ESB Authorization - Securing web services - Syncope or alternative

Five Stars

Hello. I'd like to make more use of web services and require implementing some kind of user/group authorization.

Would anybody be able to shed any light on the options below:

Syncope seems to be the obvious choice with the use of Talend IAM. I've tried very hard to implement this but always find that any user in Syncope can access any web service, despite creating resources and applying a role under the Authorization tab in TAC. Has anyone successfully used this method and restricted the web service to 1 group?

Having read this page it seems to imply that this is expected behaviour: https://community.talend.com/t5/Architecture-Best-Practices-and/How-to-setup-Talend-IAM-for-authenti...

"Deploy the ESB Service in the ESB Runtime and call it, for sample opening its URL in a browser. The browser asks you to log in. You can use any user you created in the Syncope Console to login. The user does not need to be associated with a specific Syncope group"

LDAP - I expect I cannot use the Authorization tab with the LDAP-module applied in Karaf. Would I be right in thinking any user in the Active Directory would be able to access any web service?

 

 

Multiple Karaf ports - I thought about setting up each web service on a different port in Karaf. I could then set my iptables list to allow particular IP addresses to access particular ports. This would work in theory but I'm not sure about how to create multiple ports in Karaf. Can anyone explain how this is done?

Any other suggestions are very much welcome.

Thank you very much.

Employee

Re: ESB Authorization - Securing web services - Syncope or alternative

Hi,

Yes, we have tested the IAM + Authorization functionality (one user assigned to one group).

Please also refer to: https://help.talend.com/reader/WEEgRoxIy_iUMxRK3bopPQ/Tzq2pgB~kuvvW7~vzNnf0Q

If you still can't make it work, we may then have to see the details.

 

Multiple Karaf ports -

The 8040 HTTP port is exposed by default by the Runtime container. Normally you set a relative URL for a SOAP/REST service from Studio before you build/deploy it into the Runtime, then every service is exposed from "http://host:8040/services/...".
If you want each service exposed from a dedicated HTTP port, you may build it as a Microservice from Studio, then every service runs as a Microservice with port 8065, 8066 ..., which you are able to configure.

HTH

Xilai
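A sketch of the per-port allow-list idea from the first post, applied to the Microservice ports mentioned in the reply above. This is an added example, not code from the thread or from Talend documentation; the mapping format, the `emit_rules` helper and the source addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed mapping: "port allowed-source[,allowed-source...]" per line.
# 8065/8066 are the Microservice ports named in the reply; the source
# addresses are documentation ranges (RFC 5737), not real clients.
SAMPLE_MAP='8065 192.0.2.10,192.0.2.11
8066 198.51.100.0/24'

# emit_rules MAP: print iptables commands (it never runs iptables itself).
# Returns non-zero on the first invalid line; check the status before
# applying the output.
emit_rules() {
    printf '%s\n' "$1" | while read -r port sources; do
        [ -z "$port" ] && continue
        case "$port" in
            *[!0-9]*) echo "invalid port: $port" >&2; exit 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; exit 1
        fi
        # 8040 is the shared Runtime port: every service deployed there sits
        # behind it, so a per-port rule cannot separate one service from another.
        if [ "$port" -eq 8040 ]; then
            echo "8040 is shared by all Runtime services" >&2; exit 1
        fi
        # Accept only IPv4/CIDR characters; this also blocks shell globbing.
        case "$sources" in
            ''|*[!0-9./,]*) echo "invalid sources for $port" >&2; exit 1 ;;
        esac
        old_ifs=$IFS; IFS=,
        for src in $sources; do
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
        done
        IFS=$old_ifs
        # Anything not explicitly allowed above is dropped for this port.
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

emit_rules "$SAMPLE_MAP"
```

These rules only restrict access if the same services are not also reachable through the shared 8040 port.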

Five Stars

Re: ESB Authorization - Securing web services - Syncope or alternative

Hello. I've still not successfully got this working yet and could do with the functionality. I have a few questions if anyone can help:

1) Is adding the SyncopeLoginModule.xml required to get this to work? I've found conflicting documentation - some of which doesn't mention it (https://help.talend.com/reader/wGE6ESIRNV4dv8rE8Gsh4w/R90twXM2pu7GmF1Uvbj1LQ); however, only users in users.properties are recognised, despite running tesb:switch-sts-tidm

2) Does Authorization only work with SOAP services - with a WSDL file? I've been trying this with a standard job with TRestRequest components until now and had no luck.
