Skip to main content
Announcements
NEW: Seamless Public Data Sharing with Qlik's New Anonymous Access Capability: TELL ME MORE!
cancel
Showing results for 
Search instead for 
Did you mean: 
Anonymous
Not applicable

ESB Authorization - Securing web services - Syncope or alternative

Hello. I'd like to make more use of web services and require implementing some kind of user/group authorization.

Would anybody be able to shed any light on the options below:

 

Syncope seems to the obvious choice with the use of Talend IAM.  I've tried very hard to implement this but always find that any user in Syncope can access any web service, despite creating resources and applying a role under the Authorization tab in TAC.  Has anyone successfully used this method and restricted the web service to 1 group?

Having read this page it seems to imply that this is expected behaviour:  https://community.talend.com/t5/Architecture-Best-Practices-and/How-to-setup-Talend-IAM-for-authenti...

"Deploy the ESB Service in the ESB Runtime and call if, for sample opening its URL in a browser. The browser asks you to log in. You can use any user you created in the Syncope Console to login. The user does not need to be associated with a specific Syncope group"

 

 

LDAP -  I expect I cannot use the Authorization tab with the LDAD-module applied in Karaf.  Would I be right thinking any user in the Active directory would be able to access any web service?

 

 

Multiple Karaf ports - I thought about setting up each Web service on a different port in Karaf.  I could then set my Iptables list to allow particular IP Addresses to access particular ports.  This would work in theory but I'm not sure about how to create multiple ports in Karaf.  Can anyone explain how this is done?

 

 

Any other suggestions are very much welcome.

 

Thank you very much.

 

 

Labels (3)
2 Replies
Anonymous
Not applicable
Author

Hi,

 

Yes, we have tested the IAM + Authorization functionality (one user assigned to one group).

Please also reference here: https://help.talend.com/reader/WEEgRoxIy_iUMxRK3bopPQ/Tzq2pgB~kuvvW7~vzNnf0Q

If you still couldn't make it works, maybe then have to see the details.

 

Multiple Karaf ports -

The 8040 Http port is exposed by default by Runtime container. Normally you set relative URL for Soap/Rest service from Studio before you build/deploy it into Runtime, then every service is exposed from "http://host:8040/services/...".
If you want each service exposed from a dedicated http port, you may build it as Microservice from Studio, then every Service is running as a Microservice with port 8065, 8066 ... you could able to configure it.

 

HTH

Xilai

Anonymous
Not applicable
Author

Hello. I've still never successfully got this working yet and could do with the functionality.  I have a few questions if anyone can help:

 

1) Is adding the SyncopeLoginModule.xml required to get this to work?  I've found conflicting documentation - some of which doesn't mention it (https://help.talend.com/reader/wGE6ESIRNV4dv8rE8Gsh4w/R90twXM2pu7GmF1Uvbj1LQ)  however only users in users.properties are recognised, despite running  tesb:switch-sts-tidm

 

2) Does Authorization only work with SOAP services - with a WSDL file?  I've been trying this with a standard job with TRestRequest components until now and had no luck.