add token


narayana-users

Sep 19, 2023, 5:09:13 AM9/19/23
to narayana-users
Hi,
 
I wanted to send the compensation and complete requests with an auth HTTP header so I can secure the jax-rs compensate and complete endpoints so only the coordinator is able to call them. 
One way that I can think of is adding an interceptor to all the points where the client is created in the LRAParticipantRecord class like this:

Response response = client.target(endPath)
        .register(HeaderInterceptor.class)
        .request()
        .header(LRA_HTTP_CONTEXT_HEADER, lraId.toASCIIString())
        .header(LRA_HTTP_PARENT_CONTEXT_HEADER, parentId) // make the context available to participants
        .header(LRA_HTTP_RECOVERY_HEADER, recoveryURI.toASCIIString())
        .header(NARAYANA_LRA_PARTICIPANT_DATA_HEADER_NAME, compensatorData)
        .async()
        .put(Entity.text(""))
        .get(PARTICIPANT_TIMEOUT, TimeUnit.SECONDS);


and in the interceptor send a request to get the token and add it to the header like this:

context.getHeaders().add("Authorization", "Bearer " + getAccessToken());

Would this interfere with how the coordinator works? Does it cause issues? Are there better alternatives to achieve this?

Best
Mil
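The interceptor the post above sketches, written out as an added example (this is not Narayana's code and not the poster's): a JAX-RS ClientRequestFilter that obtains a token with the OAuth2 client-credentials grant, caches it until shortly before expiry, and attaches it as a bearer header only to requests that carry the LRA context header, i.e. the coordinator's participant callbacks. The token endpoint, the client id/secret and the system property names are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;

import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.ws.rs.client.ClientRequestContext;
import jakarta.ws.rs.client.ClientRequestFilter;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.ext.Provider;

import org.eclipse.microprofile.lra.annotation.ws.rs.LRA;

/**
 * Client-side filter that attaches a bearer token to the coordinator's
 * compensate/complete callbacks. Registered on the JAX-RS client with
 * .register(HeaderInterceptor.class), as in the snippet in the post above.
 */
@Provider
public class HeaderInterceptor implements ClientRequestFilter {

    // ASSUMED configuration: token endpoint and client credentials of the coordinator.
    // The property names are hypothetical; use whatever your deployment provides.
    private static final URI TOKEN_ENDPOINT =
            URI.create(System.getProperty("lra.auth.token-url", "https://auth.example.invalid/oauth/token"));
    private static final String CLIENT_ID = System.getProperty("lra.auth.client-id", "lra-coordinator");
    private static final String CLIENT_SECRET = System.getProperty("lra.auth.client-secret", "");

    // Refresh a little before the token expires so an in-flight callback never carries a stale one.
    private static final Duration REFRESH_SKEW = Duration.ofSeconds(30);

    private static final HttpClient HTTP = HttpClient.newHttpClient();
    private static String cachedToken;
    private static Instant cachedExpiry = Instant.EPOCH;

    @Override
    public void filter(ClientRequestContext context) throws IOException {
        // Only decorate participant callbacks: they always carry the LRA context header.
        // Any other request made through the same client is left untouched.
        if (!context.getHeaders().containsKey(LRA.LRA_HTTP_CONTEXT_HEADER)) {
            return;
        }
        // putSingle rather than add: a retried request must not accumulate duplicate Authorization headers.
        context.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, "Bearer " + getAccessToken());
    }

    /** Returns the cached token, fetching a fresh one via the client-credentials grant when needed. */
    static synchronized String getAccessToken() throws IOException {
        if (cachedToken != null && Instant.now().isBefore(cachedExpiry.minus(REFRESH_SKEW))) {
            return cachedToken;
        }
        String form = "grant_type=client_credentials"
                + "&client_id=" + URLEncoder.encode(CLIENT_ID, StandardCharsets.UTF_8)
                + "&client_secret=" + URLEncoder.encode(CLIENT_SECRET, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(TOKEN_ENDPOINT)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        try {
            HttpResponse<String> response = HTTP.send(request, HttpResponse.BodyHandlers.ofString());
            if (response.statusCode() != 200) {
                // Fail closed: an unauthenticated callback would be rejected by the participant anyway,
                // and throwing here lets the coordinator's normal retry handling take over.
                throw new IOException("token endpoint returned HTTP " + response.statusCode());
            }
            JsonObject body = Json.createReader(new StringReader(response.body())).readObject();
            cachedToken = body.getString("access_token");
            cachedExpiry = Instant.now().plusSeconds(body.getJsonNumber("expires_in").longValue());
            return cachedToken;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while fetching access token", e);
        }
    }
}
```

Two points worth checking in a real deployment: the filter has to be registered on every client instance the coordinator uses for callbacks (the post notes there are several creation points in LRAParticipantRecord), and an exception thrown from the filter surfaces to the caller as a failed callback, which is the fail-closed behaviour you want when the token service is unavailable.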

narayana-users

Sep 19, 2023, 5:51:17 AM9/19/23
to narayana-users
Can't you just use SSL?

narayana-users

Sep 19, 2023, 5:56:26 AM9/19/23
to narayana-users
And another option we'd recommend is JWT (JSON Web Tokens). We do provide an example of how to secure the coordinator so you could use a similar technique to secure your own service.

Mil Qasemi

Sep 19, 2023, 7:47:01 AM9/19/23
to narayana-users
Thanks for the answer,

As I see these are Coordinator endpoints. But what I wanted to secure (using JWT) is the JaxRs compensate and complete endpoints which are called by the Coordinator. So that only the coordinator is able to call those endpoints.

Michael Musgrove

Sep 19, 2023, 9:27:42 AM9/19/23
to Mil Qasemi, narayana-users
On Tue, Sep 19, 2023 at 12:47 PM Mil Qasemi <cpt.m....@gmail.com> wrote:
Thanks for the answer,

As I see these are Coordinator endpoints. But what I wanted to secure (using JWT) is the JaxRs compensate and complete endpoints which are called by the Coordinator. So that only the coordinator is able to call those endpoints.

I know, I said "We do provide an example of how to secure the coordinator so you could use a similar technique to secure your own service." so the second half of the sentence was the key bit, the first half was providing context.


--
Michael Musgrove

JBoss, by Red Hat

Mil Qasemi

Sep 19, 2023, 9:45:17 AM9/19/23
to narayana-users
The problem is not securing the endpoint, it is already using RBAC. The problem is making the coordinator send the JWT token with its complete or compensate request so that it can be verified at the service.  Right now I use the interceptor and add it as a header and send it with my request. 

Michael Musgrove

Sep 19, 2023, 11:39:28 AM9/19/23
to Mil Qasemi, narayana-users
What about my first suggestion, namely "Can't you just use SSL"?

narayana-users

Sep 19, 2023, 12:00:24 PM9/19/23
to narayana-users
Ah sorry that was my answer to your previous question, you'll need to raise an RFE for it (https://github.com/jbosstm/narayana/blob/main/CONTRIBUTING.md#reporting-an-issue).

Michael Musgrove

Sep 21, 2023, 6:31:16 AM9/21/23
to narayana-users
How are you deploying the coordinator, what platform are you using, Quarkus/WildFly/....?

Michael Musgrove

Sep 21, 2023, 10:00:50 AM9/21/23
to narayana-users
I've created an issue for this forum question: 

Michael Musgrove

Nov 14, 2023, 7:01:30 AM11/14/23
to narayana-users
Marking as complete.
You may track our progress via the issue which I have marked with priority "Major" - I didn't feel that it warranted a "Critical" priority.
