I implemented an Apache Camel based middleware application to manage authentication, authorization and also to dispatch the front end application calls to my several RESTful back end web services. I'm using Apache Directory as my Ldap server for authentication but I'm using it separately for each back end service.
My question is how to implement a single sign on SSO system to all my back end services.
Any ideas?
Thank you in advance!
I don't think this question is related to Camel directly.
If you want to build a SSO system, I think you can take a look at the oauth. Then you can pass the token as http uri parameter across the back end services.
Related
I'm having an issue with a project I'm working on. I have a Vue client which does API calls to my backend which is written in .NET Core 3.1. Both these applications are deployed on diffent servers.
Now the problem is that my backend server does not allow me to do API calls straight from the browser. So I have to do some kind of 'redirect' on the client server to reach my API.
So for example:
If I call backend_server/api/values I get an error (Firewall).
I think I should make like a second API or something, but I'm not sure how to handle this issue.
Does anybody have any experience on this? Any help is welcome!
Kind regards
You can have multiple options here
Remove the firewall rule -
This will allow your API to get hit from browser. If firewall is not managed by you you can't do this
Add IP or Port exception rule in firewall -
Instead of deactivating the entire inbound rule on server, you can allow specific ports or IP on firewall. Again if you have control on firewall
Create Proxy API -
Another way is you can create a middleware API that forwards your request and acts as a proxy. This will suffice performance, resource, time and compromise security. I recommend not to do this, But it's easily possible in .NET Core
Specify CORS policy -
If your Vue.js and API originates from same origin (IP), You can configure CORS in server which will restrict access to API only from same origin. That means only www.google.com can access GoogleAPI, Likewise. This will protect the API from other origins
Tunnel via VPN -
If security is a concern, Use a VPN service to tunnel your API requests. This can't be possible for every client using your web service.
The best way is to open a specific rule on server for your application if possible. Writing a proxy in between will have lot of disadvantages although can be accomplished.
I want to develop an application using microservices architecture. I'm really new at microservices and until now I've only worked with monolithich approach.
What I would like to do is to have a microservice which takes care of user authentication and have Proxy APIS to authorize the requests.
Authorizing the request in the Proxy API is pretty well documented on the IdentityServer4 docs, but, when the proxy api passes the request to the end microservice how do I authorize this request?
I know that if I setup the end microservice correctly, the same token used in the proxy api can be used to authorize the request at the end microservice. But how do I pass it? Do I grab the token from the request in the Proxy API and pass it down to the end microservice just like that? is it a good practice to do this?
Or is it a better option to block the end microservice to receive only requests from my proxy apis and have no authorization logic there?
PD: I would like to use asp.net-core
I know that if I setup the end microservice correctly, the same token
used in the proxy api can be used to authorize the request at the end
microservice. But how do I pass it? Do I grab the token from the
request in the Proxy API and pass it down to the end microservice just
like that? is it a good practice to do this?
Yes, it is very common to pass the JWT (or any) to pass around, proxy --> service --> proxy --> service.
And each layer can augment the token with additional details like UniqueId (for example when a request hits the first for the first time to track the chain of interactions, circuit breakers etc)
If you are application consists of multiple languages (frameworks), this approach really helps as you don't need to reimplement the authentication in each language and let proxy handle it, this especially useful with container architecture, just make sure that you leave proxy as light weight as possible, you can look into ideas based on Lyft's Envoy proxy.
I followed the tutorial deploy and run Service Stack application on Ubuntu Linux and I got my API quickly up and running. So far it's all plain-text though. I'd like to secure the API with SSL, especially the service receiving username and password, but maybe everything.
I'm using the regular CredentialsAuthProvider together with JwtAuthProvider at the moment, if it's relevant. Using a 3rd party OAuth2/OpenID Connect would solve the login problem, but not securing the remaining contents.
Also wonder how to selectively choose which services require SSL.
The stack is: mono, nginx and HyperFastCGI (and C# ServiceStack)
You'll want to configure SSL on nginx, i.e. your external-facing Web Server. What ASP.NET Web framework you're using is irrelevant as SSL will be terminated at nginx and any downstream Web Applications will still be receiving plain-text requests.
