Comments (1)
Login mechanism
We will provide UI login by OpenIDConnect and technical access via apiToken.
So login to the OpenID provider is necessary for the UI but not for technical access, like Jenkins builds using sechub. This means: if the OpenID provider is down, a build server is still able to access sechub...
How do we handle UI login and apiToken access parallel?
- WebUI will have own spring boot application (called "UI backend")
- uiToken is never given to the client side, it only resides in the server session (so well known here)
- UI backend will communicate by existing REST API to sechub server
- REST calls do not differ: everything possible by REST API is also available by UI, we only differ in the authentication way!
- OAuth provider will create an access token with timeout.
- The access token and timeout information will be stored by the UI backend (bcrypt encrypted like apiToken, but well known inside the user session of the UI backend). Storage will be done via a technical user, maybe a new role "system" is necessary.
- UI backend must handle 401 by recall to open id provider and reset uiToken inside auth
Technology decisions
- we use simple MVC approach (spring boot standard)
- Template engine (we use Thymeleaf, which supports also layouts etc. see https://www.thymeleaf.org/doc/articles/layouts.html)
- later we will use this UI also for users and owners
- Basic Auth over HTTPS is also used for UI token handling, so UI and apiToken based access are possible in parallel
Issue-Tracking
- we will integrate paging on the server side for dedicated use cases by dedicated issues
- this issue is the main issue and will reference sub issues
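As an added illustration of the design sketched above (not code from the SecHub project), a session-scoped Spring bean for the UI backend: it keeps the uiToken only on the server, forwards REST calls to the SecHub server with Basic Auth over HTTPS like an apiToken client would, and on a 401 drops the token and signals that the user must be sent back to the OpenID provider. The property name `sechub.server.url`, the `ReauthenticationRequired` exception and the `store`/`get`/`clear` method names are assumptions for this example.

```java
import java.time.Instant;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.*;
import org.springframework.stereotype.Component;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.annotation.SessionScope;

/** Thrown when the session has no usable uiToken; a controller advice (not shown)
 *  turns it into a redirect to the OpenID provider login. Hypothetical name. */
class ReauthenticationRequired extends RuntimeException {}

@Component
@SessionScope // one bean per browser session: the uiToken lives here and is never sent to the client
public class SecHubUiSession {

    private final RestTemplate rest = new RestTemplate();
    private final String secHubBaseUrl; // assumption: property name is a placeholder
    private String userId;
    private String uiToken;    // access token from the OpenID provider, server-side only
    private Instant expiresAt; // timeout delivered together with the token

    public SecHubUiSession(@Value("${sechub.server.url}") String secHubBaseUrl) {
        this.secHubBaseUrl = secHubBaseUrl;
    }

    /** Called once after a successful OpenID Connect login. */
    public void store(String userId, String token, Instant expiresAt) {
        this.userId = userId; this.uiToken = token; this.expiresAt = expiresAt;
    }

    public boolean hasValidToken() {
        return uiToken != null && Instant.now().isBefore(expiresAt);
    }

    /** Forwards a GET to the SecHub REST API; Basic Auth over HTTPS, as apiToken clients use it. */
    public <T> T get(String path, Class<T> type) {
        if (!hasValidToken()) { clear(); throw new ReauthenticationRequired(); }
        HttpHeaders headers = new HttpHeaders();
        headers.setBasicAuth(userId, uiToken);
        try {
            return rest.exchange(secHubBaseUrl + path, HttpMethod.GET, new HttpEntity<>(headers), type).getBody();
        } catch (HttpClientErrorException.Unauthorized e) {
            clear(); // 401 from SecHub: drop the token and force a fresh login at the OpenID provider
            throw new ReauthenticationRequired();
        }
    }

    public void clear() { userId = null; uiToken = null; expiresAt = null; }
}
```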