We're using the Camunda RestAPI to communicate with the camunda-engine in the backend, so far so good, but we haven't been able to enable the Camunda authentication service so that users/rolls can only instanciate/claim/complete/see (when requesting via http) the tasks and processes which are assigned to them or their groups.
We're also using the spring boot implementation of the configuration, we have tried several things, but non has work so far as anyone can do anything and it's not even asking for credentials, so I was thinking I may be doing something wrong considering how complicated it has been.
So the question is, what are the standard steps we need to take to make these services work?
Thanks in advance.
Camunda is running bundled with a Tomcat server which allows LDAP, so one way might be to let your Tomcat do the permission management. In other words, you might limit the user access via the hosting web server.
Related
We have one application which is running on the Spring boot, We don't like to add a new application in the environment to manage this application, to do so we like to add spring boot admin feature to the same application. I tried that and able to see the spring admin screen but the client is not getting loaded.
I don't know this is good idea or not.
Please provide your suggestion.
I can see it is working both spring boot admin sever and client both application in one.
But I dont know this is good idea or not. Please provide your inputs
The Spring Boot Admin is invented for monitoring multiple services. In my opinion you should separate them so everyone will has it's job to follow the single responsibility principle. With separation when your application will fail the Spring Boot Admin will catch logs and maybe some additional data, if they are together you won't know what might happen.
We are developing a spring boot application(generated with jhipster, with oauth) and we want to use camunda.
The camunda spring boot starter(with the process engine only) worked, however the we had problems with the other two starters(rest, web) in our current setup(although they work with a simple project like in the camunda examples).
We actually prefer using the embedded process engine like this, however, we would like the operational advantages of the camunda webapps.
The preferred solution we thought about was to connect to the same database another process engine(camunda standalone or springboot app with camunda web starter). This seems to be working in our tests.
The other solution would be to use camunda standalone and communicate via rest api, and subscribe to topics for service tasks.
Do you see any problems with the preferred solution?
Yes, it's perfectly fine running two engines against same database. Just make sure to set camunda.bpm.job-execution.enabled=false in the other instance(if you don't want it to pick up and execute jobs)
I am building a middle tier which will consume information from multiple downstream systems. The ask is to talk to them over 1 way SSL. I looked up samples but this concept is a bit if a mystery to me. Please help.
The question is too vague IMHO, I'll try to provide general insights
The answer may vary depending on the actual requirements in your organization security department and your actual spring boot configuration.
Spring Boot is a Java framework that usually allows the deployment architecture with an embedded tomcat, jetty or undertow servers that serve Http endpoints exposed by Spring MVC or without an embedded server at all (usually for legacy deployments)
If you in a "legacy" mode (build a WAR) - then HTTPs configuration should be done on the actual server and not in spring boot application.
If you use an embedded server, then the actual technical solution can actually depend on the server you use underneath, at least to some extent.
Indeed like Steffen Ullrich has stated in the comment section, there are many examples of doing this.
For example, take a look at This one
If you want to redirect HTTP requests to HTTPs you should configure your server to do so, and this solution is Tomcat specific.
Another thing to consider is whether you want to use SSL at the level of spring boot at all. Maybe you're running under the gateway / some kind of proxy. In this case, it can make sense to use https for accessing the proxy from outside, but from a proxy to java application you could use HTTP.
I know I'm just speculating about this solution, I've just decided to mention it because in my experience there are many organizations that work like this.
In addition, since spring boot is used for microservice development, the chances are that you have many spring boot artifacts that somehow "talk" to each other, so maybe running HTTPs between them is redundant.
If I have multiple Spring Boot embedded tomcat containers and each can have service endpoints like
http://localhost:8080/employeeSelfService/getDetails
http://localhost:8081/employeeSelfService/getDetails
How can do load balancing using 2 micro services such that clients can hit any of the URL's mentioned based on some load balancing startegy
One option thats come to my mind is to use NetFlix Curator (or) have a apache webserver acting as reverse proxy but with apache, when you create new instances of your services, you will have have an entry of that service as a member in httpd.conf
Does Spring Boot provides any service discovery and load balancing mechanism ?
Spring Boot does not provide this feature, as it is already usually provided by a reverse proxy such as apache/nginx running in front of the Spring Boot server.
See here for an example here how the commercial version of nginx provides the functionality of dynamically scaling and reducing the upstream nodes.
So in this case it's for the dynamic instance, in this case the Spring Boot process to signal it's presence/unregister itself to the upstream server at initialization/shutdown.
See here how to do so in the case of nginx, this procedure will be different from server to server.
Arguably it's not really an application's role to manage its own load-balancing, and Spring Boot focuses on the implementation of an application (or service, equivalently). We have been thinking about whether we could provide features in Spring (Boot or otherwise) to make it easy to write your own load-balancer, or service registry app, but even then I don't think that was what the question was really about (or was it?).
If I interpret the question, and the example use case, literally, I would say that the most natural answer is an out-of-the-box reverse proxy solution (as the other answers pointed out). I also note that such a reverse proxy is an essential and natural part of a PaaS solution, so if you need it to "just work" and don't want to know about the details, PaaS would be a natural path (e.g. see cloudfoundry as an example of such a solution that I happen to have worked on).
Indeed Spring Boot has not inherit support for load-balancing. Just to add to the list of available solutions for load-balancing, here are the instructions to configure an Apache for load-balancing.
I'm adding Spring security to an internal website. I've been asked to have the authentication be tied to tomcat-users.xml, so that we can cut down on the number of passwords to change/remember.
From what I've been able to Google up, this isn't very straighforward, if at all possible.
Things are working fine, for now, with a user + role hardcoded in springSecurity.xml.
You can treat container security as a pre-authenticated scenario.
There's a sample app in the codebase which uses this approach. It uses explicit bean configuration, but there is also a <jee> namespace element available.
This could be done as a pre-authenticate scenario as Luke indicates but I do not suggest that option. When you are using tomcat xml file you are using MemoryRealm but you could switch to JDBCRealm and have both users (Spring and Tomcat) stored in the database. I suggest this for maintenance, consistency and security. If you change your servlet container you will have to migrate your security users and roles.
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#MemoryRealm