MobileFirst 8: protecting static resources - ibm-mobilefirst

The scenario is: from within a MobileFirst hybrid app, I need to show PDFs that will be residing on the server. For security reasons, I wouldn't like to just protect them by HTTP authentication (in Apache, which I use as a reverse proxy to Tomcat running MobileFirst).
What would be the simplest way to protect static resources by MobileFirst 8 authentication? Can I just configure Tomcat to utilize it, or do I have to code anything in Java? Processing them all the way through adapters (incl. base64-encoding) looks unnecessarily complicated to me.

You should save your files in a "resources server". You can protect this server with a confidential client in MobileFirst Foundation 8.0.
Read more about this, here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/confidential-clients/
But yes, this will require you to implement some code.
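As an added illustration of what that code looks like (this is not code from the page or from the MobileFirst product), the following servlet filter protects a static directory on the resource server: it acts as a confidential client and validates the app's bearer token against the MobileFirst 8.0 token introspection endpoint before letting the default servlet serve the file. The endpoint path, the init-param names, the scope name and the exact WWW-Authenticate challenge format are assumptions to be checked against the MobileFirst documentation and console for your registered confidential client.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Gates a static directory (map it to /pdfs/* in web.xml) behind MobileFirst 8.0
 * access tokens. The filter is a confidential client: it authenticates to the
 * token introspection endpoint with its own ID and secret and asks whether the
 * bearer token the app presented is active and carries the required scope.
 * Assumed: endpoint path, init-param names and challenge header format (not the product's own).
 */
public class MfpIntrospectionFilter implements Filter {
    private static final Pattern ACTIVE = Pattern.compile("\"active\"\\s*:\\s*true");
    private static final Pattern SCOPE = Pattern.compile("\"scope\"\\s*:\\s*\"([^\"]*)\"");

    private String introspectionUrl; // e.g. https://mfp.example.com:9443/mfp/api/az/v1/introspection
    private String clientId;         // confidential client registered in the MobileFirst console
    private String clientSecret;
    private String requiredScope;    // scope the app must have been granted, e.g. "pdf-access"

    @Override
    public void init(FilterConfig cfg) {
        introspectionUrl = cfg.getInitParameter("introspectionUrl");
        clientId = cfg.getInitParameter("clientId");
        clientSecret = cfg.getInitParameter("clientSecret");
        requiredScope = cfg.getInitParameter("requiredScope");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            challenge(response);
            return;
        }
        String body = introspect(auth.substring(7).trim());
        // Dependency-free check of the JSON answer; use a real JSON parser in production.
        // Granted scopes come back as one space-separated string.
        boolean active = ACTIVE.matcher(body).find();
        boolean scopeGranted = false;
        Matcher m = SCOPE.matcher(body);
        if (m.find()) {
            for (String s : m.group(1).split(" ")) {
                if (s.equals(requiredScope)) scopeGranted = true;
            }
        }
        if (!active || !scopeGranted) {
            challenge(response);
            return;
        }
        chain.doFilter(req, res); // valid token: let the default servlet serve the PDF
    }

    /** POSTs token=... to the introspection endpoint, authenticating with HTTP Basic as the confidential client. */
    private String introspect(String token) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(introspectionUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        String creds = Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + creds);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] form = ("token=" + URLEncoder.encode(token, "UTF-8")).getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(form);
        }
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            return "{\"active\":false}"; // anything but 200 is treated as an invalid token
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8); // Java 9+
        }
    }

    /** 401 plus the Bearer challenge (assumed format) that makes the client SDK obtain a token for the scope. */
    private void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Bearer scope=\"" + requiredScope + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml with a url-pattern covering the PDF directory and supply the four init-params; the secret should come from a protected configuration source, not from a checked-in web.xml. The filter never inspects the token itself, so the MobileFirst server remains the only place where token validity and scope are decided, which is the point of using a confidential client rather than re-implementing the check on the resource server.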

Related

Is it possible to run ASP.NET 5 site directly on Kestrel in Azure WebApps?

I have checked that in the web response the server is IIS when I deploy ASP.NET 5 to an Azure web app, so I guess the IIS platform handler is used to redirect it to Kestrel. So I am wondering if it is possible to run directly on Kestrel, and what benefits/drawbacks that will have (probably regardless of whether it's in Azure or not). I suppose it will be a bit faster since IIS will be excluded from the pipeline, but it should not be too much overhead, I suppose...
On Azure Web App, you cannot bypass IIS.
But in the general case, you can definitely run Kestrel directly. It is after all just dnx web and it's exactly what the XPlat version (Linux, OSX) will end-up using (almost).
What you lose from not using IIS
Security (newer component compared to IIS)
Easy setup of SSL
Kernel module that handles file/cache and other things (kernel = faster)
Application monitoring/Keep-Alive (what happens if Kestrel crashes)
Multiple hostnames single-port (80) reuse
etc.
What you gain from not using IIS
Complete control over your process
Higher overall performance
Simpler installation/execution
What you should do if you choose not to use IIS
If you are OK with the "lose" points, I would still go and host your Kestrel behind a reverse proxy or an NGINX server. Kestrel was made to be "production ready" but it's not NGINX or IIS.
It will not keep itself alive as far as I know.
If I missed anything, please let me know.
Your question is a bit ambiguous, as it asks at the same time about Azure Web Apps and about the general case. #Maxime answered the general part, so I'll answer the Azure Web App part.
It is not possible to bypass IIS in Azure Web Apps. Stacks that normally run without IIS are typically handled using HttpPlatformHandler (as is the case for ASP.NET 5), or in the case of Node some variant of that (iisnode).

IBM Worklight: Calling Push Notification Adapter from backend

I have implemented a Push Notification adapter and would like a backend system to call the procedure in order to submit notifications.
With reference to this post, http://server:port/dev/invoke?adapter=adapterName&procedure=procedureName&parameters=1,2,3 can be used, but it works in the development environment only.
At the end of the post it is mentioned that http://server:port/context/invoke?adapter=adapterName&procedure=procedureName&parameters=1,2,3 can be used to invoke the adapter.
(1) May I know whether it is supported in the production environment only? Because it returned "HTTP method GET is not supported by this URL" in the development environment.
(2) Noted that we might need to define securityTest="wl_unprotected" for the adapter, and thus the adapter is not protected. What will be the best way to achieve the goal of a backend system calling the adapter with security control?
In Worklight 5, Worklight Studio uses Jetty within and the usage of a context root is not required. Only once moving your project to an application server such as Tomcat, WebSphere, Liberty, you have to specify it (in worklight.properties and application-descriptor.xml).
So,
in development - no.
in production - yes.
In Worklight 6 where Jetty has been replaced with Liberty, context root is now part of your project whether you are in development or production.
You will have to add the "wl_unprotected" securityTest to your procedure in the adapter XML.
As for protecting the requests, my guess is that your IT department can isolate and protect specific URLs and not allow using them in certain scenarios. You already have the URL structure for them to use.

websockets apache server compatibility

I want to make an app that displays new data whenever it arrives inside a folder via XML. I want to use HTML5 WebSockets but I am confused about how it should be done. I am using XAMPP on my machine for development. Do I have to install another server to use WebSockets? Is Apache compatible as it is, and if yes, how do I make the connection with the client? Thank you in advance.
Your options are:
Use something like mod_websocket, as pointed out by Phillip Kovalev. Or pywebsocket. You could also try PHP WebSocket.
Use a dedicated self-hosted realtime web technology for realtime communication between server and client. If you do this you'll also need to define a way of application to realtime web server communications - normally achieved through message queues.
Use a hosted realtime web solution and offload the realtime push aspect of your application.
There are concerns about using Apache with this type of technology, since this technology maintains long-running persistent connections between the server and client and Apache isn't known to be too great at this. So, the best solution may be to:
Go with a 2nd dedicated realtime web server in conjunction with using Apache as your application server
Use a self-hosted realtime web server that has the ability to handle many concurrent connections
Use a hosted service along with your Apache application server.
If you don't expect many concurrent connections or if you are just trying out the technology then it's possible that Apache alone will be all you need.
Look at mod_websocket. It supports the latest protocol version, the one commonly implemented by browser vendors.

Java EE Certificate-Based Mutual Authentication

I'm trying to set up “Certificate-Based Mutual Authentication” in my Java EE application. My requirements are outlined as follows:
Deploying a web application (Java EE on IBM WebSphere) which is publicly available on the WWW, but access privileges are given only to clients authenticated via certificates.
Can someone provide me with sample code and the steps that I have to follow to achieve my requirement?
As Stas mentioned you haven't stated anything about your application (what is the app server etc).
If your set up is WebSphere and you want to set up SSL mutual authentication, then this paper should give you a good idea:
http://www.ibm.com/developerworks/websphere/techjournal/0612_birk/0612_birk.html#sec1
The references in this article also contain good information and they should help you out.
Regarding the Web Server, the SSL hop would be between your App Server and the web server on the other end (and not to the WAS Server running). This does not change any configuration or the set up, but you should be aware that your SSL communication would only go as far as the web server, and the web server might talk SSL to the back-end application server, depending on how it is set up.
If you provide additional information then folks here would be able to help.
HTH
Manglu
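Once the container is doing the mutual TLS handshake (WebSphere with client authentication required on the inbound SSL configuration, or auth-method CLIENT-CERT in web.xml), the application code is only about authorization. The servlet below is an added example, not code from the page or from IBM: it reads the certificate chain the container verified, pins the issuer, and maps the subject CN to an allow-list. The issuer DN, client names and servlet name are made-up values. It also covers the hop caveat from the answer above: if TLS terminates at a front-end web server that does not forward the client certificate, the attribute is null and the servlet must refuse rather than fall open.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Authorization on top of container-level mutual TLS. The container has already
 * verified the client certificate chain against its truststore during the handshake;
 * this servlet reads the result and decides what the caller may do.
 */
public class PartnerReportServlet extends HttpServlet {
    // Assumed allow-lists for the example; a deployment would keep these in a registry or LDAP.
    private static final Set<String> TRUSTED_ISSUERS =
            new HashSet<>(Arrays.asList("CN=Partner Issuing CA,O=Example Corp"));
    private static final Set<String> ALLOWED_CLIENTS =
            new HashSet<>(Arrays.asList("acme-batch", "globex-portal"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        // Standard Servlet attribute; chain[0] is the client's own certificate.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            // Either the container never asked for a client cert, or TLS terminated at a
            // front-end web server that did not pass the certificate on. Fail closed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(); // expired / not-yet-valid certs are rejected here regardless of the truststore
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not valid");
            return;
        }
        // Pin the issuer so a certificate from any other CA in the truststore cannot reach this app.
        String issuer = leaf.getIssuerX500Principal().getName(X500Principal.RFC2253);
        if (!TRUSTED_ISSUERS.contains(issuer)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "issuer not accepted");
            return;
        }
        String clientId = commonName(leaf.getSubjectX500Principal());
        if (clientId == null || !ALLOWED_CLIENTS.contains(clientId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client not authorised");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("hello " + clientId + ", certificate serial " + leaf.getSerialNumber());
    }

    /** Returns the CN attribute of a DN, or null if it has none; parses the DN instead of splitting the string. */
    static String commonName(X500Principal principal) {
        try {
            for (Rdn rdn : new LdapName(principal.getName(X500Principal.RFC2253)).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN: treat as no CN
        }
        return null;
    }
}
```

The DN comparison uses the RFC 2253 string form on both sides so that whitespace and attribute ordering differences in how the CA wrote the name do not produce false mismatches. Revocation is not handled by this code; enable CRL or OCSP checking in the container's SSL configuration rather than in the servlet.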

Using LDAP across Servers without copying the necessary Jars

LDAP authentication in different J2EE servers is different, unfortunately.
E.g. if I develop code in JBoss for LDAP authentication with the LDAP login module of JBoss, there is a 99% chance that it will not run in WebSphere or any other J2EE container. Maybe if I import those library jar files it might work. I’m looking at just porting the application and not having to worry about library files, unless we have written the libraries ourselves. Libraries of J2EE servers must not be copied from one server to the other. I don’t know if that could be called code ethics!!
Is there a J2EE server independent module for LDAP, or a way of programming for doing this?
Is coding from scratch using JNDI the only method? Please advise.
I'd suspect that most J2EE containers already have an LDAP module for authentication, in which case the problem you're having isn't really about programming, but about adapting the configuration from one container to another. Little to no actual code should be required for this. It's not clear why you would develop your own code for LDAP authentication then.
If you really want this configuration to be container independent, you'll certainly need to embed the authentication within the webapp itself.
The Restlet framework, for example, can do that, but it's part of a wider architectural choice, which may or may not be what you're after.
Even if you program your own LDAP code via JNDI or JAAS for example, you're likely to have to tweak the configuration of the container, perhaps for its security manager to let the connections to your LDAP server through (if enabled) or at least to configure which LDAP server to use when deploying the application.
I think in the general case, it's probably wiser to use the container's module (which will vary depending on the container). It ultimately depends on how you configure your webapps when deploying them.
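If you do go the container-independent route the answer mentions, the plain-JNDI version looks like this. It is an added example, not code from the page, from JBoss or from WebSphere: a search-then-bind authenticator that needs nothing beyond the JDK, so it ports between containers with the WAR. The class name, the uid attribute, the search base and the service-account DN are assumptions for the example; the two checks that matter for security (refusing an empty password, and passing the username as a filter argument rather than concatenating it) are the parts worth copying.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Container-independent LDAP authentication over JNDI (ships with every JDK):
 * look the user up with a read-only service account, then bind as the user.
 */
public final class LdapAuthenticator {
    private final String url;            // use ldaps:// so passwords never cross the wire in clear
    private final String searchBase;     // e.g. ou=people,dc=example,dc=com (assumed)
    private final String serviceDn;      // account used only to find the user's DN (assumed)
    private final char[] servicePassword;

    public LdapAuthenticator(String url, String searchBase, String serviceDn, char[] servicePassword) {
        this.url = url;
        this.searchBase = searchBase;
        this.serviceDn = serviceDn;
        this.servicePassword = servicePassword;
    }

    /** True only if exactly one entry matches the username and a simple bind with its DN succeeds. */
    public boolean authenticate(String username, char[] password) throws NamingException {
        // An empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2): many
        // directories answer it with success, so it must be refused here, not left to the server.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        String userDn = findUserDn(username);
        if (userDn == null) {
            return false;
        }
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close(); // the bind itself is the credential check
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    private String findUserDn(String username) throws NamingException {
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            // {0} is a filter argument: JNDI escapes ( ) * \ and NUL per RFC 4515,
            // so a username such as "*" or "x)(uid=*" cannot widen the search.
            NamingEnumeration<SearchResult> results = ctx.search(
                    searchBase, "(&(objectClass=person)(uid={0}))", new Object[] {username}, sc);
            String dn = null;
            while (results.hasMore()) {
                if (dn != null) {
                    return null; // two entries share the uid: refuse rather than guess
                }
                dn = results.next().getNameInNamespace();
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    private Hashtable<String, Object> baseEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put("com.sun.jndi.ldap.read.timeout", "5000"); // do not hang the request thread on a slow directory
        return env;
    }
}
```

Call it as `new LdapAuthenticator("ldaps://ldap.example.com:636", "ou=people,dc=example,dc=com", "cn=svc-webapp,ou=services,dc=example,dc=com", servicePw).authenticate(user, pw)` from whatever login path the webapp uses. The container's security manager (if enabled) still needs a SocketPermission for the directory host, and the LDAPS certificate must be in the JVM or container truststore, which is the configuration tweak the answer warns about.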