A Runtime installed with the default configuration can be accessed by anyone.
Any user can connect and make operations on it, such as listing or executing sessions, or invoking stambia webservices.
This behavior can be configured easily in the Runtime Properties, that offer the possibility to secure the connection through a user / password system, with roles, and hostname / IP restriction.
- Stambia DI Designer S18.3.0 or higher
- Stambia DI Runtime S17.4.0 or higher
Activating the security
Open the <stambiaRuntime>/properties/engineParameters.xml file.
Then, uncomment or add the security node:
<user anonymous="true" roles="Connect View"/> <user name="admin" uncryptedPassword="admin" roles="Admin"/> <user name="developer" uncryptedPassword="developer" roles="Connect View Execute"/> <user name="consult" uncryptedPassword="consult" roles="Connect View"/> <allow address="192.168.0.42"/> </security>
These restrictions will apply to RMI and HTTP(s) connections, including the webservices exposed with Stambia.
You can define as many "user" node as required and the syntax is the following:
<user name="user01" password="encrypted password" uncryptedPassword="plain text password" roles="Connect View Execute"/>
The following roles are available:
|Connect||The user can connect to the Runtime (required).|
|View||The user can list and view all the sessions of the Runtime.|
|Execute||The user can execute deliveries on the Runtime.|
The user has the full permissions on the Runtime. This is required for operations such as purging the sessions or scheduling deliveries.
- Only one of the "password" or "uncryptedPassword" should be set
- The password is encrypted with the
encrypt <password>Runtime command
- The user restriction also applies on Stambia Published Web Services that will require a Basic HTTP Authentication.
About the Anonymous User:
An anonymous user can be set, to specify the permissions of the users that connect to the Runtime without specifying credentials.
<user anonymous="true" roles="Connect View"/>
When the anonymous user is set, it is therefore not mandatory to specify credentials when connecting.
The connected user will have the permissions of the anonymous user.
When the anonymous user is not set, specifying credentials when connecting is mandatory.
Anonymous connections will then be rejected.
Only one anonymous user can be set at a time.
Anonymous users are supported from Stambia DI Runtime S17.4.5 and higher
The security node must contain at least one user, which can be a normal or anonymous user.
Hostname / IP restriction
You can also define as many "allow" node as required.
They are used to specify the hostnames / IP address allowed to connect to the Runtime.
If none are defined, all the addresses are authorized.
<allow address="hostname or IP address"/>
At the next restart, the Runtime's connection will be secured with the settings defined in the security node.
Externalizing the security configuration in another file
If needed, the security configuration can be externalized in another file than engineParameters.xml.
For this, simply put your security node inside another file (security.xml file for instance).
Then, add or uncomment the following line in the engineParameters.xml file.
A sample is available in the <stambiaRuntime>/properties/samples/engineParameters/ folder of the Runtime
At the next restart, the Runtime's connection will be secured with the settings defined in this file.
Connecting to a secured Runtime from the Designer
To connect to a secured Runtime from your Designer, refer to this article.