What's the most secure way to completely disable Cuba REST API, so that I can only use the Portal Module to manually expose endpoints?
You can simply remove rest_api servlet in web and portal (if exists) modules, i.e. delete the following lines from web.xml:
<servlet>
<servlet-name>rest_api</servlet-name>
<servlet-class>com.haulmont.restapi.sys.CubaRestApiServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>rest_api</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
Related
I am a computer science student and have used Quarkus for several projects in the past year.
I recently received a new project where I have to create a rest API. Because I have to do a lot in a short time, I use Quarkus to easily do the job with RESTEasy for my web services.
But this API has to authenticate the user by using Apereo with protocols CAS or SAML2.
Moreover I have no experience in using Java security plugins.
I also searched about how to deal with that by using keycloak, Apereo Jboss client, Apero Spring boot client or by having a service along with Quarkus like a Tomcat that will do the authentication job. But I don't know which one would be the best and even which one would actually work.
Do you have any experience around that ?
Or what could I use to make my Quarkus API work with Apereo ?
Thank you very much for your time and help,
Best regards,
Thomas
Sorry for being late to the party, but I actually did a quarkus - apareo cas integration.
Basically I added quarkus-undertow extension to be able to use src/main/resources/META-INF/web.xml.
Also I used org.jasig.cas.client:cas-client-core:3.6.1 to have the cas filters.
And my web.xml contains something like this:
<context-param>
<param-name>serverName</param-name>
<param-value>${cas.redirect.url}</param-value>
</context-param>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>${cas.login.url}</param-value>
</init-param>
<init-param>
<param-name>ignorePattern</param-name>
<param-value>/proxy/</param-value>
</init-param>
<init-param>
<param-name>ignoreUrlPatternType</param-name>
<param-value>CONTAINS</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>${cas.base.url}</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Saml integration is similar, just use the SAML filters.
For more information on configuration options, please see java-cas-client
Off topic, why do you need to authenticate a API via CAS? It redirects you to that CAS login window, then it redirects you back. you cant use this API via postman or curl. Also an API doesn't store any session about the user, so this redirect dance happens every time. This is not how API's are secured. Web pages or web applications yes, but not API's.
In my lab I was asked to create a simple website using JSF framework and use REST as well. I did some research on those two. It turns out that for REST I have to use JAX-RS framework with Jersey. I was wondering how can I integrate these two frameworks, JAX-RS and JSF?
I've already the below servlet in web.xml for JSF:
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/test/*</url-pattern>
</servlet-mapping>
For Jersey I figured that I have to use the below servlet in web.xml:
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>com.jbm.rest</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
Now my concern is, to me it seems like this Jersey servlet will replace the Faces servlet in web.xml. This will change my application from JSF to JAX-RS. But I want to keep JSF and use JAX-RS as well. How can I do that?
This concern is unnecessary. You can safely have multiple servlets in a single web application, as long as their URL patterns do not clash with each other. Usually, if that were the case, a bit sane servlet container would already throw an exception during webapp's startup. In your case, you've registered the JSF servlet on /test/* (which is a strange, by the way, you usually use *.xhtml for that), and you've registered the JAX-RS servlet on /api/*. So you just have to call them using URLs matching those URL patterns.
And, to clear out a conceptual misunderstanding, you don't and can't "implement REST in JSF" at all. They are completely independent from each other. They can just easily run next each other in the same web application in all peace without knowing about each other. The only thing which they might share is the service layer or 'shared' (CDI) managed beans. But that's usually it. The design of the service layer is in turn independent from who's using it.
This specific problem is not related to JSF nor JAX-RS. It's just basic servlets. It might be as well worth the effort to take a step back to the basics and spend a bit time to learn more about the building stone of basically every Java EE web application.
You cannot directly have both in the same java class or layer.
I implemented it like below
|---> JSF Managed Beans(Inject logic here)
Database --> Daos --> Logic --|
|---> JAX-RS (Inject logic here)
Posting this for anyone trying to do this in XPages, there is a REST Control you can drop onto the page from the component library.
Like binding a ActionListener, you bind a java class to the component and set a url pattern.
See this note:
https://oliverbusse.notesx.net/hp.nsf/blogpost.xsp?documentId=2C4E
and sample app https://github.com/zeromancer1972/simplerest/blob/master/ODP/XPages/index.xsp
Inside a web application, I have 2 web services and 2 servlets. Some of these components are internal so we don't want to limit them but one client facing web services needs to be limited because it can crashes the server if too many clients call it. I have been trying to do it in the web.xml as you can see in the code below with no success unfortunately. The JSP servlet in dispatch properly to the right work manager but the sample web services is going to the default work manager.
<servlet>
<servlet-name>Normaljsp</servlet-name>
<jsp-file>normal.jsp</jsp-file>
<init-param>
<param-name>wl-dispatch-policy</param-name>
<param-value>WorkManager-Global</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>Sample</servlet-name>
<servlet-class>com.mk.sample.WebServiceSample</servlet-class>
<init-param>
<param-name>wl-dispatch-policy</param-name>
<param-value>WorkManager-Endpoints</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Sample</servlet-name>
<url-pattern>sample</url-pattern>
</servlet-mapping>
How can I isolate this last sample web service with its own work manager ?
Thanks,
I am new to jax rs implementation.
I had created RESTFUL application contains the web services using jax rs.
But I want to provide the authentication and authorization to some of the web services.
I am unable to configure the web.xml for the authentication.
Thanks in advance
You can use container-level authentication. For instance, in Apache Tomcat, you can configure HTTP-based authentication (e.g. BASIC, DIGEST, or even FORM-based though the latter does not make sense for APIs).
To configure HTTP BASIC authentication as an example you need to:
define users in a user store and connect Tomcat to it. By default Tomcat provides you with a tomcat-users.xml file which you can use to define users. You could also configure Tomcat to use LDAP as a source
update your web.xml file to add the security-constraint element
update your web.xml to add the login-config element
update your web.xml to add the security-role element
Here's an example snippet:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>basic-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>basic-user</role-name>
</security-role>
Note that there is a great answer already available here too: Easy way for Authentication and Authorization with JAX-RS Jersey
I have an application which exposes a RESTful API using RESTEasy. The user needs to authenticate using HTTP-Basic before any method can be invoked.
However, I want to add a method to the RESTful API which any user can invoke without authenticating. How do I do that? Is there some JAX-RS/RESTEasy annotation that I can add to the method declaration to indicate that authentication is optional for that method.
Thanks.
In your web.xml exclude REST paths, that does not need authentication
<security-constraint>
<web-resource-collection>
<web-resource-name>All Access</web-resource-name>
<url-pattern>/unchecked/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Then your REST resource that does not need authentication should be something like
#Path("/unchecked")
public class NoAuthResource{
}