Posted to commits@camel.apache.org by GitBox <gi...@apache.org> on 2022/05/26 17:03:28 UTC

[GitHub] [camel-quarkus-examples] llowinge commented on a diff in pull request #91: [closes #3805] Add platform HTTP security example

llowinge commented on code in PR #91:
URL: https://github.com/apache/camel-quarkus-examples/pull/91#discussion_r882888167


##########
platform-http-security/README.adoc:
##########
@@ -0,0 +1,272 @@
+= Platform HTTP security with Keycloak: A Camel Quarkus example
+:cq-example-description: An example that shows how to secure platform HTTP with Kyecloak

Review Comment:
   Thanks, resolved.



##########
platform-http-security/pom.xml:
##########
@@ -0,0 +1,329 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>camel-quarkus-examples-platform-http-security</artifactId>
+    <groupId>org.apache.camel.quarkus.examples</groupId>
+    <version>2.10.0-SNAPSHOT</version>
+
+    <name>Camel Quarkus :: Examples :: Platform HTTP Security</name>
+    <description>Camel Quarkus Example :: Platform HTTP Security</description>
+
+    <properties>
+        <quarkus.platform.version>2.9.0.Final</quarkus.platform.version>
+        <camel-quarkus.platform.version>2.10.0-SNAPSHOT</camel-quarkus.platform.version>
+
+        <quarkus.platform.group-id>io.quarkus</quarkus.platform.group-id>
+        <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
+        <camel-quarkus.platform.group-id>org.apache.camel.quarkus</camel-quarkus.platform.group-id>
+        <camel-quarkus.platform.artifact-id>camel-quarkus-bom</camel-quarkus.platform.artifact-id>
+
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <maven.compiler.target>11</maven.compiler.target>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.testTarget>${maven.compiler.target}</maven.compiler.testTarget>
+        <maven.compiler.testSource>${maven.compiler.source}</maven.compiler.testSource>
+
+        <formatter-maven-plugin.version>2.17.1</formatter-maven-plugin.version>
+        <impsort-maven-plugin.version>1.3.2</impsort-maven-plugin.version>
+        <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
+        <maven-jar-plugin.version>3.2.0</maven-jar-plugin.version>
+        <maven-resources-plugin.version>3.1.0</maven-resources-plugin.version>
+        <maven-surefire-plugin.version>2.22.2</maven-surefire-plugin.version>
+        <mycila-license.version>3.0</mycila-license.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- Import BOM -->
+            <dependency>
+                <groupId>${quarkus.platform.group-id}</groupId>
+                <artifactId>${quarkus.platform.artifact-id}</artifactId>
+                <version>${quarkus.platform.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>${camel-quarkus.platform.group-id}</groupId>
+                <artifactId>${camel-quarkus.platform.artifact-id}</artifactId>
+                <version>${camel-quarkus.platform.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.camel.quarkus</groupId>
+            <artifactId>camel-quarkus-microprofile-health</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.camel.quarkus</groupId>
+            <artifactId>camel-quarkus-platform-http</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.camel.quarkus</groupId>
+            <artifactId>camel-quarkus-log</artifactId>
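Review bot: The project coordinates near the top of the new pom.xml list `artifactId` before `groupId`, which reads against Maven's conventional groupId, artifactId, version order and makes the module harder to scan against sibling POMs. Swapping the two lines is enough: `<groupId>org.apache.camel.quarkus.examples</groupId>` followed by `<artifactId>camel-quarkus-examples-platform-http-security</artifactId>`, then the existing `<version>`. The quoted hunk is cut off inside the `<dependencies>` element, so the OIDC/security dependencies this example presumably relies on are not visible here and were not reviewed.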

Review Comment:
   Thanks, resolved.



##########
platform-http-security/README.adoc:
##########
@@ -0,0 +1,273 @@
+= Platform HTTP security with Keycloak: A Camel Quarkus example
+:cq-example-description: An example that shows how to secure platform HTTP with Kyecloak
+
+{cq-description}
+
+TIP: Check the https://camel.apache.org/camel-quarkus/latest/first-steps.html[Camel Quarkus User guide] for prerequisites
+and other general information.
+
+
+== Prerequisites
+
+The example application requires a Keycloak instance.
+
+You do not need to provide the Keycloak instance yourself
+as long as you play with the example code in dev mode (a.k.a. `mvn quarkus:dev` - read more https://quarkus.io/guides/getting-started#development-mode[here]
+or as long as you only run the supplied tests (`mvn test`).
+In those situations, Quarkus tooling starts a Keycloak image for you via https://quarkus.io/guides/security-openid-connect-dev-services[Quarkus Dev Services]
+and it also configures the application so that you do not need touch anything in `application.properties`.
+
+[[users-configuration]]
+=== Users configuration
+In all scenarios which we will cover, we will need two users `boss` (with role `admin-role` and password `boss-pass`) and `employee` (with role `regular-role` and password `employee-pass`). Employee user can be authenticated and access secured HTTP endpoints and boss user can in addition access also restricted HTTP resources.
+
+== Start in Development mode
+=== Run the app with Keycloak instance
+Run the application in development mode with Keycloak client credentials secret of your choice (see environment variable `QUARKUS_OIDC_CREDENTIALS_SECRET`) which will be used later on.
+
+TIP: If you want to use another running instance, in dev mode. Change `%prod` profile to `%dev` property `quarkus.oidc.auth-server-url` in `src/main/resources/application.properties`.
+
+[source,shell]
+----
+$ export QUARKUS_OIDC_CREDENTIALS_SECRET=abcdefghijklmnopqrstuvwxyz # You can change it as you wish
+$ mvn clean compile quarkus:dev
+----
+
+The above command compiles the project, starts the application, starts Keycloak instance via Dev Services and lets the Quarkus tooling watch for changes in your
+workspace. Any modifications in your project will automatically take effect in the running application.
+
+TIP: Please refer to the Development mode section of
+https://camel.apache.org/camel-quarkus/latest/first-steps.html#_development_mode[Camel Quarkus User guide] for more details.
+
+Now you can move on to <<playground>> section with assumption that `KEYCLOAK_URL=http://localhost:8082` and `APP_URL=http://localhost:8080`.
+
+[[playground]]
+=== Playground
+First thing you need to do is to obtain Bearer token from the running Keycloak instance for each created user. Save those tokens for further authentication.
+
+For employee user (extract value from response of key `access_token` and call it `EMPLOYEE_TOKEN`):
+[source,shell]
+----
+$ curl -d "client_id=quarkus-client" -d "client_secret=$QUARKUS_OIDC_CREDENTIALS_SECRET" -d "username=employee" -d "password=employee-pass" -d "grant_type=password" $KEYCLOAK_URL/realms/quarkus/protocol/openid-connect/token
+----
+For boss user (extract value from response of key `access_token` and call it `BOSS_TOKEN`):
+[source,shell]
+----
+$ curl -d "client_id=quarkus-client" -d "client_secret=$QUARKUS_OIDC_CREDENTIALS_SECRET" -d "username=boss" -d "password=boss-pass" -d "grant_type=password" $KEYCLOAK_URL/realms/quarkus/protocol/openid-connect/token
+----
+
+Now we can finally try to play with the application which have those endpoints configured:
+
+- not-secured - anyone can access this endpoint
+- secured/authenticated - authenticated users with Bearer token can access this endpoint
+- secured/authorized - only users with role `admin-role` can access this endpoint
+
+Try to access endpoints with various users:
+
+- Employee accessing authenticated endpoint (you should receive `200 OK` + `You are authenticated user so you can perform this action.` message):
+[source,shell]
+----
+$ curl -i -X GET -H "Authorization: Bearer $EMPLOYEE_TOKEN" $APP_URL/secured/authenticated
+----
+- Employee accessing authorized endpoint (you should receive `403 Forbidden`):
+[source,shell]
+----
+$ curl -i -X GET -H "Authorization: Bearer $EMPLOYEE_TOKEN" $APP_URL/secured/authorized
+----
+- Boss accessing authenticated endpoint (you should receive `200 OK` + `You are authenticated user so you can perform this action.` message):
+[source,shell]
+----
+$ curl -i -X GET -H "Authorization: Bearer $BOSS_TOKEN" $APP_URL/secured/authenticated
+----
+- Boss accessing authorized endpoint (you should receive `200 OK` + `You are authorized to perform sensitive operation.`):
+[source,shell]
+----
+$ curl -i -X GET -H "Authorization: Bearer $BOSS_TOKEN" $APP_URL/secured/authorized
+----
+
+[[external-keycloak-instance-configuration]]
+== Prerequisites for externally running Keycloak instance
+For next steps we need to have externally running Keycloak instance. It can be done easily via Keycloak docker image:
+
+=== Run the Keycloak
+[source,shell]
+----
+$ docker run --name keycloak_test -p 8082:8080 \
+        -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
+        quay.io/keycloak/keycloak:latest \
+        start-dev
+----
+=== Import preconfigured realm
+Then go to `http://localhost:8082/` click on `Administrator console` and login with `admin:admin`. Then we are going to import already pre-configured realm (`realm-export.json`) stored within `config` folder placed at root of this example.
+Navigate to left upper panel and click on `Add realm` select file `config/realm-export.json` and `create` it.
+
+=== Setup users
+You should create new users with credentials and roles based on <<users-configuration>>.
+
+TIP: Don't use `temporary` passwords.
+
+=== Get client credentials secret
+Go to `Configure` left panel and select `quarkus-client` under `Clients`. Go to `Credentials` and `Regenerate Secret`. Save it as `QUARKUS_OIDC_CREDENTIALS_SECRET`.
+
+== JVM mode
+
+[source,shell]
+----
+$ export QUARKUS_OIDC_CREDENTIALS_SECRET=<insert-your-secret>
+$ mvn clean package -DskipTests
+$ java -jar target/quarkus-app/quarkus-run.jar
+----
+
+Now you can go to <<playground>> section (with assumption that `KEYCLOAK_URL=http://localhost:8082` and `APP_URL=http://localhost:8080`) and try it yourselves.
+
+== Native mode
+
+IMPORTANT: Native mode requires having GraalVM and other tools installed. Please check the Prerequisites section
+of https://camel.apache.org/camel-quarkus/latest/first-steps.html#_prerequisites[Camel Quarkus User guide].
+
+To prepare a native executable using GraalVM, run the following command:
+
+[source,shell]
+----
+$ export QUARKUS_OIDC_CREDENTIALS_SECRET=<insert-your-secret>
+$ mvn clean package -DskipTests -Pnative
+$ ./target/*-runner
+----
+
+Now you can go to <<playground>> section (with assumption that `KEYCLOAK_URL=http://localhost:8082` and `APP_URL=http://localhost:8080`) and try it yourselves.
+
+== Deploying to Kubernetes
+
+You can build a container image for the application like this. Refer to the https://quarkus.io/guides/deploying-to-kubernetes[Quarkus Kubernetes guide] for options around customizing image names, registries etc.
+
+This example uses Jib to create the container image for Kubernetes deployment.
+
+=== Deploy Keycloak to Kubernetes
+Follow https://www.keycloak.org/getting-started/getting-started-kube to install on Kubernetes cluster.
+
+=== Configure Keycloak on Kubernetes
+Use the same configuration as in <<external-keycloak-instance-configuration>> and obtain `QUARKUS_OIDC_CREDENTIALS_SECRET` and Kubernetes base URL (BASE_KEYCLOAK_KUBERNETES_URL) to your keycloak instance.
+
+=== Deploy Camel Quarkus application to Kubernetes
+
+TIP: Because we use `quarkus.kubernetes.env.secrets=quarkus-keycloak` in `application.properties` all properties from the secret `quarkus-keycloak` will be presented as ENV variables to the pod.
+
+TIP: To trust self-signed certificates from Kubernetes API server use `-Dquarkus.kubernetes-client.trust-certs=true` in deploy command.
+
+[source,shell]
+----
+$ kubectl create secret generic quarkus-keycloak --from-literal=QUARKUS_OIDC_CREDENTIALS_SECRET=<YOUR_SECRET>
+$ mvn clean package -DskipTests -Dquarkus.kubernetes.env.vars.QUARKUS_OIDC_AUTH_SERVER_URL=$BASE_KEYCLOAK_KUBERNETES_URL/realms/quarkus -Dquarkus.oidc.tls.verification=none -Dquarkus.kubernetes.ingress.expose=true -Dquarkus.kubernetes.deploy=true -Dkubernetes
+----
+
+The `kubernetes` profile uses quarkus kubernetes and openshift-container extensions, as described in the `pom.xml`.
+
+[source,xml]
+----
+<dependencies>
+        <dependency>

Review Comment:
   Thanks, resolved.


