CAS default user and missing permission to Administrator Panel - spring

I need to create a fake CAS server on localhost. I copied this repo and ran it. But now I have a problem with access to the Administration panel or something like that with user: casuser and password: Mellon.
Is there any UI to manage CAS? How can I configure CAS to use this as localhost authentication server?

Is there any UI to manage CAS?
There is a UI that would allow one to manage application registrations and policies with CAS, but as of this writing, there is no UI to manage the CAS configuration itself. The Spring Boot Admin project might be an option to research.
Today, CAS configuration is more or less a source-driven process where you configure modules via the build.gradle file and relevant configuration via a cas.properties file. You'll need to edit these by hand to prep your deployment.

Related

How to pass password\encryption key to Heroku application

I'm deploying my Spring Boot application to a Heroku server via git deployment. There are passwords and API secrets in my application.yml. Those properties are encrypted with Jasypt. One thing I don't understand is: how do I pass the Jasypt decryption password into the deployed application for startup?
Heroku has Config Vars, but they do not seem secure, considering that all of them could be revealed on the dashboard.
Is there a secure way to send a password into deployment?
Config Vars are the accepted mechanism to pass runtime information to the apps upon deployment.
It is pretty secure if access to the Dashboard is controlled, of course (those settings are never exposed or logged); only the owner can reveal the values.

SonarQube - SSO only allow specific users access to SonarQube via Security group

I am implementing SSO into our SonarQube. Because our company has so many users, I want to only allow users that are within a specific security group, e.g. SonarUsers, to have access to SonarQube. They would be associated with a SonarUsers SonarQube group, and the same for SonarAdmins.
How/Is this possible?
Using SonarQube 6.2 and SSO Plugin 1.5.1
From a single-sign-on perspective, your only option would be to have your SSO system refuse to authenticate them. But that's probably not what you want.
On the SonarQube side, since you're delegating authentication, your only option would be to refuse them permission to see anything once they've authenticated. Do that by restricting who can Browse your projects.

How to create user and password in existing websphere app server

I have already installed WebSphere Application Server 8.5.5 on my machine without a username and password.
But for some reason now after using it for several days without any problem, today I got a problem where I am asked to enter username and password in one of the applications which I deployed on WAS8.5.5.
Now how can I create a username and password in an already installed WAS 8.5.5?
If you want to disable application security,
in the Security -> Global Security section, uncheck Enable application security.
Otherwise, if you want to enable application security, configure User account repository with the available realm definitions.

securing access to spring cloud configserver

I was wondering how people are handling security aspects when using Spring Cloud Config.
I'm planning to use Spring Cloud Config Server and Client together with Spring Boot. From an implementation point of view this is quite straightforward, but how do you deal with the risk of disclosing passwords/access to every developer?
E.g. you run one central configserver containing configurations for all environments. In the bootstrap.yml of the config client app you'll have to configure the username/password to access the configserver. So far so good, but when I now commit the username/password in the respective yml file, then every developer has potential access to all environments by just switching the profile from e.g. development to production (please let's not start a discussion about why not every developer needs access to production).
I'm aware that I can encrypt all passwords in the configuration, we do this, but that's not what I'm looking for. Encryption is just a feature to not have the passwords being stored plaintext in the files, but the user does not really need to know the plain password to get access if he has access to the configserver in the first place.
This is also about avoiding mistakes during development... it's just too easy to switch the local environment to connect to production or any other environment.
So how are people dealing with this? Do you inject a different bootstrap.yml in development than in other environments? If so, how do you administrate/propagate these?
Do you set the password for the configuration user on the command line?
...?
We use variables and default values for the config server URL, user and password:
${config_username:user}:${config_password:password}@${config_server:conf.mydomain.com}
Default values can be valid credentials for the development environment; this way you simply run it while you develop. When you deploy to production, simply set those environment variables and your application will connect to a different config server.
I was thinking about this myself and came up with 3 options. In all cases, use {cipher} values in repos for sensitive data and disable various actuator endpoints that would allow decryption or property value lists.
1. Have two config servers, one for dev and one for prod, with no dev access to the prod server, controlled by credentials provided to the prod client at runtime.
2. Perform the decryption client side, using a secret provided to the prod client at runtime.
3. Explicitly define a prod profile and block access to URLs containing that profile from non-prod servers.
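
The third option above depends on recognising every URL shape that can name the prod profile. The following is an added example, not code from either answer or from Spring Cloud Config: a sketch of the check a proxy or filter in front of the config server could apply, covering the server's documented resource paths and comma-separated profile lists. The function names, the `PROTECTED` set and the sample paths are assumptions made for illustration.

```python
# Added example: decide whether a Config Server request names a protected profile.
from urllib.parse import unquote, urlsplit

PROTECTED = {"prod"}  # assumption: the profile name used in the answer
EXTENSIONS = (".yml", ".yaml", ".properties", ".json")


def requested_profiles(url_path):
    """Return the set of profiles a Config Server path asks for.

    Resource shapes handled:
      /{application}/{profile}[/{label}]
      /{application}-{profile}.{ext}
      /{label}/{application}-{profile}.{ext}
    """
    # Decode first so an encoded comma (%2C) cannot hide a second profile.
    path = unquote(urlsplit(url_path).path)
    segments = [s for s in path.split("/") if s]
    if not segments:
        return set()
    last = segments[-1]
    ext = next((e for e in EXTENSIONS if last.lower().endswith(e)), None)
    if ext:
        stem = last[: -len(ext)]
        # Assumption: the profile is the text after the last hyphen.
        _, sep, profile = stem.rpartition("-")
        raw = profile if sep else ""
    elif len(segments) >= 2:
        raw = segments[1]
    else:
        raw = ""
    # Profiles may be a comma-separated list such as "dev,prod".
    # Lower-casing is a deliberately conservative choice for a deny rule.
    return {p.strip().lower() for p in raw.split(",") if p.strip()}


def allow(url_path, caller_is_prod):
    """Deny any request naming a protected profile unless the caller is prod."""
    if caller_is_prod:
        return True
    return not (requested_profiles(url_path) & PROTECTED)
```

How `caller_is_prod` is established (client certificate, network segment, or credentials supplied at runtime) is left to the deployment.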

How to configure external authorisation in owncloud with External user support app?

I'm testing ownCloud. It is a very nice system. I have to test authentication with an FTP server using the plugin "External user support". When I enable it in the web admin panel, nothing happens. I don't know where to set up the things that will enable authorization with my FTP server.
Depending on which version of ownCloud you are using, see either
http://doc.owncloud.org/server/5.0/admin_manual/configuration/custom_user_backend.html
or
http://doc.owncloud.org/server/4.5/admin_manual/custom_user_backend.html
