorntail. You should take a look at them.
https://github.com/thorntail/thorntail-examples/tree/master/security
Take a look at the src/main/resources/project-defaults.yml, which contains the configuration for Thorntail fractions, and the pom.xml, which defines the used fractions.

Related

How can I use Camunda in my project, but managing the users with my own module

I am in need of using a bpmn2.0 standard engine, and among the options Camunda seemed the best for offering almost everything for free and open-source.
But I don't want to use Camunda's user management and authentication system. I want to use my own module that I have made in NodeJS + MongoDB. From what I was seeing there is a Camunda activatable plugin to use LDAP servers for user authentication.
Will I have to redo my entire module to be an LDAP server?
Should I synchronize user information stored in Mongo on an LDAP server?
Is Camunda the best option or should I think of a NodeJS library? (The libraries I've seen so far have a confusing syntax, so I'd prefer to use the Camunda REST API, but I'm open to recommendations).
Thanks in advance!
Camunda internally uses an IdentityService (Java interface) for group and user management. The default implementation is using jdbc tables to store the data.
The LDAP plugin is an alternative implementation based on that interface that uses LDAP.
You can easily provide a custom implementation of the same interface that uses something completely different for user/group storage and authentication.
But since camunda is a java library/application, all of those will have to be java implementations. If you want to use mongo/node you will have to set up an IdentityService that connects to mongo or uses a node.js REST interface.
This will be custom code, I am not aware of any existing solutions.
There are some examples and forum discussions online if you want to explore further, for example: https://github.com/hashlash/example-camunda-custom-identity-service

How to provide cache level security in Apache Ignite?

I need to restrict one of my Ignite caches with user-level access permissions, but couldn't find the reference for it. Any assistance on this would be very helpful.
Apache Ignite provides only the possibility of authentication with a password out of the box. It is described here:
https://apacheignite.readme.io/docs/advanced-security
In case you require specific security that could grant some access permissions, you can implement the GridSecurityProcessor interface as part of a custom plugin or choose to use a 3rd party implementation (e.g. GridGain).
Apache Ignite does not provide these kinds of security capabilities with its open-source version. As mentioned by @Andrei, you can either implement it on your own or use the commercial GridGain distribution.
Here, you can find steps to implement a custom plugin.
You would need to implement GridSecurityProcessor which would be used to authenticate the joining node using authenticate() and cache level access permissions can be managed using authorize() API.
This blog has more details and custom security plugin source code.
https://www.bugdbug.com/post/how-to-secure-apache-ignite-cluster

Right way to store sensitive credentials for web app

I have a Java web app running on EC2 under Tomcat (a WAR) that requires various sensitive configuration parameters - for example, the credentials associated with various other AWS services. I had been setting these as environment variables, but then discovered that running Tomcat as a service removes almost all environment variables. So currently I use a simple configuration file to store these values.
I don't believe this is a wise choice going forward, however, and would like to find an alternative. What is the right way to handle this kind of sensitive information?
IAM Roles are going to be your best friend here. The official docs here will point you in the right direction. There's also a post on the AWS security blog about it here.

Recommendation on building web services on Linux with minimal dependencies

I need a recommendation for a framework/library for building web services on a Linux system. I have the following requirements:
It should have minimal dependencies, e.g. preferably not require any VM like Java or Mono.
My service implementation should have access to the native system APIs, preferably it should be possible to call C APIs directly.
If possible, the solution should not depend on a large web server installation. As I understand, Axis/C++ would require an Apache server, right? Is there anything that allows for writing some kind of "self-hosted" web service like in .NET (ServiceHost) on Linux? I would really like something that works as a standalone daemon in the end.
The resulting services should be standard-compliant as I need to make cross-platform calls. Most importantly, I need WS-Security.
The solution must be Open Source, the actual licence is less important.
If you have any suggestions, please post (web links would be nice ;-))
Thanks in advance,
Christoph
What about Twisted? http://twistedmatrix.com/trac/

Jackrabbit Security

I started to use Jackrabbit in my project. As I found out, there is no complex LoginModule and AccessManager given. I mean we can find SimpleLoginModule but it is just a mock.
What I need is a simple LoginModule which can be configured, e.g. from a file with users, passwords and groups. I know that I can implement my own classes, but it is hard to believe that after so many years there is no ready solution...
There are a couple of Jackrabbit-based open source / closed source projects out there that use JCR as their reference implementation and have implementations. Most probably you're best off choosing one of them in order to not reinvent the wheel. For a complete list: http://en.wikipedia.org/wiki/Apache_Jackrabbit
Are you running inside an app server or web container? If so, you would usually expect the container to provide a JAAS implementation. For example, for instructions on how to set it up with Jetty, storing user information in a database, a properties file, or LDAP, see:
http://www.eclipse.org/jetty/documentation/current/jaas-support.html