Securing a custom "web.http" endpoint

[3rim]

Greetings,

I have written an ServiceExtension which has injected a Webservice like in the Samples.
I am trying to secure my custom endpoint due to the docs i found Api Authentication Configuration & auth-tokenbased

I use gradle and added implementation(libs.edc.auth.tokenbased) to the build file.
Also in the .toml edc-auth-tokenbased = { module = "org.eclipse.edc:auth-tokenbased", version.ref = "edc" }

Sadly my endoint localhost:56789/my-endpoint/hello is not secured. What did i do wrong?

edit: edv-version 0.6.4

provider.properties

//more properties...
web.http.my-endpoint.port=56789
web.http.my-endpoint.path=/my-endpoint
web.http.my-endpoint.type=tokenbased
web.http.my-endpoint.auth.key=apiKey

My ServiceExtension

public class MyExtension implements ServiceExtension {

    @Inject
    DataFlowManager dataFlowManager;
    @Inject
    WebService webService;

    @Override
    public void initialize(ServiceExtensionContext context) {
        //TODO: implement initialization
        System.out.println("init extension...");
        Monitor monitor = context.getMonitor();
        monitor.debug("Registering MyExtension");
        webService.registerResource("my-endpoint",new CustomApiController(monitor));
        dataFlowManager.register(new MyDataFlowController(monitor));
    }

    @Override
    public String name() {
        return "name";
    }
}

My CustomApiController

@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
@Path("/")
public class CustomApiController {
    private final Monitor monitor;

    public CustomApiController(Monitor monitor) {
        this.monitor = monitor;
    }

    @GET
    @Path("hello")
    public String checkHealth() {
        monitor.info("Received a health request for hello-endpoint");
        return "{\"response\":\"I'm alive!\"}";
    }
}

[wolf4ood]

Hi @3rim

probably you miss the extension that configure the auth for each web context.

edc-auth-configuration = { module = "org.eclipse.edc:auth-configuration", version.ref = "edc" }

Let me know if this helps

Thanks

[3rim]

Hi @wolf4ood
Thanks for the fast reply. I added it to the .toml. Sadly my endpoint is still accessible

[wolf4ood]

Did you also add implementation(libs.edc.auth.configuration) in the build file?

[3rim]

I added it now. My build fails now. "Could not find org.eclipse.edc:auth-configuration:0.6.4."
Does this version not exist?

[wolf4ood]

Nope it was introduced here

For that version you have wire it manually. If i remember correctly you just need to inject

@Inject
private AuthenticationService authenticationService;

and then register a resource

webService.registerResource("my-endpoint", new AuthenticationRequestFilter(authenticationService));

[3rim]

Here you go
`
[metadata]
format.version = "1.1"

[versions]
assertj = "3.24.2"
awaitility = "4.2.0"
edc = "0.6.4"
jakarta-json = "2.0.1"
junit-pioneer = "2.1.0"
jupiter = "5.10.1"
okhttp-mockwebserver = "5.0.0-alpha.11"
openTelemetry = "1.18.0"
restAssured = "5.3.2"
rsApi = "3.1.0"
testcontainers = "1.19.1"
kafkaClients = "3.6.0"

