[XD-1695] Research how to secure Admin's REST endpoints Created: 12/May/14  Updated: 17/Sep/14  Resolved: 17/Sep/14

Status: Done
Project: Spring XD
Component/s: REST
Affects Version/s: None
Fix Version/s: 1.1 M1

Type: Story Priority: Major
Reporter: Sabby Anandan Assignee: Marius Bogoevici
Resolution: Complete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Epic Link: Security
Story Points: 8
Rank (Obsolete): 243
Sprint: Sprint 34

 Description   

As a user, I'd like to have the option to provide security configurations so that I can access REST endpoints in a secured manner.

Ideally, all the listed REST endpoints need to be wrapped within a security layer.

Scope of this spike:

  • Research Spring Security and Spring Boot and the OOTB features
  • Design considerations and approach for XD
  • Developer experience
    • How will users configure security credentials?
    • How will the DSL shell be handled?
    • How will the Admin UI be handled?


 Comments   
Comment by Mark Pollack [ 15/Sep/14 ]

Here are a few aspects that were discussed and AFAIK, are in scope.

1. Accessing the admin server endpoints generally over HTTPS. How to configure Spring Boot to serve up only HTTPS requests.

2. Securing all endpoints using Spring Security functionality provided by Spring Boot and supporting out of the box using a file based credential system. Can look at this outside the context of SpringXD (general security for apps) and how it applies to XD. See http://spring.io/guides/gs/securing-web/ and http://spring.io/guides/gs/authenticating-ldap/

3. Create unit/integration tests to make sure this works with file based system

4. Testing with LDAP was mentioned. Should we only provide high-level reference docs on how to configure it (via servers.yml)?

5. Impact on shell and admin UI.
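
One way to put points 1 and 2 above into a single Spring Boot / Spring Security configuration, as an added example that is not part of this issue, of Spring XD, or of the commenter's own work: every request must arrive over TLS, every endpoint requires authentication, and the credentials come from a plain properties file. The package name, the `xd.security.users-file` property and its default path, the users-file format used by `InMemoryUserDetailsManager` (Spring Security's own `username=password,ROLE,enabled` format), and the `server.ssl.*` property names (Spring Boot 1.2+) are all assumptions for illustration, not XD configuration.

```java
package example.xd.security; // hypothetical package, not part of Spring XD

import java.util.Properties;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.support.PropertiesLoaderUtils;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/*
 * Assumed matching application.yml for the admin server (Spring Boot 1.2+ names):
 *
 *   server:
 *     ssl:
 *       key-store: /etc/xd/keystore.jks
 *       key-store-password: changeit
 *       key-password: changeit
 *
 * With server.ssl.* set, the embedded container's single connector is TLS-only,
 * so plain HTTP is not served at all. requiresSecure() below is a second line
 * of defence in case a non-TLS connector is ever added.
 */
@Configuration
@EnableWebSecurity
public class AdminRestSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical property. The file holds one user per line in the format
    // Spring Security's InMemoryUserDetailsManager(Properties) parses:
    //   admin=s3cret,ROLE_ADMIN,enabled
    //   viewer=readonly,ROLE_VIEWER,enabled
    // (Spring Security 3.2/4.x accept the plain password; 5.x needs a
    // PasswordEncoder or an {id} prefix such as {bcrypt}.)
    @Value("${xd.security.users-file:/etc/xd/users.properties}")
    private String usersFile;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // File-based credential store: loaded once at startup, nothing in the DB.
        Properties users = PropertiesLoaderUtils.loadProperties(new FileSystemResource(usersFile));
        auth.userDetailsService(new InMemoryUserDetailsManager(users));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // 1. Refuse/redirect anything that did not arrive over TLS.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            // 2. No anonymous access to any endpoint; no allow-list of "public" paths.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // HTTP Basic over TLS is enough for a scripted client such as the shell;
            // an unauthenticated call gets 401 with a WWW-Authenticate header.
            .httpBasic()
            .and()
            // No server-side session for REST calls, so no session to hijack or fixate.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // CSRF is a cookie-session attack; with stateless Basic auth there is no
            // ambient credential for a browser to replay, so the token check is off here.
            .csrf().disable();
    }
}
```

Two caveats tie this back to points 4 and 5 of the list. Swapping the file store for LDAP only touches `configure(AuthenticationManagerBuilder)` (`auth.ldapAuthentication()...` instead of `userDetailsService(...)`), so the HTTPS and authorization rules are unaffected. Disabling CSRF is only sound while clients authenticate per request with a header; if the Admin UI ends up logging in with a browser cookie session, that path needs CSRF protection re-enabled and should not share this stateless configuration.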

Comment by Marius Bogoevici [ 15/Sep/14 ]

6. Ensure sensible defaults to not break existing 1.0.0 functionality, if that is possible at all.

Comment by Gunnar Hillert [ 15/Sep/14 ]

Did a write-up on how I implemented authentication for my AngularJS/Spring Boot demo app using Spring Session:

http://hillert.blogspot.com/2014/09/secure-your-angularjs-apps-with-spring-session.html

Comment by Marius Bogoevici [ 15/Sep/14 ]

Thanks a lot, Gunnar!

Comment by Marius Bogoevici [ 17/Sep/14 ]

Marking this as done, since it has been broken into XD-2119, XD-2120, XD-2121, and XD-2122.
