softinstigate / restheart-security

Authorization and Authentication microservice for RESTHeart

Home Page: https://restheart.org/docs/security/overview/

License: Apache License 2.0

Shell 1.26% Java 94.58% Dockerfile 0.11% Gherkin 3.96% JavaScript 0.09%
iam microservice authorization authentication access-management restheart security gateway-microservice java

restheart-security's Introduction

archived

On 6/3/2020 we decided to use a mono repo to manage all restheart code. restheart-security has been merged in restheart and archived.

RESTHeart Security

restheart-security is a security microservice for RESTHeart v4, the Web API for MongoDB. It acts as a reverse proxy for HTTP resources, providing Authentication and Authorization capabilities.

restheart-security enables developers to configure security policies in standardized micro-gateway instances that are external to the API and microservice implementations, avoiding both hand-written security code and a centralized gateway, where scalability is a key concern.

restheart-security can also be used as a micro-gateway for Identity and Access Management in any HTTP-based microservices architecture.

Think about restheart-security as the "brick" that you put in front of your API and microservices to protect them.

Plugins

restheart-security is built around a pluggable architecture. It comes with a strong security implementation but you can easily extend it by implementing plugins.

Building a plugin is as easy as implementing a simple interface and editing a configuration file. Plugins also allow you to quickly implement and deploy secure Web Services.

Maven artifacts

You can find pre-built Maven artifacts on Jitpack.io. That allows you to add RESTHeart Security as a dependency in your own POM and build new plugins.

https://jitpack.io/#SoftInstigate/restheart-security

Documentation

Find the documentation at https://restheart.org/docs/security/overview

Setup

You need Java 11 and must download the latest release from the releases page.

$ tar -xzf restheart-security-XX.tar.gz
$ cd restheart-security
$ java -jar restheart-security.jar etc/restheart-security.yml -e etc/default.properties

Building from source

You need Git, Java 11 and Maven.

$ git clone git@github.com:SoftInstigate/restheart-security.git
$ cd restheart-security
$ mvn package
$ java -jar target/restheart-security.jar etc/restheart-security.yml -e etc/default.properties

With Docker

$ docker pull softinstigate/restheart-security

Book a chat

If you have any question about RESTHeart Security and want to talk directly with the core development team, you can book a free video chat with us.


Made with ❤️ by SoftInstigate. Follow us on Twitter.

restheart-security's People

Contributors

mkjsix, snyk-bot, ujibang

restheart-security's Issues

support parametric conf file

Add support for mustache parameters in uiam.yml, as RESTHeart supports them in restheart.yml.

Expected Behavior

When the restheart admin uses a mustache parameter in uiam.yml, the mustache is replaced by a value as is done for restheart.yml (using environment variables, for example).

Current Behavior

We could not use mustache parameters.

Context

Our organisation prefers starting the Docker container with environment variables and without a configuration file in the file system.

Environment

n.a.

Steps to Reproduce

n.a.

Possible Implementation

Use the same algorithm as is used for restheart.yml.

upload artifact on maven central repo

Expected Behavior

The Travis build process should publish the jar on the Maven Central repo.

Current Behavior

The jar is published on a private AWS S3 repo.

Auth-Tokens cannot be used in webapps when restheart and restheart-security are used

Expected Behavior

Responses from restheart-security should contain the CORS header access-control-expose-headers including all the values Location, ETag, Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location, X-Powered-By.

We're interested especially in Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location here.

Current Behavior

Restheart responds with access-control-expose-headers: Location, ETag, X-Powered-By. Restheart security checks that CORS headers are already present and does not alter them. Since Restheart security cares about the auth tokens and all of that, the header values access-control-expose-headers: Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location are not allowed to be read by browser-side JavaScript.

Context

we're moving to the new restheart major release 4.0+

Environment

n/a

Steps to Reproduce

  1. Use Restheart-security and restheart
  2. Send Request with valid basic auth credentials to Restheart-Security
  3. Observe header access-control-expose-headers.

Possible Implementation

If access-control-expose-headers is present, add relevant values instead of simply accepting what downstream restheart did.
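The header-merging behaviour the issue asks for, as an added, stand-alone illustration (not restheart-security's own code, which is Java on Undertow): a downstream response that already carries access-control-expose-headers is merged with the proxy's own Auth-Token* names instead of being passed through, and a small check shows which headers cross-origin JavaScript could then read. The downstream header values are constructed from the issue text.

```python
# Added example: merging Access-Control-Expose-Headers in a security proxy.
# Not project code; the header names come from the issue above.

EXPOSE_HEADER = "Access-Control-Expose-Headers"

# Headers the proxy adds itself and that browser JavaScript must be able to read.
PROXY_EXPOSED_HEADERS = ("Auth-Token", "Auth-Token-Valid-Until", "Auth-Token-Location")

# Constructed downstream response, matching the "Current Behavior" in the issue.
DOWNSTREAM = {
    "Content-Type": "application/json",
    "access-control-expose-headers": "Location, ETag, X-Powered-By",
    "Auth-Token": "constructed-token-value",
}


def parse_header_list(value):
    """Split a comma-separated header value, dropping blanks and whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]


def passthrough_expose_headers(downstream_headers, extra=PROXY_EXPOSED_HEADERS):
    """Current behaviour described in the issue: if downstream already set the
    header it is left untouched, so the Auth-Token* names are never exposed."""
    for name, value in downstream_headers.items():
        if name.lower() == EXPOSE_HEADER.lower():
            return value
    return ", ".join(extra)


def merge_expose_headers(downstream_headers, extra=PROXY_EXPOSED_HEADERS):
    """Proposed behaviour: keep whatever downstream exposed and append the
    proxy's names, comparing case-insensitively and never dropping a value."""
    existing = []
    for name, value in downstream_headers.items():
        if name.lower() == EXPOSE_HEADER.lower():
            existing.extend(parse_header_list(value))
    seen = {h.lower() for h in existing}
    merged = list(existing)
    for h in extra:
        if h.lower() not in seen:
            merged.append(h)
            seen.add(h.lower())
    return ", ".join(merged)


def apply_to_response(downstream_headers, extra=PROXY_EXPOSED_HEADERS):
    """Return a copy of the response headers with a single, merged expose header."""
    headers = {k: v for k, v in downstream_headers.items() if k.lower() != EXPOSE_HEADER.lower()}
    headers[EXPOSE_HEADER] = merge_expose_headers(downstream_headers, extra)
    return headers


def browser_can_read(headers, header_name):
    """Would cross-origin JavaScript be allowed to read header_name? (The '*'
    wildcard is not honoured here; browsers treat it literally for credentialed requests.)"""
    for name, value in headers.items():
        if name.lower() == EXPOSE_HEADER.lower():
            return header_name.lower() in {h.lower() for h in parse_header_list(value)}
    return False
```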
