The documentation says that the Mailman rest interface provides http basic authentication. Is it possible to configure the rest API to accept (only?) SSL connections? The documentation, for example, https://docs.mailman3.org/en/latest/prodsetup.html says that the REST interface should never be exposed on the public internet but the Mailman service may be in a different host that other processes using the REST api, so securing the Basic AUTH is still desirable.
Related
I have implemented microservices architecture in Spring Boot. All services are accessible from the front-end. There are 2 types of API in few Microservices -
Public - (Directly Accessible from the front-end)
Internal - (for inter-service communication)
I have implemented JWT based authentication. But I want to know how to implement auth for internal APIs?
In internal API we will not get the JWT token. Auth is needed because someone can mock a private API.
For Authentication, we are using an auth service. All other services call the Auth service before every API call to authenticate the request.
Auth is needed because someone can mock a private API
While this may be true, an attacker would need to be inside your network already.
However, assuming you still need secure intra-service communication, you could look at service discovery to mediate this communication. Service registry platforms such as Eureka or Consul, will allow you to set up service discovery.
Eureka is commonly used in sprint boot applications, and is fairly lightweight, but weighted toward AWS hosting.
In addition to other benefits, such as configuration management, failure detection, and load balancing, these platforms will also enable you to secure your intra-service communication.
Here is the authorization service. It has endpoints to login and receive a JWT using either a custom username/password or social OAuth (Facebook, GitHub etc.).
I have a Eureka server setup and Zuul gateway service. From what I understand, there are two ways to go about implementing secure microservices. You either proxy requests through the auth service, or you send requests to the requested service (Ex. Service A) and service A authorizes using the auth service.
I would like to use the second way, however I'm having trouble implementing it. Is my understanding correct? Is there a way to setup service A somehow so that certain paths (configured using Ant matchers) will have to authorize using the auth service, which will set the SecurityContext appropriately and inject a UserPrincipal into the request. If anyone can point me to a good guide for this that would be much appreciated.
I would like to build a web based application using Spring Boot micro service. I am planning to use OAuth2 and OpenID Connect to implement authentication and authorization in my application. What grant type I have to choose to implement OAuth2 if my application is going to be single page application (Angular.js for front end Spring Boot services for backend)?
You can use Implicit or Authorization Code flow with a single page app :
In order for a single-page app to use the Authorization Code flow, it must be able to make a POST request to the authorization server. This means if the authorization server is on a different domain, the server will need to support the appropriate CORS headers. If supporting CORS headers is not an option, then the service may use the Implicit Flow instead.
oauth.com
but it's recommanded to use Authorization Code flow :
It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead. oauth.com
I'm wondering what to do with an API Endpoint when using a API Gateway. For example when you following the tutorial here: https://wiredcraft.com/blog/securing-components-in-a-microservice-context
You are using keycloak and kong (api-gateway) to secure the api. With kong you're getting an new Endpoint under http://localhost:8000/data. But the "original" express Server is still listening on http://localhost:3001/data.
That means that when a user/attacker knows the url of the "orignal" service and doesn't use the kong url (port 8000) he/she can still work with the api.
So my question is about the strategy and what to do with the original api? How could that be secured. Shall we implement the keycloak request on the api as well? But where are the benefits of kong then?
Your API gateway gives you a single entrypoint that simplifies how client applications access your services. You could add keycloak security on the gateway and not on the services behind - perhaps if you've a setup where you can block network access for clients to any services except the gateway. But even then you might still want the gateway and keycloak on the services behind.
The reason you might put keycloak on the services behind is because they are likely to need to know the identity of the user making the request. If they are going to read the token anyway then it might be most straightforward to add keycloak to them. And you'd still want the gateway to simplify life for clients. You'd then also want the gateway to forward the token to the services behind the gateway. (We're using keycloak and spring cloud gateway on the Activiti Cloud project and this is essentially how we decided to secure the services themselves with keycloak and have the gateway forward the token to them.)
I am trying to use hazelcast rest api (hazelcast version 3.9.1) to gather caching information. I am exposing Rest endpoint in my application (e.g. http://localhost:8080/cache/info) using which the caching information will get collected (using hazelcast rest api e.g. /cache/localinfo) but ever time I hit the endpoint it pop up "Authentication Required" dialog and entering same credential which I used to set group config name and password doesn't work.
I am wondering how to first disable authentication (if possible).
If not what credential it is looking for ? Shouldn't it be same what is being used to setup group config name and password while configuration hazelcast ? e.g. Config config = new Config();
config.getGroupConfig().setName("hazel-instance"); config.getGroupConfig().setPassword("password");
Hazelcast doesn't offer the possibility to secure the REST API by using credentials. Hazelcast is not designed to be open to the public internet. If you want to have it for internal authentication we recommend to put nginx in front of the Hazelcast REST API and use a proxy mechanism.
Anyhow the REST API is considered a legacy API for situations where the programming language doesn't have a native client. The REST API doesn't know about the internal partitioning and therefore will not offer best possible performance.