Security

HTTPS
To switch IAD Server to use HTTPS, set the `SERVER_SSL_ENABLED` environment variable to `true`. This changes the default port from `8080` to `8443`:

```shell
docker run \
  --env SERVER_SSL_ENABLED=true \
  -p 8443:8443 \
  ...
```
By default the Server uses a self-signed certificate. You can change it by mapping the required certificate into the container as a volume and providing its in-container path via the `SERVER_SSL_KEY_STORE` environment variable:

```shell
docker run \
  --env SERVER_SSL_ENABLED=true \
  --env SERVER_SSL_KEY_STORE=/tls/bundle.pem \
  --volume /etc/idlivedoc/bundle.pem:/tls/bundle.pem \
  ...
```
The PEM file should contain both the certificate and the private key. If you have them in separate files, put their in-container paths in a config file (`source.key` points at the private key, `source.cert` at the certificate):

```properties
source.key=/tls/privkey.pem
source.cert=/tls/fullchain.key
```

Then use the config file by setting the `SERVER_SSL_KEY_STORE_TYPE` environment variable to `PEMCFG.MOD` and pointing the `SERVER_SSL_KEY_STORE` variable at the config file:

```shell
docker run \
  --env SERVER_SSL_ENABLED=true \
  --env SERVER_SSL_KEY_STORE=/tls/config.properties \
  --env SERVER_SSL_KEY_STORE_TYPE=PEMCFG.MOD \
  --volume /etc/idlivedoc/tls:/tls \
  ...
```
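A pre-flight helper for the separate-files setup, added here as an example and not part of the IAD Server documentation or image: it checks that the key and certificate files exist, verifies (when `openssl` is installed) that the certificate's public key actually belongs to the private key, writes the `PEMCFG.MOD` config with the in-container `/tls` paths, and prints the matching `docker run` command. The host directory, file names and the `<image>` placeholder are assumptions; the image name is not given on this page.

```shell
#!/bin/sh
# Added example (not from the IAD Server docs): prepare a PEMCFG.MOD config
# for separate certificate and key files and sanity-check them before the
# directory is mounted into the container. The property keys source.key and
# source.cert are the ones shown on the page; paths and file names here are
# constructed, and "<image>" is a placeholder for the real image name.

# write_pemcfg DIR KEYFILE CERTFILE
# Writes DIR/config.properties pointing at the in-container paths under /tls
# (where docker_cmd mounts DIR) and prints the path of the written file.
# Fails if a file is missing or the certificate does not match the key.
write_pemcfg() {
  dir=$1; key=$2; cert=$3
  [ -f "$dir/$key" ] || { echo "missing key file: $dir/$key" >&2; return 1; }
  [ -f "$dir/$cert" ] || { echo "missing cert file: $dir/$cert" >&2; return 1; }
  # Consistency check (only when openssl is available): the SubjectPublicKeyInfo
  # derived from the private key must equal the one embedded in the certificate.
  if command -v openssl >/dev/null 2>&1; then
    k=$(openssl pkey -in "$dir/$key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
      echo "certificate $cert does not match private key $key" >&2
      return 1
    fi
  fi
  printf 'source.key=/tls/%s\nsource.cert=/tls/%s\n' "$key" "$cert" \
    > "$dir/config.properties"
  echo "$dir/config.properties"
}

# docker_cmd DIR: prints the docker run command that mounts DIR as /tls and
# enables HTTPS with the PEMCFG.MOD key store written by write_pemcfg.
docker_cmd() {
  printf 'docker run \\\n  --env SERVER_SSL_ENABLED=true \\\n'
  printf '  --env SERVER_SSL_KEY_STORE=/tls/config.properties \\\n'
  printf '  --env SERVER_SSL_KEY_STORE_TYPE=PEMCFG.MOD \\\n'
  printf '  --volume %s:/tls \\\n  -p 8443:8443 \\\n  <image>\n' "$1"
}

# Usage (constructed paths):
#   write_pemcfg /etc/idlivedoc/tls privkey.pem fullchain.pem && docker_cmd /etc/idlivedoc/tls
```

The mismatch check is worth keeping: a swapped or stale file pair is accepted by the container at start-up only to fail the TLS handshake later, and comparing the public keys on the host surfaces that before the server is deployed.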
JWT

IAD Server supports JWT-based authentication. To enable it, set the `IAD_SERVER_AUTHENTICATION` environment variable to `jwt` and specify the configuration endpoint of the authorization server:

```shell
docker run \
  --env IAD_SERVER_AUTHENTICATION=jwt \
  --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://example.com/realms/test \
  ...
```
If your authorization server doesn't support configuration endpoints, the JWK Set endpoint can be specified instead:

```shell
docker run \
  --env IAD_SERVER_AUTHENTICATION=jwt \
  --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://example.com/realms/test/protocol/openid-connect/certs \
  ...
```
Additionally, you can specify the audiences (the `aud` claim) that the JWT must contain:

```shell
docker run \
  --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES=idlivedoc \
  ...
```

Note that the `/api_version` endpoint never requires authentication.
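When a request is rejected, the usual causes are an `iss` that differs from the configured issuer URI, an `aud` that lacks the configured audience, or an expired token. The helper below is an added example, not part of the IAD Server documentation: it decodes the payload of a compact JWT on the host and reports those three claims so they can be compared with the `ISSUER_URI` and `AUDIENCES` settings. It deliberately does not verify the signature; that is the server's job against the issuer's JWK set. It assumes GNU coreutils (`base64 -d`) and `grep -o`, and the claim names `iss`, `aud` and `exp` are the standard JWT claim names, not values from this page.

```shell
#!/bin/sh
# Added example (not from the IAD Server docs): decode a JWT payload and
# inspect the claims the resource server checks. No signature verification.
# Assumes GNU base64 (-d) and grep -oE.

# b64url_decode STRING: base64url (RFC 7515 style, no padding) -> raw bytes.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload TOKEN: prints the decoded JSON payload (second segment).
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim TOKEN NAME: prints the raw JSON value of a top-level claim
# (array, string, or integer); prints nothing if the claim is absent.
jwt_claim() {
  jwt_payload "$1" \
    | grep -oE "\"$2\":[ ]*(\[[^]]*\]|\"[^\"]*\"|[0-9]+)" \
    | head -n 1 \
    | sed "s/^\"$2\":[ ]*//"
}

# jwt_issuer TOKEN: prints iss without quotes, for comparison with
# SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI.
jwt_issuer() {
  jwt_claim "$1" iss | tr -d '"'
}

# jwt_has_audience TOKEN AUD: succeeds when AUD is the aud claim or one entry
# of an aud array, which is what the AUDIENCES setting requires.
jwt_has_audience() {
  jwt_claim "$1" aud | grep -q "\"$2\""
}

# jwt_expired TOKEN: succeeds when exp is missing or in the past.
jwt_expired() {
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ] && return 1
  return 0
}

# Usage: jwt_issuer "$TOKEN"; jwt_has_audience "$TOKEN" idlivedoc && echo "aud ok"
```

The `aud` claim may be either a single string or an array, which is why `jwt_has_audience` matches the quoted value inside whatever JSON value is present instead of comparing the whole claim.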