Red Hat SummitChapter 3. Business application configuration
3.1. Business application authentication and authorization
By default, business applications are secured by protecting all REST endpoints (URLs that contain /rest/). In addition, business applications have two sets of log in credentials that allow users to connect to Business Central in development mode: the user with the ID user and password user and the user with the ID kieserver and password kieserver1!.
Both authentication and authorization is based on Spring security. Alter this security configuration for all business applications used in production environments. You can make configuration changes in the <business-application>/<business-application>-services/src/main/java/com/company/service/DefaultWebSecurityConfig.java file:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration("kieServerSecurity")
@EnableWebSecurity
public class DefaultWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/rest/*").authenticated()
.and()
.httpBasic();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
auth.inMemoryAuthentication().withUser("kieserver").password(encoder.encode("kieserver1!")).roles("kie-server")
.and()
.withUser("john").password(encoder.encode("john@pwd1")).roles("kie-server", "PM", "HR");
}
}
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration("kieServerSecurity")
@EnableWebSecurity
public class DefaultWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/rest/*").authenticated()
.and()
.httpBasic();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
auth.inMemoryAuthentication().withUser("kieserver").password(encoder.encode("kieserver1!")).roles("kie-server")
.and()
.withUser("john").password(encoder.encode("john@pwd1")).roles("kie-server", "PM", "HR");
}
}3.2. Configuring the application.properties file
After you create your business application, you can configure several components through the application.properties file to customize your application.
Prerequisites
-
You have a
<business-application>.zipfile that you created using the business application website.
Procedure
-
Unzip the
<business-application>.zipfile and navigate to the<business-application>/<business-application>-service/src/main/resourcesfolder. -
Open the
application.propertiesfile in a text editor. Configure the host, port, and path for the REST endpoints, for example:
server.address=localhost server.port=8090 cxf.path=/rest
server.address=localhost server.port=8090 cxf.path=/restCopy to Clipboard Copied! Configure the KIE Server (
kieserver) so that it can be easily identified, for example:kieserver.serverId=<business-application>-service kieserver.serverName=<business-application>-service kieserver.location=http://localhost:8090/rest/server kieserver.controllers=http://localhost:8080/decision-central/rest/controller
kieserver.serverId=<business-application>-service kieserver.serverName=<business-application>-service kieserver.location=http://localhost:8090/rest/server kieserver.controllers=http://localhost:8080/decision-central/rest/controllerCopy to Clipboard Copied! The following table lists the KIE Server parameters that you can configure in your business application:
Table 3.1. kieserver parameters Parameter Values Description kieserver.serverIdstring
The ID used to identify the business application when connecting to the Decision Manager controller.
kieserver.serverNamestring
The name used to identify the business application when connecting to the Decision Manager controller. Can be the same string used for the
kieserver.serverIdparameter.kieserver.locationURL
Used by other components that use the REST API to identify the location of this server. Do not use the location as defined by
server.addressandserver.port.kieserver.controllersURLs
A comma-separated list of controller URLs.
If you selected Business Automation when you created your business application, specify which of the following components that you want to start at runtime:
Table 3.2. kieserver capabilities parameters Parameter Values Description kieserver.drools.enabledtrue, falseEnables or disables the Decision Manager component.
kieserver.dmn.enabledtrue, falseEnables or disables the Decision Model and Notation (DMN) component.
3.3. Configuring the business application with Red Hat Single Sign-On
You can use Red Hat Single Sign-On (RH SSO) to enable single sign-on between your services and to have a central place to configure and manage your users and roles.
Prerequisites
-
You have a
<business-application>.zipfile that you created using the business applications website.
Procedure
- Download and install RH SSO. For instructions, see the Red Hat Single Sign-On Getting Started Guide.
Configure RH SSO:
- Either use the default master realm or create a new realm.
-
Create the
springboot-appclient and set theAccessTypeto public. Set a valid redirect URI and web origin according to your local setup, for example:
-
Valid redirect URIs:
http://localhost:8090/* -
Web origin:
http://localhost:8090
-
Valid redirect URIs:
- Create realm roles that are used in the application.
- Create users that are used in the application and assign roles to them.
