Properly securing the web console/rest api ? #245

Closed
laurentperez opened this issue Aug 11, 2017 · 3 comments
@laurentperez
Hi

I've implemented an AuthorizationsManager as per https://github.com/clun/ff4j/wiki/Core-Concepts#permissions-and-security. Tests work as expected.

However, I'm looking for the proper way to secure the web console/APIs themselves, and not just the features. Note that I am not using Spring Security or Shiro, due to legacy code (basically, I'm stuck with the servlet/JSP APIs under Tomcat, non-EE). No iptables, no firewall, no nginx or Apache interceptors. I'm already under full HTTPS. Which would be the best option between:

  1. writing a custom Tomcat Valve or Filter to restrict the console/API URLs
  2. extending or forking FF4jDispatcherServlet to inject a bare SecurityManager plus securing the REST API with JJWT
  3. writing a custom Filter (i.e. outside of Tomcat)

?

@clun
Collaborator

clun commented Aug 11, 2017

Hi,

Believe it or not, the web console does not use the REST API so far. The reasons are:

  • The web console existed before the REST API
  • I suck at JavaScript. As a consequence, to secure the REST API and the administration console there will be different strategies.

For the REST API, something (not standard) is proposed. You can secure it with an API key or user/password credentials. In the ApiConfig object please enable the authenticated flag and create the expected API keys OR user/password credentials, depending on what you prefer.

Securing access to the API

```java
import java.util.HashSet;
import java.util.Set;
import org.ff4j.FF4j;
import org.ff4j.web.ApiConfig;

//[..] ff4j definition (an initialised FF4j instance named ff4j)

ApiConfig apiCfg = new ApiConfig(ff4j);
apiCfg.setAuthenticate(true); // require credentials on every API call
apiCfg.setAutorize(true);     // enforce read/write ACLs and roles per credential

// Sample to create an API key
boolean aclAllowRead = true;
boolean aclAllowWrite = true;
Set<String> setOfRoles = new HashSet<>();
setOfRoles.add("USER");
setOfRoles.add("ADMIN");
apiCfg.createApiKey("sampleAPIKey1234567890", aclAllowRead, aclAllowWrite, setOfRoles);

// Sample to create user/password credentials
apiCfg.createUser("myLogin", "myPassword", aclAllowRead, aclAllowWrite, setOfRoles);
```

Sample here: https://github.com/clun/ff4j/blob/master/ff4j-webapi-jersey2x/src/test/java/org/ff4j/web/api/test/it/SecuredJersey2Application.java

Accessing the secured API:

```java
import org.ff4j.FF4j;
// FeatureStoreHttp is the HTTP client store shipped with the ff4j-webapi-jersey2x module

FF4j ff4jClient = new FF4j();
// second argument is the API key created above on the server side
ff4jClient.setFeatureStore(new FeatureStoreHttp("http://localhost:9998/ff4j", "apiKey"));
```

Securing the WebConsole:

The WebConsole does not provide anything by itself; it's a simple servlet, so the authentication must be handled aside. Spring Security is indeed a good candidate, but any servlet security mechanism would be correct: a Filter or security constraints in web.xml are OK to me. If you implement something reusable I would be happy to integrate it into the solution.

Architecture tips: in my opinion, you should not register the web console servlet in every application. I would recommend creating a dedicated backend application to handle feature toggling in a single place, like below.

[image: securing ff4j]

Should be part of the documentation.... will update accordingly
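The "Filter in front of the console" option discussed above, as an added example that is not part of the original thread or of ff4j itself. It is a plain javax.servlet Filter enforcing HTTP Basic credentials read from filter init-params (the parameter names `ff4j.admin.user` / `ff4j.admin.password` are constructed for this example), to be mapped in web.xml onto the console and API URL patterns; it assumes the HTTPS-only deployment the question describes, since Basic credentials are only base64-encoded.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter guarding the FF4j console/API URLs with HTTP Basic auth. */
public class Ff4jAdminAuthFilter implements Filter {
    private String expectedUser;
    private byte[] expectedPassword;

    @Override
    public void init(FilterConfig cfg) {
        // Example init-param names; in production load these from a secret store, not web.xml.
        expectedUser = cfg.getInitParameter("ff4j.admin.user");
        expectedPassword = cfg.getInitParameter("ff4j.admin.password").getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Basic ") && credentialsMatch(header.substring(6).trim())) {
            chain.doFilter(req, res); // authenticated: let the console/API servlet handle it
            return;
        }
        // Reject everything else with a challenge; no detail about which part failed.
        response.setHeader("WWW-Authenticate", "Basic realm=\"ff4j\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Decodes "user:password" and compares the password in constant time. */
    boolean credentialsMatch(String base64) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(base64), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0 || !decoded.substring(0, colon).equals(expectedUser)) return false;
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, expectedPassword); // length-independent timing
    }

    @Override
    public void destroy() { }
}
```

Map it in web.xml with `<filter-mapping>` entries for the console servlet's pattern and the REST API pattern, so unauthenticated requests never reach FF4jDispatcherServlet.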

@clun
Collaborator

clun commented Aug 11, 2017

@laurentperez
Author

Thank you for this very complete answer and the updated documentation :)
