Security Modules - Gepardec/Hogarama GitHub Wiki
Optional security modules make life easier for developers by allowing security features to be disabled.
security-jwt
MicroProfile JWT security is activated by default. It allows us to use Keycloak or other identity providers for authentication or authorization. In this case, we acquire all necessary data from bearer tokens sent in the Authorization header.
Compile
mvn clean package -Psecurity-jwt
Testing
To test this locally, you can install a Keycloak instance in a container and configure it.
TODO: Documentation of local testing
security-dummy
Configuring an identity provider for the local environment is overhead if a developer works on features that don't involve security directly. For such scenarios, Hogarama can be built and started with the dummy security module.
Compile
mvn clean package -Psecurity-dummy
Test
After deployment, all REST services accept the dummy security header in the form "Authorization: Dummy <BASE64 encoded dummy user json object>". The user object has the following format:
{
"name": "...",
"email": "...",
"givenName": "...",
"familyName": "..."
}
This dummy security header also allows you to simulate different users, because the backend uses the email as a unique user identifier.
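As an added example (not part of the Hogarama repository or its testRest.sh), the shell functions below build the dummy header for two users and decode it again for inspection. They assume standard single-line Base64 over the JSON object; the function names, the sample users and the endpoint placeholder are hypothetical.

```shell
# Added example, not project code. Function names are hypothetical.

# Escape backslashes and double quotes so a value is a valid JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# dummy_user_json NAME EMAIL GIVEN_NAME FAMILY_NAME
# Prints the user object in the format documented above.
dummy_user_json() {
  printf '{"name":"%s","email":"%s","givenName":"%s","familyName":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" \
    "$(json_escape "$3")" "$(json_escape "$4")"
}

# dummy_auth_header NAME EMAIL GIVEN_NAME FAMILY_NAME
# Assumption: standard Base64 on one line (wrapping newlines removed).
dummy_auth_header() {
  printf 'Authorization: Dummy %s' \
    "$(dummy_user_json "$@" | base64 | tr -d '\n')"
}

# decode_dummy_header HEADER
# Prints the JSON payload of a header, to check what the backend receives.
decode_dummy_header() {
  printf '%s' "${1#Authorization: Dummy }" | base64 -d
}

# Constructed sample users; the email is what distinguishes them.
ALICE=$(dummy_auth_header "Alice Example" "alice@example.com" "Alice" "Example")
BOB=$(dummy_auth_header "Bob Example" "bob@example.com" "Bob" "Example")

# Usage against a local security-dummy build (endpoint path is a placeholder):
#   curl -i -H "$ALICE" "http://localhost:8080/<rest-endpoint>"
#   curl -i -H "$BOB"   "http://localhost:8080/<rest-endpoint>"
```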
To quickly test whether the dummy security is configured correctly, you can run the script hogajama-rs/src/test/resources/testRest.sh. The script makes several calls with a dummy security header. If you do not see any 401 or 403 response codes in the script output (expected are 200, or 500 with an exception message), then everything is configured correctly.
You can also configure a dummy security user in the Angular frontend (http://localhost:8080/unitmanagement) under the "Login" section.