[Suggestion] Implement Simple WebSecurity for ff4j-console using springboot #371
Comments
I have another way I did it at work using the application.properties to configure the username and password (which we then set from our deployment software). I'll try to explain it tonight when I get home from work and add it to the Spring example code. Most of it is already there anyway.

Thank you for this work. Will include security in next release for sure.

I am working on a sample ATM. Spring Security with some static user list (user1, user2, user3):
Should be ready this week as covering multiple issues

FYI I have created a sample following your idea @neillfontes-sl here : https://github.com/ff4j/ff4j-samples/tree/master/spring-boot-2x/ff4j-sample-secured-console Would make sense to make that part of the starter. Also some dedicated properties in

Thanks for the update @clun. Good to see that! On our use-case here we implemented the user/pass combination via environment variables that are set in the helm charts (

But the In one of my projects I also implement this small logic

I have it like:
And the configuration bean:

Thanks, the part I needed was. Will create a set of env variables
ui.username=${UI_USERNAME:defaultUserName}
ui.password=${UI_PASSWORD:defaulPassword}

Will may close this ticket with In either case, a working sample here :

After having a look at the documentation and doing some investigation with Spring Security I was able to come up with a very simple Authentication pattern for the WebUI. It consists of the following:
1- Add the following dependency to the pom.xml
2- Add the following annotation to your SpringApplication:
3- Add this configuration Bean to your project
And pronto! If you want to access the http://localhost:8080/ff4j-console URL to manage the toggles you will be required to login using the credentials set in the BasicConfiguration class.
For the sake of versioning, these are the dependencies in the pom.xml.
It is not great but at least allows one to secure the gui with minimal configuration efforts and to not fiddle a lot around.
Yes, one should never commit a password in a codebase, but this at least gives some guidance on how to extend it further, by e.g. customizing the AuthenticationManagerBuilder and adding a third-party storage for credentials.
If it is useful, adding this to the documentation or a sample might help.
Disclaimer: I did not test if this affects clients fetching the toggles via REST. Also, it would be nice to have the logged-in user flushed to the ff4j_event table if you are using the Audit feature. This way one would know which user handle made a given change. Of course, this would imply changes to the embedded ff4j.
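
An added example, not code from this thread or from the ff4j project: one way to put the pieces discussed above together, with console credentials read from the `ui.username` / `ui.password` properties mentioned in the comments instead of being committed in a class. It assumes Spring Security 5.x on Spring Boot 2.x (where `WebSecurityConfigurerAdapter` is available); the class name `ConsoleSecurityConfig` and the role `FF4J_ADMIN` are hypothetical.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name; assumes Spring Security 5.x (Spring Boot 2.x).
@Configuration
@EnableWebSecurity
public class ConsoleSecurityConfig extends WebSecurityConfigurerAdapter {

    // No ":default" part in the placeholders: the application refuses to start
    // when the property is missing, so a fallback password never ships.
    @Value("${ui.username}")
    private String username;

    @Value("${ui.password}")
    private String password;

    // Delegating encoder stores the value as "{bcrypt}..." in memory.
    private final PasswordEncoder encoder =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser(username)
            .password(encoder.encode(password))
            .roles("FF4J_ADMIN"); // hypothetical role name
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This chain applies only to the console path from the issue. Other
        // paths (for example a REST API used by clients) are not covered by it
        // and need their own rules.
        // CSRF protection stays at Spring Security's default (enabled); check
        // that the console's state-changing actions still work with it.
        http.antMatcher("/ff4j-console/**")
            .authorizeRequests().anyRequest().hasRole("FF4J_ADMIN")
            .and()
            .httpBasic();
    }
}
```

In `application.properties`, `ui.username=${UI_USERNAME}` and `ui.password=${UI_PASSWORD}` would then map the deployment's environment variables onto these properties.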