Security

Securing Endpoints

Exposed Management Web Endpoints

For versions 2.0.0 and later , there are many endpoints that are automatically enabled for this connector. For a comprehensive list, see Management and Monitoring Connector.

For versions earlier than 2.0.0, the connector only enables the health and  leaderelection management endpoints.

The health endpoint only returns the root status by default–basically there no health details provided.

To enable other management endpoints, see Spring Actuator Endpoints.

Authentication & Authorization

This release of he connector only supports basic HTTP authentication.

By default, no users are created unless the operator configures them in their configuration file. The configuration parameters responsible for security are as follows:

solace:
  connector:
    security:
      enabled: true
      users:
      - name: user1
        password: pass
      - name: admin1
        password: admin
        roles:
        - admin

In the above example, we have created two users:

  • user1: Has access to perform GET (Read) requests.

  • admin1: Has access to perform GET and POST (Read & Write) requests.

To fully disable security and permit anyone to access the connector’s web endpoints, operators can configure the solace.connector.security.enabled parameter to false.

While these properties can be defined in an application.yml file, we recommend that you use environment variables to set secret values.

The following example shows you how to define users using environment variables:

# Create user with no role (i.e. read-only)
SOLACE_CONNECTOR_SECURITY_USERS_0_NAME=user1
SOLACE_CONNECTOR_SECURITY_USERS_0_PASSWORD=pass
# Create user with admin role
SOLACE_CONNECTOR_SECURITY_USERS_1_NAME=admin1
SOLACE_CONNECTOR_SECURITY_USERS_1_PASSWORD=admin
SOLACE_CONNECTOR_SECURITY_USERS_1_ROLES_0=admin

In the above example, we have created 2 users:

  • user1 has access to perform GET (Read) requests.

  • admin1 has access to perform GET and POST (Read & Write) requests.

solace.connector.security.users is a list. When users are defined in multiple sources (different application.yml files, environment variables, and so on), overriding works by replacing the entire list. In other words, you must pick one place to define all your users, whether in a single application properties file or as environment variables. For more information, see Spring Boot - Merging Complex Types.

CSRF Protection

Connectors that are version 2.0.0 and later do not support CSRF. CSRF Protection is only supported for connector versions earlier than 2.0.0.

Spring Boot enables CSRF protection by default on all management endpoints (see Spring Cross Site Request Forgery Protection). Though this connector disables CSRF protection for all POST requests on actuator endpoints so that users with write permissions (those with the admin role) can perform POST requests.

To fully disable CSRF protection, set the following configuration option:

solace.connector.security.csrf-enabled=false

TLS

Transport Layer Security (TLS) is disabled by default.

To configure TLS, see Spring Boot - Configure SSL and TLS Setup in Spring.