The question is as simple as the title. I have a webapp (I have no clue as to what technology it was built on or what appserver it is running on). However, I do know that this webapp is being served by an Apache Server/ IIS Server / IBM Http Server. Now, I would like to have a plugin/ module / add-on at the web-server end, which would parse/truncate/cut/regex the http response (based on the requested url's pattern), and mask(encrypt/shuffle/substitute) a set of fields in this response based on different parameters(user's LDAP permissions in the intranet / user's geo-location if on the internet, etc) and send the altered response back to the user.
So, Is there an easy answer to creating such plugins/modules/add-ons? How feasible is this approach of creating extra software at the webserver, when you want to mask sensitive information in a webapp without modfying the web-app code? Are there any tools that help you do this for Apache?
And, finally, is this just a really crazy thing to try?!
Each webserver will have its own way of doing so.
There is no universal plugin architecture for webservers.
In IIS you would write an HTTP Handler or HTTP Module, or possibly an ISAPI Filter. You can also directly interact with the http response using the Response object exposed by the HttpContext.
With apache, there are different modules that can do what you want (mod_headers, for example).
I don't know anything about WebSphere, but I am certain it also has similar mechanisms.
What you are asking is required by most web applications, so would be either built in or very easy to do.
The easiest way is to add a plug-in using the web application container. For example, if it's Tomcat, you can add a filter or valve.
If you want to plug-in to the web server, you'd need to write a custom module using the API of whichever web server is being used.
If all else fails, you could always wrap the entire server in a reverse proxy. All requests would go through your proxy and that would give you the opportunity to modify the requests and the responses.
Is there a clean way to expose a WCF REST service that requires basic authentication, but where we handle the actual validation of the username/password ourselves? It seems that when you tell WCF in config that you want to use basic authentication, it forces you to turn on basic authentication in IIS and IIS can only do basic authentication against window accounts.
The only hack we have found is to lie to WCF and tell it there is no security on the service and then do authentication outside of the WCF stack using a generic IHttpModule (which has a proprietary config file to indicate which URLs have which authentication/authorization requirements).
It seems like there should be a better way. Anyone have one?
The WCF REST Contrib library enables this functionality:
http://github.com/mikeobrien/WcfRestContrib
It also allows you to secure individual operations.
is the username and password set on the client like:
cc.ClientCredentials.UserName.UserName = ReturnUsername();
cc.ClientCredentials.UserName.Password = ReturnPassword();
Or are they embedded in the body of the REST message?
If the former, you can use a custom UserNamePasswordValidator:
http://msdn.microsoft.com/en-us/library/aa702565.aspx
If the latter, you can set the service to no security, and use a custom ServiceAuthorizationManager to validate the contents of the message:
http://msdn.microsoft.com/en-us/library/ms731774.aspx
Hope one or the other helps! I'd try to post sample code & config, but I'm # home and dont have access to code, which is all # work.
See Custom Basic Authentication for RESTful services. Pablo's approach uses the interceptor functionality that is provided via the REST starter kit to solve the problem. If you do not want to depend on the REST starter kit, then you can create your own service host and use the inteceptor functionality provided.
If you host it on IIS, using custom http module is the way to go. You can bring over the principal over to WCF side to do code access security. See HTTP Basic Authentication against Non-Windows Accounts in IIS/ASP.NET (Part 3 - Adding WCF Support). Also see Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008.
If you are not using IIS, you should be able to implement userNameAuthentication. See Finally! Usernames over Transport Authentication in WCF.
Yes absolutely there is a way. You need to configuring a custom userNamePasswordValidationMode value for your service and point it to a class with an overridden method that can inspect and validate the credentials provided. When making a RESTful call, these credentials when using Basic authentication in its proper form should be in the request header. With this custom method you can inspect the credentials and then authenticate the client to your service. No Windows accounts or domain even needed.
The nice thing is you can then take that security context to the next level and provide fine-grained authrization at the method level. You might have instances where a large pool of clients are able to access the service, but not all methods within (i.e. paid clients vs. unpaid). In this case you can also provide authorization at the method level as well if needed.
Below is a step-by-step solution (with too many steps to embed) by me that contains both the needed configuration and security required to have a complete solution. The problem is often Basic authentication is used without securing the Transport with a SSL certificate and this is bad. Make sure to follow all the steps and you will implement Basic authentication without the need of any type of Windows accounts or configuration on your WCF RESTful based service.
RESTful Services: Authenticating Clients Using Basic Authentication