I have created a "Windows Azure Cloud Service" project in VS2012.2 with a MVC4 web role. When I run up the project it just gives me a web page. I am trying to develop a web service back-end for my website so I want to be able to call web methods directly from my website which is also running in on Azure.
When F5 my project it just gives me a website. Should I be using a worker role instead of a web role?
If you put your back-end web service along with your web role, then you can use it directly.
If you put your service in a worker role, then you need to open an input endpoint on your worker role so that it can be connected from out side of azure.
Or, you can create another website for your service and map to a virtual dictionary/application on your web role.
You may use both, but a web role is easiest as it sets up everything for you.
Its better to use web role in your scenario, the reason being publishing a web role is pretty straight forward.
Related
I am working on a web application part of which is running on our local server and part of the application is implemented using AWS. I am looking for a solution where if the user logs in to the using the part of application that is running on local side, the authentication and authorization is carried over to AWS and vice-versa.
Check out AWS Cognito, specially User/Identity Pools. You can do SSO and pass tokens from one app to another and authenticate against the Cognito endpoint in AWS.
I have been doing some research about using some AWS service as OAUTH2 for our application running in 3 docker containers (backend, frontend, database). Backend has an API which is not open to public obviously and accessible only within docker network. We are looking for extending our app with a chat service, which we want to implement as a service, so we build our app following microservices architecture, since we will add other services later on. So when user logs into our app, his session will be also "shared" with chat service.
Our chat service will be using sockets and since sockets require direct connection to user resources, we can not just implement an integration layer which will supply all resources required by chat service, but we have to either:
implement sockets within our application API (which we dont want to do, we want it as microservice),
open API endpoints for chat service to use, but this option requires OAUTH2 and thats what we try to deal with.
I am not sure if there is some other way to handle this and be also ready for a long run, but if this works, which AWS service would fit the best for us to use, which would play OAUTH2 role for handling security in this matter?
I also checked this post but it didn't help me much in my case. I'm open to any suggestions, I've checked AWS lambda, AWS cognito, AWS amplify, pretty confusing, many features, we don't want to overload the architecture with features we don't need.
What exactly is the thing you want? User accounts managed by AWS? Use cognito.
Users logging in with Apple, Facebook, Etc? Use cognito again.
Just have some backend code that once a user logs in, create a token or session so they can chat with that.
There are many youtube videos on AWS cognito but a lot of them suck. The best one is written in React but before they came out with hooks. Here is part one. https://www.youtube.com/watch?v=EaDMG4amEfk
I'm a beginner when it comes to Google Cloud. I have only worked with AWS before, but for this purpose I want to give Google Cloud a try.
I want to create an application where I don't have human users, but instead there are multiple instances of the same client application trying to access the pub/sub service. I would like each one of these users to come to register with my cloud function, which in return will:
create a pub/sub topic that only this client can listen to
return an identifier/key/something that can be used to authenticate the client the next time
How should I handle the authentication in this case? Should I create service credentials for each one of the clients? Or is there a way to provide a custom Identity Provider?
The first question is answered in this answer.
For the second one, the best way is for the user to be identified with Google oauth (a.k.a. a Google account).
When you create the pub/sub topic for this user, you should have already identified them, so you can set the proper permissions on the thread. Then, the user can simply call the pub/sub endpoint identified.
GCF, GAE apps, apps running on GKE, ... all of those have service accounts associated with them, so there should not be a problem to properly identify each client app running there.
If those users don't have an account (e.g. the client app is running outside of GCP), you can ask your human users (the ones running the client apps) to either:
Authenticate with their user account on your client app
Create a service account in GCP and make the client app use it
If those are not options, you can create a service account for each of your users, and provide the proper service account key file to each client.
We have an enterprise web application implemented based on Spring-Security for authentication/authorization. This application is currently deployed on-premises on client side and usually we connect it to existing AD/LDAP systems.
Now we'd like to setup this web application within Amazon AWS for demo purposes. Therefore we need a kind of an user access frontend, where users can register and as soon as an admin approved this, the user should have access to the webapp ui. In addition a simple analytics layer is needed, to see some information about the user access.
It is important to have this "frontend" (could be a simple website based on a CMS like WordPress) just to explain the demo, to have the user registration functionality and the analytics layer. We explicitly don't want to include this in the existing web application, so it must be decoupled from each other.
What could be the right approach to setup such an environment? I just need the right direction to dig into the topics.
After a first research, we see that Amazon Cognito could be the right backend service for user data management. But we don't see "an easy way" to enable a simple frontend as described above (e.g. I didn't find a wordpress plugin to connect wordpress user data management with Apache Cognito). Also on the backend side I haven't find useful information how to integrate Apache Cognito with Spring Security.
If you are looking for a simple frontend we launched a new feature which gives you basic signup/login pages for your user pool.
I have developed a set of Jersey-based REST APIs and deployed them to a Tomcat application server running on Elastic Beanstalk. Our application architecture requires that these REST APIs be accessed from an AngularJS web front end. The web front-end requires user authentication and we want all the accesses to these APIs to be restricted to users who are authenticated. This is a pretty common application architecture pattern.
Now mapping this architectural pattern to AWS services, we configure a Cognito user pool to authenticate users. We map this user pool to an identity pool, to which we attach a policy that allows for access to Beanstalk applications. From here, I don't know what to do next in order to configure secure access to REST APIs. A number of areas in this technical architecture are still not clear to me.
1) How to secure REST APIs on the server (i.e. AWS) side
Because we are using Tomcat container to host Jersey application, the "standard" JEE approach is to declare security constraint in web.xml, as demonstrated in the example below:
<security-constraint>
<web-resource-collection>
<url-pattern>/rest/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
I am wondering if this role-name "admin" will be ingested by Elastic beanstalk? So if I defined a role "admin" in IAM, and specify the above stanza in web.xml, will Tomcat app server at runtime perform the check? In my application, if I use standard SecurityContext.isUserInRole("admin"), SecurityContext.getUserPrincipal() etc, what kind of values will be returned?
2) web front end service invocation
because we are using AngularJS, the standard approach is to use the built-in $http service to invoke remote REST APIs. Suppose a user logs in through Cognito successfully, and obtains a JWT access token, how should we pass it to the http call to the REST API? Will AWS Javascript SDK automatically add proper HTTP headers to the $http service call or we need to handle this explicitly in our code?
I have researched quite a bit in the Elastic Beanstalk documentation, in particular the section of "integration with IAM service". However, the documentation does not seem to cover my questions above.
I would like to understand:
1) architecturally, how my questions above could be resolved in AWS Beanstalk. I am sure it can be done as it is a common architectural pattern. I just couldn't find the right answer in the documentation.
2) is there a pointer to some sample code? I went through some Java web app samples and built one by myself. However, these samples do not cover my requirements above.
Appreciate if any friend could enlighten me on this topic.
zx999