[libraries]
assertj = { module = "org.assertj:assertj-core", version.ref = "assertj" }
awaitility = { module = "org.awaitility:awaitility", version.ref = "awaitility" }
edc-api-core = { module = "org.eclipse.edc:api-core", version.ref = "edc" }
edc-api-observability = { module = "org.eclipse.edc:api-observability", version.ref = "edc" }
edc-auth-tokenbased = { module = "org.eclipse.edc:auth-tokenbased", version.ref = "edc" }
edc-auth-configuration = { module = "org.eclipse.edc:auth-configuration", version.ref = "edc" }
edc-boot = { module = "org.eclipse.edc:boot", version.ref = "edc" }
edc-build-plugin = { module = "org.eclipse.edc.edc-build:org.eclipse.edc.edc-build.gradle.plugin", version.ref = "edc" }
edc-configuration-filesystem = { module = "org.eclipse.edc:configuration-filesystem", version.ref = "edc" }
edc-connector-core = { module = "org.eclipse.edc:connector-core", version.ref = "edc" }
edc-control-plane-api-client = { module = "org.eclipse.edc:control-plane-api-client", version.ref = "edc" }
edc-control-plane-api = { module = "org.eclipse.edc:control-plane-api", version.ref = "edc" }
edc-control-plane-core = { module = "org.eclipse.edc:control-plane-core", version.ref = "edc" }
edc-control-plane-spi = { module = "org.eclipse.edc:control-plane-spi", version.ref = "edc" }
edc-data-plane-api = { module = "org.eclipse.edc:data-plane-api", version.ref = "edc" }
edc-data-plane-aws-s3 = { module = "org.eclipse.edc:data-plane-aws-s3", version.ref = "edc" }
edc-data-plane-azure-storage = { module = "org.eclipse.edc:data-plane-azure-storage", version.ref = "edc" }
edc-data-plane-client = { module = "org.eclipse.edc:data-plane-client", version.ref = "edc" }
edc-data-plane-core = { module = "org.eclipse.edc:data-plane-core", version.ref = "edc" }
edc-data-plane-http = { module = "org.eclipse.edc:data-plane-http", version.ref = "edc" }
edc-data-plane-kafka = { module = "org.eclipse.edc:data-plane-kafka", version.ref = "edc" }
edc-data-plane-selector-api = { module = "org.eclipse.edc:data-plane-selector-api", version.ref = "edc" }
edc-data-plane-selector-client = { module = "org.eclipse.edc:data-plane-selector-client", version.ref = "edc" }
edc-data-plane-selector-core = { module = "org.eclipse.edc:data-plane-selector-core", version.ref = "edc" }
edc-data-plane-spi = { module = "org.eclipse.edc:data-plane-spi", version.ref = "edc" }
edc-data-plane-util = { module = "org.eclipse.edc:data-plane-util", version.ref = "edc" }
edc-dsp = { module = "org.eclipse.edc:dsp", version.ref = "edc" }
edc-http = { module = "org.eclipse.edc:http", version.ref = "edc" }
edc-iam-mock = { module = "org.eclipse.edc:iam-mock", version.ref = "edc" }
edc-jersey-micrometer = { module = "org.eclipse.edc:jersey-micrometer", version.ref = "edc" }
edc-jetty-micrometer = { module = "org.eclipse.edc:jetty-micrometer", version.ref = "edc" }
edc-json-ld = { module = "org.eclipse.edc:json-ld", version.ref = "edc" }
edc-junit = { module = "org.eclipse.edc:junit", version.ref = "edc" }
edc-management-api = { module = "org.eclipse.edc:management-api", version.ref = "edc" }
edc-micrometer-core = { module = "org.eclipse.edc:micrometer-core", version.ref = "edc" }
edc-monitor-jdk-logger = { module = "org.eclipse.edc:monitor-jdk-logger", version.ref = "edc" }
edc-provision-aws-s3 = { module = "org.eclipse.edc:provision-aws-s3", version.ref = "edc" }
edc-runtime-metamodel = { module = "org.eclipse.edc:runtime-metamodel", version.ref = "edc" }
edc-transfer-data-plane = { module = "org.eclipse.edc:transfer-data-plane", version.ref = "edc" }
edc-transfer-process-api = { module = "org.eclipse.edc:transfer-process-api", version.ref = "edc" }
edc-transfer-pull-http-receiver = { module = "org.eclipse.edc:transfer-pull-http-receiver", version.ref = "edc" }
edc-transfer-pull-http-dynamic-receiver = { module = "org.eclipse.edc:transfer-pull-http-dynamic-receiver", version.ref = "edc" }
edc-transfer-spi = { module = "org.eclipse.edc:transfer-spi", version.ref = "edc" }
edc-util = { module = "org.eclipse.edc:util", version = "0.6.0" }
edc-vault-azure = { module = "org.eclipse.edc:vault-azure", version.ref = "edc" }
edc-vault-filesystem = { module = "org.eclipse.edc:vault-filesystem", version.ref = "edc" }
jakarta-rsApi = { module = "jakarta.ws.rs:jakarta.ws.rs-api", version.ref = "rsApi" }
jakartaJson = { module = "org.glassfish:jakarta.json", version.ref = "jakarta-json" }
junit-jupiter-api = { module = "org.junit.jupiter:junit-jupiter-api", version.ref = "jupiter" }
junit-jupiter-engine = { module = "org.junit.jupiter:junit-jupiter-engine", version.ref = "jupiter" }
junit-jupiter-params = { module = "org.junit.jupiter:junit-jupiter-params", version.ref = "jupiter" }
junit-pioneer = { module = "org.junit-pioneer:junit-pioneer", version.ref = "junit-pioneer" }
okhttp-mockwebserver = { module = "com.squareup.okhttp3:mockwebserver", version.ref = "okhttp-mockwebserver" }
opentelemetry-annotations = { module = "io.opentelemetry:opentelemetry-extension-annotations", version.ref = "openTelemetry" }
restAssured = { module = "io.rest-assured:rest-assured", version.ref = "restAssured" }
testcontainers = { module = "org.testcontainers:testcontainers", version.ref = "testcontainers" }
testcontainers-junit-jupiter = { module = "org.testcontainers:junit-jupiter", version.ref = "testcontainers" }
kafka-clients = { module = "org.apache.kafka:kafka-clients", version.ref = "kafkaClients" }
testcontainers-kafka = { module = "org.testcontainers:kafka", version.ref = "testcontainers" }
testcontainers-junit = { module = "org.testcontainers:junit-jupiter", version.ref = "testcontainers" }
opentelemetry = "io.opentelemetry.javaagent:opentelemetry-javaagent:1.31.0"

