I'm completing a python grpc server function-wise and being ready for deployment. Thusfar I have unsecure communication (pretty much the helloworld example when it comes to security). I thought I could put in place an authentication mechanism for my server in a reasonable amount of time after I observed that there was some documentation on this very topic provided by google. Closer investigation let me to believe otherwise.
The case is simple: Users (fellow colleagues of mine) login to their company mail (gmail) and use the resulting token (JWT, OAuth, OAuth2, I don't care) to gain access to the grpc server I wrote. No one else gets in.
Since googling grpc+authentication has been fruitless so far I believe I'm on the wrong track on how I should approach this kind of problem. So therefore the questions:
Given this use case, should my grpc server have any concern with authentication? If so, are there examples? Or should this be handled by a different system? If so, what system?
I noticed a lot of articles mentioning Envoy+gRPC. Can Envoy help me out here? Is it designed to deal with this?
The gRPC authentication can follow the same approach of a normal HTTP, the only thing you need to have in mind is that the authentication check would be placed in an gRPC interceptor and you will be looking at the metadata to get the creadentials. Unfortunately, I don't have an example to do it with Python but you can search in "how to add gRPC Server interceptors in Python" and then "how to work with gRPC metadata in Python"
Here an example in Golang, maybe it can give you the idea
Related
This may be a very simple issue but is (I think) complex to explain so, please bear with me.
We have a WCF API (written in C#) on our server which attaches to third-party APIs (a sort of one-stop place, if you will). These use a mixture of OAuth and certificates for security. The idea is that we don't have to put (the third party) certificates / security on all of our servers, just the one.
Therefore, the plan is for an application on one server to call the API on this server which calls the third-party API. This seems to work for all but one third-party.
If I use the Visual Studio (2017) inbuilt WCF Test Client on our API, it works fine. If I try to use our API from another application (by adding a service reference) even on the same server it fails with the above message.
Our API does not (yet) use https.
The plan is for use to release our API to others so we can't share any certificates / logins with them - this is the underlying reason for our API.
I have done a lot of Googling about this and all of the answers seems to point to the certificate has to be on the calling application which would seem to defeat the object of our "catch all" API
I have probably not explained this very well - sorry. Maybe the issue could be summed up as "how do I stop the security being "passed down" to the calling application?"
Seems that the culprit was the Application Pool Identity that "Our" API was running under. I changed that and now everything works as I would expect it to :)
I have a Spring-boot web application that uses Apache Shiro for security management. The web application also uses the Atmosphere framework for socket communication.
Whilst working with it I have a requirement to authenticate a user who is currently logged in when I receive /socket request to atmosphere. However, when trying to access the Shiro Subject I get the following error:
No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
I also have a filter added to my SecurityManager for /socket. Regardless, I continue to get the above error when I try to authenticate the user with atmosphere for socket connections.
I have searched up quite a lot on the web and haven't found an answer that explains what's happening thoroughly. I found many posts that mentioned something about the thread pool used by atmosphere is different from that which is allocated to servlet requests. Thus, async requests that reach atmosphere have no context of the original user. I also read a workaround here, which is quite old. I tried some of the things mentioned in the comments too.
Note: I am a newbie to the Spring, Shiro and Atmosphere frameworks. I understand things in a more systems-level perspective.
I would highly appreciate if I can get some explanation (or some link that might help) as to what is happening with each of these things and why it is producing the error above. Most of the online material I have read regarding this seems to be very vague and does not cover as an exclusive answer.
If I am not mistaken when the Spring application launches it also loads the Shiro and Atmosphere, related classes. The requests arrive at the Apache server and are delegated to a class based on annotations. Spring/Apache stores per request info (some cookie or session token) and subsequent requests are mapped according to this. However, the information stored between requests that hit the Atmosphere related (ex: onRequest) endpoints and the rest are not shared, hence I cannot use the same subject info.
I have sincerely searched a lot trying to understand and would like an elaborate explanation. I hope this question is not regarded unsuitable to the forum.
Thank you
Shabir
Take a look at the doc for Thread Association in Shiro
Your assumption seems correct (guessing as I've never used Atmosphere). The thread pools are different. There are generally two ways to deal with this. Some frameworks allow you to add data to a "context" and you can pull that data out from your running thread (much like a Servlet or Spring context). The other option (assuming you have access to manage the Atmosphere threads), you can wrap them in:
Subject.execute(...)
