Security
Securing Endpoints
Exposed Management Web Endpoints
For versions 2.0.0 and later, there are many endpoints that are automatically enabled for this connector. For a comprehensive list, see Management and Monitoring Connector.
For versions earlier than 2.0.0, the connector only enables the health and leaderelection management endpoints.
The health endpoint only returns the root status by default; that is, no health details are provided.
To enable other management endpoints, see Spring Actuator Endpoints.
Authentication & Authorization
This release of the connector only supports basic HTTP authentication.
By default, no users are created unless the operator configures them in their configuration file. The configuration parameters responsible for security are as follows:
solace:
  connector:
    security:
      enabled: true
      users:
        - name: user1
          password: pass
        - name: admin1
          password: admin
          roles:
            - admin
In the above example, we have created two users:
- user1: Has access to perform GET (Read) requests.
- admin1: Has access to perform GET and POST (Read & Write) requests.
To fully disable security and permit anyone to access the connector’s web endpoints, operators can set the solace.connector.security.enabled parameter to false.
While these properties can be defined in an application.yml file, we recommend that you use environment variables to set secret values.
The following example shows you how to define users using environment variables:
# Create user with no role (i.e., read-only)
SOLACE_CONNECTOR_SECURITY_USERS_0_NAME=user1
SOLACE_CONNECTOR_SECURITY_USERS_0_PASSWORD=pass
# Create user with admin role
SOLACE_CONNECTOR_SECURITY_USERS_1_NAME=admin1
SOLACE_CONNECTOR_SECURITY_USERS_1_PASSWORD=admin
SOLACE_CONNECTOR_SECURITY_USERS_1_ROLES_0=admin
In the above example, we have created two users:
- user1 has access to perform GET (Read) requests.
- admin1 has access to perform GET and POST (Read & Write) requests.
solace.connector.security.users is a list. When users are defined in multiple sources (different application.yml files, environment variables, and so on), overriding works by replacing the entire list. In other words, you must pick one place to define all your users, whether in a single application properties file or as environment variables. For more information, see Spring Boot - Merging Complex Types.
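The following Python script is an added example, not code from the connector or from Spring Boot. It models the two behaviours described above so they can be checked offline: how the indexed SOLACE_CONNECTOR_SECURITY_USERS_<i>_* environment variables bind into the users list (a simplified emulation of Spring Boot's relaxed binding; the real binder handles more forms), how the environment-variable list replaces the application.yml list as a whole rather than merging with it, and how the roles translate into permitted HTTP methods (users without a role may GET, users with the admin role may GET and POST). The sample users, the function names and the decision to deny methods other than GET and POST are this example's own assumptions.

```python
import hmac
import re
from typing import Dict, List

# Constructed sample: the users list as bound from the application.yml above.
YAML_USERS: List[dict] = [
    {"name": "user1", "password": "pass", "roles": []},
    {"name": "admin1", "password": "admin", "roles": ["admin"]},
]

# Constructed sample: the same two users expressed as environment variables.
ENV_VARS: Dict[str, str] = {
    "SOLACE_CONNECTOR_SECURITY_USERS_0_NAME": "user1",
    "SOLACE_CONNECTOR_SECURITY_USERS_0_PASSWORD": "pass",
    "SOLACE_CONNECTOR_SECURITY_USERS_1_NAME": "admin1",
    "SOLACE_CONNECTOR_SECURITY_USERS_1_PASSWORD": "admin",
    "SOLACE_CONNECTOR_SECURITY_USERS_1_ROLES_0": "admin",
}

_ENV_PREFIX = "SOLACE_CONNECTOR_SECURITY_USERS_"
_ENV_KEY = re.compile(r"^(\d+)_(NAME|PASSWORD|ROLES_(\d+))$")


def users_from_env(env: Dict[str, str]) -> List[dict]:
    """Bind SOLACE_CONNECTOR_SECURITY_USERS_<i>_{NAME,PASSWORD,ROLES_<j>} into a list.

    Assumption: a simplified model of Spring Boot relaxed binding for indexed
    list properties. Unknown suffixes and incomplete users are rejected loudly
    rather than silently producing a user with an empty password.
    """
    by_index: Dict[int, dict] = {}
    roles_by_index: Dict[int, Dict[int, str]] = {}
    for key, value in env.items():
        if not key.startswith(_ENV_PREFIX):
            continue
        m = _ENV_KEY.match(key[len(_ENV_PREFIX):])
        if m is None:
            raise ValueError(f"unrecognised user property: {key}")
        i = int(m.group(1))
        entry = by_index.setdefault(i, {"name": None, "password": None, "roles": []})
        if m.group(2) == "NAME":
            entry["name"] = value
        elif m.group(2) == "PASSWORD":
            entry["password"] = value
        else:
            roles_by_index.setdefault(i, {})[int(m.group(3))] = value
    users: List[dict] = []
    for i in sorted(by_index):
        entry = by_index[i]
        if entry["name"] is None or entry["password"] is None:
            raise ValueError(f"user index {i} needs both NAME and PASSWORD")
        entry["roles"] = [r for _, r in sorted(roles_by_index.get(i, {}).items())]
        users.append(entry)
    return users


def resolve_users(yaml_users: List[dict], env: Dict[str, str]) -> List[dict]:
    """Effective users list: if the environment defines any user, that list
    replaces the application.yml list wholesale (lists are not merged)."""
    env_users = users_from_env(env)
    return env_users if env_users else list(yaml_users)


def is_authorized(users: List[dict], security_enabled: bool,
                  username: str, password: str, method: str) -> bool:
    """Basic-auth decision: no role -> GET only; admin role -> GET and POST."""
    if not security_enabled:
        return True  # solace.connector.security.enabled=false: everything is open
    for u in users:
        # compare_digest keeps the comparison time independent of where the
        # supplied credential first differs from the stored one.
        name_ok = hmac.compare_digest(u["name"].encode(), username.encode())
        pass_ok = hmac.compare_digest(u["password"].encode(), password.encode())
        if name_ok and pass_ok:
            if method == "GET":
                return True
            if method == "POST":
                return "admin" in u["roles"]
            return False  # assumption: other methods are not granted by either role
    return False


if __name__ == "__main__":
    effective = resolve_users(YAML_USERS, ENV_VARS)
    for user in effective:
        print(user["name"], "roles=", user["roles"])
    print("user1 POST ->", is_authorized(effective, True, "user1", "pass", "POST"))
    print("admin1 POST ->", is_authorized(effective, True, "admin1", "admin", "POST"))
```

The replacement rule is the point most worth checking: an environment that defines only one user does not add that user to the two from application.yml, it leaves the connector with that one user alone, so a deployment that sets a single admin variable "on top of" a file-based user list silently loses the file-based users.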
CSRF Protection
Connectors that are version 2.0.0 and later do not support CSRF. CSRF Protection is only supported for connector versions earlier than 2.0.0.
Spring Boot enables CSRF protection by default on all management endpoints (see Spring Cross Site Request Forgery Protection). However, this connector disables CSRF protection for all POST requests on actuator endpoints so that users with write permissions (those with the admin role) can perform POST requests.
To fully disable CSRF protection, set the following configuration option:
solace.connector.security.csrf-enabled=false
TLS
Transport Layer Security (TLS) is disabled by default.
To configure TLS, see Spring Boot - Configure SSL and TLS Setup in Spring.