[plugins]
shadow = { id = "com.github.johnrengelman.shadow", version = "8.1.1" }

`

[3rim]

No that's for the bundled jar task.

Follow in Intellj the AuthenticationRequestFilter definition. you should be able to check which is the source code/jar directly from intellj in the external dependency.

The ApiAuthenticationRegistry was added in the 0.7.0 version

Ok. IntelIj does not highlight an error anymore and if i pres ctr+b i get to the AuthenticationRequestFilter as you said. Still the build fails
"Could not find org.eclipse.edc:auth-configuration:0.6.4."

[wolf4ood]

The auth-configuration should be removed since it's not available in the version you are using

[3rim]

Perfect. Thanks a lot it works now :)

[3rim]

and to access the endpoint now i just need to add into the header "x-api-key: apiKey" i guess, right

[3rim]

@wolf4ood
If i want to use the auth-config extension i have to use edc version 0.8.0 or higher, right?
Is any other configuration needed like inject and register a AuthenticationRequestFilter?

[wolf4ood]

yes it was introduced here

[3rim]

ok. i will try to look up thanks

[3rim]

Hi @wolf4ood
I have updated my edc to 0.8.1 (i copied the .toml from the examples).

Also this is my provider.config

web.http.port=18180
web.http.path=/api
web.http.management.port=18181
web.http.management.path=/management
web.http.protocol.port=18182
web.http.protocol.path=/protocol
web.http.control.port=18183
web.http.control.path=/control
web.http.my-endpoint.port=56789
web.http.my-endpoint.path=/my-endpoint
web.http.my-endpoint.auth.type=tokenbased
web.http.my-endpoint.auth.key=apiKey
edc.dsp.callback.address=http://localhost:18182/protocol
edc.participant.id=provider
edc.ids.id=urn:connector:provider
edc.transfer.proxy.token.signer.privatekey.alias=private-key
edc.transfer.proxy.token.verifier.publickey.alias=public-key

If i dont include edc.transfer.proxy.token.signer.privatekey.alias=private-key &
edc.transfer.proxy.token.verifier.publickey.alias=public-key i get an exception. Why so? What is the purpose of these config?

This is my Extension:

public class MyExtension implements ServiceExtension {

    @Inject
    DataFlowManager dataFlowManager;
    @Inject
    WebService webService;
    @Inject
    private ApiAuthenticationRegistry authenticationService;

    @Override
    public void initialize(ServiceExtensionContext context) {
        Monitor monitor = context.getMonitor();
        webService.registerResource("my-endpoint",new CustomApiController(monitor));
        webService.registerResource("my-endpoint",new AuthenticationRequestFilter(authenticationService,"my-endpoint"));
        dataFlowManager.register(new MyDataFlowController(monitor));
    }

    @Override
    public String name() {
        return "name";
    }
}

My dependencies:

    implementation(libs.edc.control.plane.core)
    implementation(libs.edc.data.plane.selector.core)
    implementation(libs.edc.api.observability)
    implementation(libs.edc.configuration.filesystem)
    implementation(libs.edc.iam.mock)
    implementation(libs.edc.management.api)
    implementation(libs.edc.dsp)
    implementation(libs.edc.data.plane.selector.api)
    implementation(libs.edc.transfer.pull.http.dynamic.receiver)
    implementation(libs.edc.data.plane.spi)
    implementation(libs.edc.transfer.data.plane.signaling)
    implementation(libs.edc.data.plane.core)
    implementation(libs.edc.data.plane.http)
    implementation(libs.jakarta.rsApi)

    implementation(libs.edc.auth.tokenbased)
    implementation(libs.edc.auth.configuration)

The issue now is the following:
Every endpoint is now secured. For example I cannot create assets.
I cannot figure out how to properly configure the extension so only my custom endpoint will be secured. What did i do wrong?