Does any one have idea about the best way(implantation) to send Bulk Google Cloud Messaging on a Linux server. (Personally I like non-java implementation) Any help, link or suggession appreciated.
Edit
I didn't try any method for bulk messaging. I know there is a php implementation for GCM too, But I like to know what should I consider before go for an implementation. Like, How to handle failed messages, Is there any limitation on http requests goes to GCM server, etc.
Finally, I found the best answer for my own question. We can send a message to 1000 Google could message recipients using one http request. Sending bulk messaging Shouldn't be that much complicated. Any language or tool are capable of sending appropriate http request to the GCM server is enough.
GCM allows you to attach up to 1,000 recipients to a single message,
letting you easily contact large user bases quickly when appropriate,
while minimizing the work load on your server.
As shown by this example, it seems that the server-side code can even be written in C#. This question also confirms that this approach works. Other people seems to be able to setup standalone Java applications, as shown here.
If you have to setup a Linux server to send GCM push notifications, you can freely chose to use C# or Java at your own discretion.
For what concerns C/C++, however, things are a little more complicated. This question (PHP) shows that GCM notifications can be sent using CURL, so I suspect that a "C/C++" implementation using libCurl could be possible. However you'll have to tweak it yourself, given that it does not seem to be the "standard way" to use GCM.
If you are familiar with PHP than implement it in PHP. Since GCM uses only 2 GETs with HTTPS, you can easily implement it in any language, even batch processing with curl (i am using this for testing). You can find the calls here.
Note that you need a curl.exe which is capable of doing HTTPS. The link from Avio's answer shows you how to do that in PHP, stick to that and do not use C++.
Is there a single sign-on solution with completely RESTful API installable on my server? I have looked at OpenAM, which have some of the API available through HTTP/JSON, but not all (and seems too heavy, but if it had all the API, I'd not care).
Do you know of solution for authorization, authentication and identity management that can be used for single sign-on and has all (maybe without setting admin password and such critical issues) its API available though HTTP(S)/JSON?
I have no need for Java API etc., HTTP(S)+CLI for setup is only thing I look for. That is, I doin;t realkly care what the solution is implemented in (no need for Java EE etc.) as far as it does its job and it is secure.
Have you seen Mozilla's new Persona solution built on BrowserID? It does a lot, but it's hard to know if it's sufficient for you without more details about how integrated you need the authorization to be.
You might want to look at Stormpath. They're the largest identify management service (for developers) -- and they are all REST + JSON API backed.
I have been tasked to implement a WCF service that makes use of NetMsmqBinding. I wrote the service and it works fine. The problem is that in the last minute they told me that there will be no Active Directory integration. So I don't know how to configure the security of the service. There is a VPN tunnel between the service's and the client's machines but they do not use the same active directory. Please advice. Any kind of help or tutorials would be appreciated.
The problem is that the service is not always online. That is why using WCF over MSMQ is preferred for this scenario. So I am sending one way messages through MSMQ - which works fine. My only problem is that I am new to WCF and am not familiar with WCF security. I would like to be able to sign and encrypt the messages since the information to be sent to the service is confidential. I would like to make sure that only authorized clients call the service. Any suggestions?
I'm not sure I understand your question so correct me, if I'm wrong. I have recently been woring on a WCF service that was hosted on a computer with no Active Directory available. We secured it using certificates. Is it an option for you? It's pretty painless (if you get past the 'put the certificate in the store and give the correct user access to it' part).
You should be able to take advantage of network transparency.
Use webservices to communicate from one system to the other. You might have to deal with extra latency, but it should still be usable.
Well first, you can use WCF's security, the WS-* stuff. Some info here:
http://blogs.msdn.com/motleyqueue/archive/2007/10/06/complementing-msmq-security-with-wcf.aspx
Second, you might find this blog to be helpful:
http://blogs.msdn.com/johnbreakwell/default.aspx
One of the articles there about cross-domain sending mentions this article (Cross-Enterprise Support):
http://msdn.microsoft.com/en-us/library/ms705127(VS.85).aspx
Which might help you configure it in general.
Thank you, Michael, but this information wasn't helpful...
I found this: http://www.codeplex.com/WCFSecurityGuide/Release/ProjectReleases.aspx?ReleaseId=14070 - a book from "Microsoft Pattern & Practices" which describes in detail the security in WCF - a must-read for every WCF developer.