Properly securing the web console/rest api ? #245
Comments
Hi, Believe it or not the web console does not use the REST API so far. The reasons are
For REST API, something (not standard) is proposed. You can secure with ApiKey or User/Password credentials. In the Securing accesses to API :

    //[..] ff4j definition
    ApiConfig apiCfg = new ApiConfig(ff4j);
    apiCfg.setAuthenticate(true);
    apiCfg.setAutorize(true);

    // Sample to Create APIKey
    boolean aclAllowRead = true;
    boolean aclAllowWrite = true;
    Set<String> setofRoles = new HashSet<>();
    setofRoles.add("USER");
    setofRoles.add("ADMIN");
    apiCfg.createApiKey("sampleAPIKey1234567890", aclAllowRead, aclAllowWrite, setofRoles);

    // Sample to Create User/password
    apiCfg.createUser("myLogin", "myPassword", aclAllowRead, aclAllowWrite, setofRoles);

Accessing the secured API :

    FF4j ff4jClient = new FF4j();
    // client side: the HTTP feature store is created with the API key issued above
    ff4jClient.setFeatureStore(new FeatureStoreHttp("http://localhost:9998/ff4j", "apiKey"));

Securing WebConsole : WebConsole does not provide anything by itself, it's a simple servlet, the authentication must be handled aside. Spring Security is indeed a good candidate but any servlet security mechanism would be correct : Filter or security constraints in

Architecture tips : In my opinion, you should not register the web console servlet in every application. I would recommend to create a dedicated backend application to handle Feature Toggling in a single place like below. Should be part of the documentation.... will update accordingly
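The Filter route mentioned above, as an added example that is not ff4j's own code: a plain javax.servlet Filter that puts HTTP Basic authentication in front of the console servlet, which fits a Tomcat deployment without Spring Security or Shiro and relies on HTTPS already being in place. It assumes the filter is mapped to the console servlet's URL pattern in web.xml and that the init-params consoleUser and consolePassword (hypothetical names) carry the expected credentials.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ConsoleBasicAuthFilter implements Filter {
    private byte[] expectedUser;
    private byte[] expectedPassword;

    @Override public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical init-param names; fail closed if they are missing.
        String user = cfg.getInitParameter("consoleUser");
        String pass = cfg.getInitParameter("consolePassword");
        if (user == null || pass == null) throw new ServletException("consoleUser/consolePassword init-params are required");
        expectedUser = user.getBytes(StandardCharsets.UTF_8);
        expectedPassword = pass.getBytes(StandardCharsets.UTF_8);
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        if (isValid(((HttpServletRequest) req).getHeader("Authorization"))) {
            chain.doFilter(req, res);                         // authenticated: reach the console servlet
            return;
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"ff4j-console\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // never falls through to the console
    }

    // Parses "Basic base64(user:password)"; both comparisons always run, in constant time.
    boolean isValid(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false;                                     // malformed base64
        }
        String credentials = new String(decoded, StandardCharsets.UTF_8);
        int sep = credentials.indexOf(':');
        if (sep < 0) return false;
        boolean userOk = MessageDigest.isEqual(credentials.substring(0, sep).getBytes(StandardCharsets.UTF_8), expectedUser);
        boolean passOk = MessageDigest.isEqual(credentials.substring(sep + 1).getBytes(StandardCharsets.UTF_8), expectedPassword);
        return userOk & passOk;                               // non-short-circuit: same work on either failure
    }

    @Override public void destroy() { }
}
```

Register it in web.xml with a filter-mapping on the same url-pattern as the console servlet, so the servlet is never reachable without passing the filter.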
Documentation updated : https://github.com/clun/ff4j/wiki/Web-Concepts#securing-accesses-to-api
Thank you for this very complete answer and the updated documentation :)
Hi
I've implemented an AuthorizationsManager as per https://github.com/clun/ff4j/wiki/Core-Concepts#permissions-and-security. Tests work as expected.
However, I'm looking for the proper way to secure the web console/APIs themselves, and not just the features. Note that I am not using Spring Security or Shiro, due to legacy code (basically, I'm stuck with the servlet/JSP APIs under Tomcat, non-EE). No iptables, no fw, no nginx or Apache interceptors. I'm already under full HTTPS. Which would be the best option between
?