Add the following dependencies to the service project
pom.xmlfile:<dependencyManagement> <dependencies> <dependency> <groupId>org.keycloak.bom</groupId> <artifactId>keycloak-adapter-bom</artifactId> <version>${version.org.keycloak}</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement> .... <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-spring-boot-starter</artifactId> </dependency><dependencyManagement> <dependencies> <dependency> <groupId>org.keycloak.bom</groupId> <artifactId>keycloak-adapter-bom</artifactId> <version>${version.org.keycloak}</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement> .... <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-spring-boot-starter</artifactId> </dependency>Copy to Clipboard Copied! Update the
application.propertiesfile:keycloak security setup
# keycloak security setup keycloak.auth-server-url=http://localhost:8100/auth keycloak.realm=master keycloak.resource=springboot-app keycloak.public-client=true keycloak.principal-attribute=preferred_username keycloak.enable-basic-auth=trueCopy to Clipboard Copied! Modify the
DefaultWebSecurityConfig.javafile to ensure that Spring Security works correctly with RH SSO:import org.keycloak.adapters.KeycloakConfigResolver; import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; @Configuration("kieServerSecurity") @EnableWebSecurity public class DefaultWebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { super.configure(http); http .csrf().disable() .authorizeRequests() .anyRequest().authenticated() .and() .httpBasic(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider(); SimpleAuthorityMapper mapper = new SimpleAuthorityMapper(); mapper.setPrefix(""); keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(mapper); auth.authenticationProvider(keycloakAuthenticationProvider); } @Bean public KeycloakConfigResolver KeycloakConfigResolver() { return new KeycloakSpringBootConfigResolver(); } @Override protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); } }import org.keycloak.adapters.KeycloakConfigResolver; import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; @Configuration("kieServerSecurity") @EnableWebSecurity public class DefaultWebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { super.configure(http); http .csrf().disable() .authorizeRequests() .anyRequest().authenticated() .and() .httpBasic(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider(); SimpleAuthorityMapper mapper = new SimpleAuthorityMapper(); mapper.setPrefix(""); keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(mapper); auth.authenticationProvider(keycloakAuthenticationProvider); } @Bean public KeycloakConfigResolver KeycloakConfigResolver() { return new KeycloakSpringBootConfigResolver(); } @Override protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); } }Copy to Clipboard Copied!
3.4. Configuring business application user group providers
With Red Hat Decision Manager, you can manage human-centric activities. To provide integration with user and group repositories, you can use two KIE API entry points:
-
UserGroupCallback: Responsible for verifying whether a user or group exists and for collecting groups for a specific user -
UserInfo: Responsible for collecting additional information about users and groups, for example email addresses and preferred language
You can configure both of these components by providing alternative code, either code provided out of the box or custom developed code.
For the UserGroupCallback component, retain the default implementation because it is based on the security context of the application. For this reason, it does not matter which backend store is used for authentication and authorisation (for example, RH-SSO). It will be automatically used as a source of information for collecting user and group information.
The UserInfo component is a separate component because it collects more advanced information.
Prerequisites
-
You have a
<business-application>.zipfile that you created using the business application website and that contains a business automation project.
Procedure
To provide an alternative implementation of
UserGroupCallback, add the following code to the Application class or a separate class annotated with@Configuration:@Bean(name = "userGroupCallback") public UserGroupCallback userGroupCallback(IdentityProvider identityProvider) throws IOException { return new MyCustomUserGroupCallback(identityProvider); }@Bean(name = "userGroupCallback") public UserGroupCallback userGroupCallback(IdentityProvider identityProvider) throws IOException { return new MyCustomUserGroupCallback(identityProvider); }Copy to Clipboard Copied! To provide an alternative implementation of
UserInfo, add the following code to the Application class or a separate class annotated with@Configuration:@Bean(name = "userInfo") public UserInfo userInfo() throws IOException { return new MyCustomUserInfo(); }@Bean(name = "userInfo") public UserInfo userInfo() throws IOException { return new MyCustomUserInfo(); }Copy to Clipboard Copied!
3.5. Enabling Swagger documentation
You can enable Swagger-based documentation for all endpoints available in the service project of your Red Hat Decision Manager business application.
Prerequisites
-
You have a
<business-application>.zipfile that you created using the business applications website.
Procedure
-
Unzip the
<business-application>.zipfile and navigate to the<business-application>/<business-application>-servicefolder. -
Open the service project
pom.xmlfile in a text editor. Add the following dependencies to the service project
pom.xmlfile and save the file.<dependency> <groupId>org.apache.cxf</groupId> <artifactId>cxf-rt-rs-service-description-swagger</artifactId> <version>3.2.6</version> </dependency> <dependency> <groupId>io.swagger</groupId> <artifactId>swagger-jaxrs</artifactId> <version>1.5.15</version> <exclusions> <exclusion> <groupId>javax.ws.rs</groupId> <artifactId>jsr311-api</artifactId> </exclusion> </exclusions> </dependency><dependency> <groupId>org.apache.cxf</groupId> <artifactId>cxf-rt-rs-service-description-swagger</artifactId> <version>3.2.6</version> </dependency> <dependency> <groupId>io.swagger</groupId> <artifactId>swagger-jaxrs</artifactId> <version>1.5.15</version> <exclusions> <exclusion> <groupId>javax.ws.rs</groupId> <artifactId>jsr311-api</artifactId> </exclusion> </exclusions> </dependency>Copy to Clipboard Copied! To enable the Swagger UI (optional), add the following dependency to the
pom.xmlfile and save the file.<dependency> <groupId>org.webjars</groupId> <artifactId>swagger-ui</artifactId> <version>2.2.10</version> </dependency>
<dependency> <groupId>org.webjars</groupId> <artifactId>swagger-ui</artifactId> <version>2.2.10</version> </dependency>Copy to Clipboard Copied! -
Open the
<business-application>/<business-application>-service/src/main/resources/application.propertiesfile in a text editor. Add the following line to the
application.propertiesfile to enable Swagger support:kieserver.swagger.enabled=true
kieserver.swagger.enabled=trueCopy to Clipboard Copied!
After you start the business application, you can view the Swagger document at http://localhost:8090/rest/swagger.json. The complete set of endpoints is available at http://localhost:8090/rest/api-docs?url=http://localhost:8090/rest/swagger.json.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}