After I successfully installed APISIX, I found that the configuration file contains admin key information and all control requests need to contain this credential, do I need to change this configuration? How do I make the change take effect?
for security reasons, we would encourage any users to generate a different API key before using Apache APISIX, please check its documentation[1].
NOTE: API Key is only a string, you can generate a new one in your preferred way. For me, I would use https://www.random.org/strings/.
[1] https://apisix.apache.org/docs/apisix/admin-api/
[2] https://github.com/apache/apisix/blob/master/conf/config.yaml#L46
Related
I have my SQ server running in Kubernetes (via Tectonic) and all is going well. We need to tighten the security of our SQ installation, so we have LDAP up and working. We are trying to get all of the projects to be Private by default (which we can do Via the GUI for each project).
However, trying to flip the switch in the GUI to make all new projects Private works, until you refresh the page, then it reverts back to Public.
I have been searching for a way to set this up via the sonar.properties file or sonar-project.properties file (first if the preferred). The server.properties file we use is encrypted as a secret (because the LDAP settings exposes a service account password) and I would like to keep settings there.
I have combed through documentation, posts, discussions and all that, but have not been able to find out what the value=key combination is.
Has anyone seen what this is or if we can even accomplish that? Is it a setting stored in the database? I'm kind of at a loss on this one.
Thanks!
In SonarQube 7.x you can find the public/private setting when you browse to Administration - Projects - Management. This only works for new projects. For existing projects you can use the "Edit the permissions" option on the same page and switch between public and private.
You can also use the web_api to achieve the same results. You can find the documentation when you add "/web_api/api/projects" after the sonarqube URL:
Example of the POST request body: project=MyProject&visibility=private
I have the following scenario:
Server A:abpWeb;
Server B:abpWeb;
A and B are based on MyCompanyName.AbpZero template, abp. Net core version 3.1.1;aspnetboilerplate
Browser access A:abpWeb and B:abpWeb. But after logging in, cookie shared is invalid.
A:User.Identity?.IsAuthenticated equals true after Browser access A:Login;
But refresh B:/index on the browser,B:User.Identity?.IsAuthenticated equals false;
The same browser domain for A and B is the same.
I created two new ASP.NET Core 2.0 MVC apps with ASP.NET Core Identity, using AddDataProtection for the normal shared cookie is ok.
I referred to:
https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?tabs=aspnetcore2x
I am searching for a long time on net. But no use. Please help or try to give some ideas how to achieve this.
Thanks in advance.
The keys that encrypt/decrypt your cookies are probably trying to be written to an invalid folder.
By default AddDataProtection tries to write these keys to:
%LOCALAPPDATA%\ASP.NET\DataProtection-Keys
As long as there is an environment variable being used to create the keys path, you will need to set the following config file setting to true.
Please also see my other answer here:
IIS - AddDataProtection PersistKeysToFileSystem not creating
Fix: Within %WINDIR%\System32\inetsrv\config\applicationHost.config set setProfileEnvironment=true. I think you have to restart IIS as well.
I'm trying to set a general password to my app, which means every user will have the same password to enter.
I've tried using the Project's settings - [Application.Current.Setting.Default.settingName] for the password - but then each user [in his own installed app on his PC] would have his own password, and that's not what I'm looking for.
Is there a way to set a 'general' setting to all app's instances? My project uses VSTS as well, if there's an option from there.
(I see there's a service called 'Web settings', is that it? If so, would you give me an usage example?)
Thanks!
The good way is that you can store password (can be encrypted) in the configuration file, such as app.config, web.config, then read it from configuration file before use it.
You may replace the password before deploy your app through Replace Token step (VSTS build/release)
I am curious if there's still possibility to create global keys for reCaptcha.
Documentation points it is possible, but I can find no way - no such option is there whenever I add a site.
Google made reCaptcha Global URL possible again in 2016 for the I'm not a Robot checkbox:
https://developers.google.com/recaptcha/docs/domain_validation
Now to get the keys to work on every URL you have to go to: "Advanced Settings" for your key, and untick the "Domain Name Validation" box:
https://www.google.com/recaptcha/admin
This is a security hole, so you are required to check the hostname field in your JSON response and reject any solutions that are coming from unexpected sources:
https://developers.google.com/recaptcha/docs/verify#api-response
This option has dissapeared. In fact, google is deleting that info from documentation step by step. There is an issue
Maybe we can ask to reopen that option, or at least, to obtain some info why this option its gone
Well the Secure Token would be the way to do this:
"A reCAPTCHA key is normally tied to a set of individual domains. However, you might have a large number of hosted domains and would like to have one key working on all of them - the solution is the secure token."
https://developers.google.com/recaptcha/docs/secure_token
A similar question (How can I use reCAPTCHA v2 on a large number of domains?) has a PHP sample and a Java sample is in GitHub https://github.com/google/recaptcha-java/tree/master/appengine
I'm working on a Web Service project to provide data to a partner. Our app is really light weight and has only a handful of APIs. Because of time constraint and in-house pre-existing knowledge we went the Spring MVC / Spring Security path to serve those restful APIs.
At any rate this is a B2B project where we are expecting only that partner to hit our servers. So it seems a little over kill to modify are very small db schemas to add tables that would contain only 1 user access record for that partner...
Heard someone say though that it's possible to use an encrypted file, or at least a file where the password information is encrypted, instead of the database to hold the Spring Security user access information... Is that true? If it is can anyone point me to some references? I couldn't find anything relevant on Google at first glance... :(
Thanks.
http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/
See the '' under the authentication-provider; this allows you to use encrypted passwords (use sha). If you only have a single user and you wanted the information in an external file, then you could use a property file configuration placeholder to simply specify
${user.1.id} ${user.1.passwordenc},etc... kinda hacky, but it would work.
It's VERY possible. In fact, you can do it without coding; it's pretty simple to include the credentials directly in the XML defining the Spring Security stuff. You usually see this in examples, followed by warnings to "DON'T DO IT LIKE THIS!"
If in-house security is no big deal and you're not worried that your developers can see your password (as if they needed it, heh!) and no one else is likely to access your configuration files, then this is a quick and easy yet workable solution.
I'm going to post this, but I'm off to go dig in the Spring Security documentation for the example I was talking about I'll be back!
Update
Trever Schick was a bit faster with the example. I had a different example in mind but his code shows exactly what I was talking about. You define your security provider in the XML and provide user ID/password right there. There are a number of utilities available on the 'net for you to MD5 or SHA encode your password for you so you can cut and paste it into the file.
You need to implement a new org.springframework.security.core.userdetails.UserDetailsService that reads the user's information (username, password, enabled flag, and authorities) from a file. I don't know if someone already implemented it.