IT |
気になる、記になる… |
povo2.0 offers a "5GB (30 days)" topping bundled with three months of Amazon Prime for a limited time |
https://taisy0.com/2023/03/02/169170.html
|
limited time |
2023-03-02 08:28:38 |
IT |
気になる、記になる… |
povo to hold a campaign that gives up to 40GB of data for purchasing a Mobile Suica commuter pass |
https://taisy0.com/2023/03/02/169166.html
|
suica |
2023-03-02 08:20:17 |
IT |
気になる、記になる… |
TikTok limits viewing time for users under 18 to 60 minutes per day |
https://taisy0.com/2023/03/02/169162.html
|
tiktok |
2023-03-02 08:11:16 |
TECH |
Techable(テッカブル) |
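Rentals are "leaving the city center" too. The No. 1 town where people want to rent a home is Hon-Atsugi for the third year in a row. In the fastest-rising ranking, No. 2 is Tokorozawa, and No. 1 is that station on the Keio Line! |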
https://techable.jp/archives/198779
|
lifullhomes |
2023-03-02 08:30:57 |
TECH |
Techable(テッカブル) |
New features added to "note AI Assistant": text review, summarization, and introduction writing are now possible |
https://techable.jp/archives/198316
|
support tools |
2023-03-02 08:00:24 |
python |
New posts tagged Python - Qiita |
Minimal setup for using an Anaconda environment in VSCode |
https://qiita.com/shiganai/items/11537a0083f978e6821d
|
anaconda |
2023-03-02 17:29:30 |
Tech blog |
Developers.IO |
[Alteryx] When Alteryx Starter Kits products cannot be installed |
https://dev.classmethod.jp/articles/alteryx-starter-kits-unable-install/
|
alteryx |
2023-03-02 08:23:28 |
Tech blog |
Developers.IO |
Please tell me why the BurstBalance metric is no longer displayed after changing the RDS instance class |
https://dev.classmethod.jp/articles/tsnote-rds-burstbalance-nitro/
|
burstbalance |
2023-03-02 08:20:35 |
Tech blog |
Developers.IO |
Features that were scrapped as a result of hypothesis testing (Monthly Proflly, February 2023 issue) |
https://dev.classmethod.jp/articles/whats-new-proflly-202302/
|
proflly |
2023-03-02 08:09:13 |
Overseas TECH |
DEV Community |
Bulk IP Lookup |
https://dev.to/smartseotools/bulk-ip-lookup-539c
|
Bulk GEO IP locator is a tool that enables users to identify the geographical location of multiple IP addresses at once. The tool is used by businesses and individuals to gather information about the location of their website visitors, potential clients, and competitors. The bulk GEO IP locator works by analyzing the IP addresses and determining their geographic location based on the available information. In this article, we will explore how bulk GEO IP locator works, its benefits, and limitations.
How Does Bulk GEO IP Locator Work?
Bulk IP Lookup works by utilizing a database of IP addresses and their corresponding geographic locations. When a user inputs a list of IP addresses, the tool cross-references them with the database and returns the corresponding location data. The database is created by collecting and organizing IP addresses from various sources, such as Internet Service Providers (ISPs), domain registrars, and network administrators. Bulk GEO IP locator uses several methods to determine the geographic location of an IP address. These methods include:
- IP Address Mapping: This method involves mapping IP addresses to their corresponding geographical location. IP address mapping is achieved through the use of IP geolocation databases. These databases contain information about the IP address ranges and the geographic location associated with each range.
- Reverse DNS Lookup: Reverse DNS lookup involves resolving the IP address to a domain name and then looking up the location of the domain name. This method is used when IP address mapping fails to provide a location.
- WHOIS Lookup: WHOIS lookup involves querying the WHOIS database to obtain information about the owner of the IP address. This information includes the owner's name, email address, and geographic location.
- Traceroute: Traceroute involves sending packets of data from the user's computer to the target IP address and recording the route taken by the data. This method can be used to determine the location of the network that the IP address belongs to.
Benefits of Bulk GEO IP Locator
Bulk GEO IP locator has several benefits for businesses and individuals. These benefits include:
- Targeted Marketing: Bulk GEO IP locator enables businesses to identify the geographic locations of their website visitors and potential clients. This information can be used to create targeted marketing campaigns that are specific to the needs and interests of the target audience.
- Competitive Analysis: Bulk GEO IP locator enables businesses to identify the locations of their competitors. This information can be used to create competitive analysis reports that provide insights into the strengths and weaknesses of the competition.
- Fraud Detection: Bulk GEO IP locator enables businesses to identify the geographic locations of potential fraudsters. This information can be used to prevent fraudulent activities such as credit card fraud, identity theft, and phishing attacks.
- Localization: Bulk GEO IP locator enables businesses to localize their websites and content. This means that businesses can create content that is specific to the geographic location of their website visitors. This can improve user experience and increase engagement.
Limitations of Bulk GEO IP Locator
Bulk GEO IP locator has several limitations that users should be aware of. These limitations include:
- Inaccuracy: Bulk GEO IP locator is not always accurate. The accuracy of the tool depends on the quality and reliability of the database being used. Some IP addresses may not be mapped correctly or may be associated with the wrong geographic location.
- Privacy Concerns: Bulk GEO IP locator raises privacy concerns. The tool can be used to track the geographic location of individuals without their knowledge or consent. This can be a violation of privacy laws in some countries.
- Dynamic IP Addresses: Bulk GEO IP locator may not work with dynamic IP addresses. Dynamic IP addresses are IP addresses that change frequently. This means that the geographic location associated with the IP address may not be accurate.
- VPNs: Bulk GEO IP locator may not work with VPNs. Virtual Private Networks (VPNs) mask the user's IP address and route their internet traffic through a different location. This means that the geographic location associated with the IP address may not be accurate.
- Limited Information: Bulk GEO IP locator may not provide comprehensive information about the user's geographic location. For example, the tool may not be able to provide information about the user's street address or zip code.
How to Use Bulk GEO IP Locator
Using bulk GEO IP locator is easy. Here are the steps to follow:
- Gather the IP addresses you want to locate: Collect a list of IP addresses you want to locate. You can obtain IP addresses from your website logs, email logs, or network logs.
- Choose a bulk GEO IP locator tool: There are many bulk GEO IP locator tools available online. Choose a tool that is reliable and accurate.
- Upload the list of IP addresses: Once you have chosen a tool, upload the list of IP addresses you want to locate. The tool will analyze the IP addresses and provide the corresponding geographic location data.
- Analyze the data: Once the tool has provided the data, analyze it to gain insights into the geographic location of your website visitors or potential clients.
Bulk GEO IP locator is a useful tool for businesses and individuals who want to gather information about the geographic location of their website visitors or potential clients. The tool works by analyzing IP addresses and determining their geographic location based on the available information. Bulk GEO IP locator has several benefits, including targeted marketing, competitive analysis, fraud detection, and localization. However, the tool also has limitations, including inaccuracy, privacy concerns, dynamic IP addresses, and limited information. To use bulk GEO IP locator, gather the IP addresses you want to locate, choose a reliable tool, upload the list of IP addresses, and analyze the data. |
2023-03-02 08:55:08 |
Overseas TECH |
DEV Community |
AWS Patch Management |
https://dev.to/sagar0419/aws-patch-management-28g
|
Introduction
AWS Patch Manager automates the patching process for AWS-managed Linux and Windows instances. It patches the instances with security and non-security updates. By using Patch Manager, we can scan instances for missing patches, or we can use Patch Manager to scan and install all missing patches on our AWS-managed VMs.
Prerequisites
- An AWS VM is up and running. In our scenario we are using CentOS. All the operating systems that are supported for installation of the patch manager can be checked on this link.
- You have SSH access to the VM.
- You have AWS access to create an S3 bucket, IAM role, and policies.
Assuming that you have all the prerequisites, we can now move forward with installing Patch Manager on our machine.
Installation
To install the AWS Systems Manager Agent on our machine, we need to run the SSM agent install command on our machine. If you are using CentOS, then you can download the below-mentioned command and run it on your machine. Otherwise, you can get your command from this link. You can use the below-mentioned command if you are using a CentOS VM:
sudo yum install -y
Once the command is installed, run the following commands:
sudo systemctl daemon-reload && sudo systemctl restart amazon-ssm-agent
And you will get an output like this. If you get an output saying that the service is inactive:
amazon-ssm-agent.service - amazon-ssm-agent
Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Tue UTC s ago (truncated)
To activate the agent, run the below-mentioned commands:
sudo systemctl enable amazon-ssm-agent
sudo systemctl daemon-reload && sudo systemctl restart amazon-ssm-agent
IAM Instance Role
Assuming that your SSM agent is up and running, we now need to create an IAM instance profile so that our machine can communicate with the patch manager. To create the IAM role, log in to your AWS console and navigate to the IAM section. Once you reach there, click on Roles under Access Management. Click on Create role. A window will appear to select the trusted entity. Select the trusted entity type AWS Service, and under the use case select EC2. Once you are done with the selection, click on Next. Now a new window will appear; from this window you can add permissions to your role. Here, search for AmazonEC2RoleforSSM. Select the policy and click Next, then give your role a name. In our scenario we are using the demo Patch manager name. Scroll down and click on Create Role, and your role will be created.
Now we need to attach the newly created role to the instance. For this, navigate to the EC2 console and select the instance that you want to add to your patch manager. After selecting the instance, click on Action and then navigate to Security. Under the Security option, select Modify IAM role. In the new window, select the IAM role that you created in the previous step and then click on Update IAM Role, and your IAM role will get attached to the machine.
Patching
To patch your instance, go to AWS Systems Manager on the AWS console. Then click on Patch Manager under Node Management. Under Patch Manager, select Configure patching. A new window will open. Here you need to select the instance that you want to patch. In our scenario our instance is demo patch, so we have selected that instance. In the next option, we need to select the patching window and whether we want to install the patch or just scan the machine. In our scenario we are using the option "Skip scheduling and patch instance now". You can schedule the patch according to your requirements. Under Patching Operation, click on Scan and Install so that it can scan the machine and update the patches. If you only want to scan the machine and generate a list of patches that are available for installation, then select Scan only. Once you have selected all the requirements, click on Configure Patching.
Verification
To verify the status of your patch command, navigate to Run Command under Node Management in the AWS Systems Manager window. Select the command and click on View details. In this window you can check the status of the patch command. As you can see, our command was successful, which means our instance was patched successfully.
I hope you found this post informative and engaging. I would love to hear your thoughts on this post, so do start a conversation on Twitter or LinkedIn. Here are some of my other articles that you may find interesting: OpenTelemetry Auto Instrumentation, vCluster. Until next time. |
2023-03-02 08:44:12 |
Overseas TECH |
DEV Community |
Expose APIs from Apache APISIX to the Power Platform |
https://dev.to/apisix/expose-apis-from-apache-apisix-to-the-power-platform-34la
|
Apache APISIX API Gateway enables professional developers to publish their backend service as APIs, monitor the usage, and easily expose these APIs to the Power Platform (Power Apps and Power Automate) as custom connectors for discovery, and integrate API Gateway endpoints into custom apps without having to write code from scratch. In this article, we will show you how to create a custom connector for the open-source Apache APISIX API Gateway in Power Platform as an alternative to Azure API Management, in case you are building additional components on an existing system with usable APIs and your system's infrastructure is hosted on-premises or on a cloud services provider other than Azure.
Learning objectives
You will learn the following throughout the article:
- Benefits of integrating Power Apps with Apache APISIX.
- What's a custom connector?
- Set up a new custom connector for Apache APISIX API Gateway in Power Platform.
- Create a Canvas Mobile App in PowerApps that uses the new custom connector.
Benefits of integrating Power Apps with Apache APISIX
Integrating Power Apps with Apache APISIX provides several benefits to organizations. Your Power Apps can access your APIs via the API Gateway, and you can configure additional settings on APISIX. Here are a few of them:
- Enhanced security: It offers advanced request throttling to avoid unexpected errors caused by massive requests to backend systems, rate limit policies for your backend APIs, and authentication and encryption that can be applied to custom applications.
- Scalability: It handles high volumes of traffic and can scale up or down based on demand. This means that custom applications built on Power Apps can handle increasing volumes of traffic as the business grows.
- Performance: It provides features such as load balancing and caching that can improve the performance of custom applications built on Power Apps.
What's a custom connector?
A custom connector in Power Apps is a tool that allows users to create a connection between their app and an external data source or API that is not natively supported by Power Apps; in our case it is Apache APISIX. Custom connectors provide a way for users to access data and services from external systems within their app without having to write complex code or perform complex configurations. Custom connectors are created by defining the API endpoints, methods, and authentication requirements of the external system, along with any necessary parameters and response formats. Once the custom connector is created and authenticated, it can be used in Power Apps to perform operations such as retrieving data, creating records, updating records, and deleting records.
Set up a new custom connector
Let's look at an example of configuring a custom connector for Apache APISIX. For the demo case, we will leverage the sample project built on ASP.NET Core Web API with a single GET endpoint (retrieves the list of all products) and the Apache APISIX Docker sample project. You can find all instructions on how to run the sample app in the README file.
Prerequisites
- Must be familiar with fundamental API concepts.
- Basic knowledge about a couple of APISIX core concepts such as Route, Upstream, and Plugin.
- Docker installed on your machine to run APISIX.
- Install APISIX and the Product backend API with docker compose.
- Configure the necessary settings such as the API endpoint, upstream, and routing rules. You can follow this tutorial to set up APISIX API Gateway. Make sure that you create the Route and Upstream, and APISIX should forward the request to our target API /api/products.
- This exercise requires access to Power Apps Premium connectors. Sign up for a free Developer Plan.
Step 1: Start the custom connector wizard
To get started, log in to the Power Apps portal and navigate to the Connectors section. Click on the New custom connector button, then choose Create from blank and provide a name for the new connector.
Step 2: Provide basic details for your connector
In the General tab, enter the following details for your connector:
- Connector name: Give your connector a name, such as APISIX API Gateway.
- Description: Provide a brief description of your connector.
- Scheme: Ensure that you also select the correct scheme. For this instance we should be using HTTP, as we haven't configured our API to use HTTPS.
- Put a check mark on the option "Connect via on-premises data gateway". You will need to install an on-premises data gateway on a machine inside your network, because a custom connector cannot have localhost as a hostname without using an on-premises data gateway.
- Base URL: Enter the base URL of your Apache APISIX API Gateway. For example, http://localhost
Step 3: Choose an authentication type
Next, switch to the Security tab and provide the necessary authentication details based on the authentication type your custom connector is going to use. For example, Basic, OAuth, or API Key.
Step 4: Define your API endpoints
In the Definition tab, you can define the API endpoints that you want to expose in your custom connector. For example, you might define an endpoint for retrieving the list of all products from the API Gateway. To define an endpoint, follow these steps:
- Name: Enter a name for your endpoint, such as Get Product List.
- Summary: Provide a brief summary of what the endpoint does.
- Operation ID: Enter a unique operation ID for the endpoint, such as GetProducts.
- Method: Choose the HTTP method that your endpoint uses, such as GET.
- URL: Enter the API endpoint URL for your endpoint, such as /api/products.
- Request: Specify the request parameters and headers that your endpoint requires.
- Response: Specify the response schema that your endpoint returns.
You can define as many endpoints as you need for your custom connector.
Step 5: Test your custom connector
Once you have defined your endpoints, you can test your custom connector by clicking on the Test tab. Here, you can enter sample data for your requests and see the responses that your API Gateway returns.
Step 6: Save your custom connector
After you have defined all the endpoints and tested your connector, click on the Create connector button to save your changes. Your custom connector for Apache APISIX API Gateway is now ready to use in your Power Apps. You can use it to build a custom app in the next section that interacts with your API Gateway endpoint.
Create a new Power App
Now we build a new mobile app with a single page that fetches the product list from the APISIX API Gateway endpoint using the custom connector we created in the previous section.
Step 1: Create a new app for Products
To get started, log in to the Power Apps portal and create a new app by selecting Create an app. Choose the Phone layout option to create a mobile app and provide a name for your app.
Step 2: Add a data source
In the Data tab, add your Apache APISIX API Gateway custom connector as a data source. This will enable your app to interact with the API Gateway endpoints defined in your custom connector.
Step 3: Design your user interface
In the Canvas tab, design the user interface for your app. You can add various UI controls such as buttons, labels, galleries, and forms to create a user-friendly and interactive interface. In this example, we show a list of products with their names and prices.
Step 4: Define actions and logic
In the Action tab, define the actions that your app should perform when the user interacts with the UI controls. For example, you might define an action to retrieve all the products from your API Gateway, display them in a gallery, and add the search functionality.
Step 5: Test your app
Once you have defined the actions and logic for your app, you can test it by clicking on the Preview button. Here, you can interact with the UI controls and see the data retrieved from your API Gateway.
Step 6: Publish your app
After you have tested your app, you can publish it to make it available to your users. You can publish your app to various platforms such as iOS, Android, and Windows.
Next steps
In this article, you learned how to describe the API and define the Apache APISIX custom connector. We also created the mobile app with Power Apps that uses the API Gateway with its custom connector. Our custom connector is used the same way Microsoft-managed connectors are used. This means you can leverage the connector in a Logic App or Power Automate as well. So go ahead and give it a try, and see how much you can accomplish with Power Platform and Apache APISIX.
Related resources
- Create a custom connector from scratch
- About on-premises gateway
- Export APIs from Azure API Management to the Power Platform
- Manage .NET Microservices APIs with Apache APISIX API Gateway
Recommended content
- most common use cases of an API Gateway
- How to choose the right API Gateway
- Why Is Apache APISIX the Best API Gateway?
Community
Join the Apache APISIX Community. Follow us on Twitter. Find us on Slack.
About the author
Visit my personal blog: www.iambobur.com |
2023-03-02 08:19:25 |
Overseas TECH |
DEV Community |
HTML/CSS Concepts |
https://dev.to/ajith_56/htmlcss-concepts-5l8
|
Box Model
In web development, the CSS box model is a rectangular structure that encloses each HTML element and includes the content itself as well as padding, borders, and margins. The below diagram shows these layers:
- content: encompasses text and images within the box.
- padding: surrounds the content and is transparent.
- border: outlines the padding and content.
- margin: lies outside the border and is transparent.
If we assume that a box has the following CSS, the actual space taken up by the box will be px wide and px high:
.box { width: px; height: px; margin: px; padding: px; border: px solid black; }
Inline vs Block Elements
Block-level elements are automatically positioned on a new line by browsers and have a margin added before and after the element. They occupy the full available width, extending both to the left and right as far as possible. Examples of popular block-level elements include <p>, <form>, <div>, etc. An inline element is positioned without starting a new line. An inline element occupies only the required width. Examples of popular inline elements include <span>, <a>, <img>, etc.
Positioning: Relative/Absolute
Relative positioning: When an element is positioned relatively, it remains in the normal flow of the page, but its position can be adjusted relative to its default position. The element's position is set using the same top, bottom, left, and right properties as absolute positioning, but the values are relative to the element's original position.
Absolute positioning: When an element is positioned absolutely, it is removed from the normal flow of the page and positioned relative to its nearest positioned ancestor. If there is no positioned ancestor, it will be positioned relative to the initial containing block. The element's position is set using the top, bottom, left, and right properties.
Common CSS structural classes
- :first-child: Selects the first child element under the parent element when the first child element is a specified element.
- :last-child: Selects the last child element under the parent element when the last child element is a specified element.
- :first-of-type: Selects the first child element of its type under the parent element.
- :last-of-type: Selects the last child element of its type under the parent element.
- :only-child: Selects a specified element if it is the only child element under the parent element.
- :nth-of-type(n): Selects one or more child elements based on their type under the parent element.
- :nth-last-of-type(n): Selects one or more child elements based on their type under the parent element.
- :not(): This takes a simple selector as an argument and selects elements that are not represented by the argument.
- :empty: Selects empty elements.
- :root: Selects the root element.
Common CSS styling classes
- Container: It is usually defined using the class attribute in HTML and styled in CSS.
- Row: A row class is used to define a horizontal row of elements within a container.
- Column: A column class is used to define a vertical column of elements within a row.
- Header: A header class is used to define the top section of a web page, which typically includes the site logo, navigation menu, and other important information.
- Footer: A footer class is used to define the bottom section of a web page, which typically includes copyright information, contact details, and links to social media accounts.
- Sidebar: It is often used to display additional navigation links or other secondary content.
- Navigation: A navigation class is used to define a menu of links that allows users to navigate through different sections of the website.
- Content: A content class is used to define the main section of a web page, which typically includes the main text, images, and other media.
CSS Specificity
Specificity determines which CSS rule is applied by the browsers. Every selector has its place in the specificity hierarchy. If two selectors apply to the same element, the one with higher specificity wins.
- The embedded style sheet has a greater specificity than other rules.
- ID selectors have a higher specificity than attribute selectors.
- A class selector beats any number of element selectors.
- Universal selectors are applied last.
CSS Responsive Queries
CSS responsive queries are also known as media queries. They allow you to apply different styles to a webpage based on the screen size, orientation, and other characteristics of the device on which it is being viewed.
Basic media query to target smaller screens:
@media (max-width: px) { }
This query targets screens with a maximum width of pixels and applies styles only when the screen is narrower than that.
Media query to target larger screens:
@media (min-width: px) { }
This query targets screens with a minimum width of pixels and applies styles only when the screen is wider than that.
Flexbox
Flexbox is a layout mode in CSS that allows you to create flexible and responsive layouts with a single container element and its child elements. Flexbox has two main axes: the main axis and the cross axis. By default, the main axis is horizontal and the cross axis is vertical. To use flexbox, we need to set the display property of the container element to flex. For example:
.container { display: flex; }
To center the child elements along the main axis:
.container { display: flex; justify-content: center; }
To center the child elements along the cross axis:
.container { display: flex; align-items: center; }
To switch the main axis to vertical:
.container { display: flex; flex-direction: column; }
To allow the child elements to wrap to the next line:
.container { display: flex; flex-wrap: wrap; }
Grid
CSS grid is a two-dimensional layout system that allows you to create complex layouts for websites. To create a grid, we need to define a container element and set it to display: grid. The grid container can be divided into rows and columns using the grid-template-rows and grid-template-columns properties.
<div class="grid-container">
  <div class="grid-item"></div>
  <div class="grid-item"></div>
  <div class="grid-item"></div>
  <div class="grid-item"></div>
  <div class="grid-item"></div>
  <div class="grid-item"></div>
</div>
.grid-container { display: grid; grid-template-columns: repeat( , fr); grid-template-rows: repeat( , px); grid-gap: px; }
.grid-item { background-color: #ccc; padding: px; }
In this example, we have a grid container with six grid items. We've set the grid-template-columns property to repeat three columns, each with a width of fr, and the grid-template-rows property to repeat two rows, each with a height of px. We've also added a grid gap of px between rows and columns. The result is a x grid with six equally sized cells.
Common header meta tags
Description tag: This tag provides a brief description of the web page.
<head> <meta name="description" content="This is an example description of the web page"> </head>
Keywords tag: This tag lists keywords that are relevant to the content on the web page.
<head> <meta name="keywords" content="example, keywords, web page"> </head>
Author tag: This tag specifies the name of the author of the web page.
<head> <meta name="author" content="John Doe"> </head>
Robots tag: This tag specifies whether or not search engine robots should index or follow the web page.
<head> <meta name="robots" content="index, follow"> </head>
Viewport tag: This tag specifies the viewport settings for the web page.
<head> <meta name="viewport" content="width=device-width, initial-scale="> </head>
Charset tag: This tag specifies the character set used in the web page.
<head> <meta charset="UTF-8"> </head>
References
- CSS Box Model, W3Schools
- The box model, mdn web docs
- Absolute, Relative, Fixed Positioning, CSS-TRICKS
- CSS Pseudo-class selectors explained with example, DOM tree and cheat sheet
- CSS Specificity, SmashingMagazine
- CSS Flexbox, W3Schools
- CSS Grid layout Module, W3Schools
- HTML meta tag, W3Schools |
2023-03-02 08:10:44 |
Overseas TECH |
DEV Community |
Make your security policy auditable |
https://dev.to/apisix/make-your-security-policy-auditable-5o8
|
Last week, I wrote about putting the right feature at the right place. I used rate limiting as an example, moving it from a library inside the application to the API Gateway. Today, I'll use another example: authentication and authorization.
Securing a Spring Boot application
I'll keep using Spring Boot in the following because I'm familiar with it. The Spring Boot application offers a REST endpoint to check employees' salaries. The specific use case is taken from the Open Policy Agent site (more later):
Create a policy that allows users to request their own salary as well as the salary of their direct subordinates.
We need a way to:
- Authenticate an HTTP request as coming from a known user
- Check whether the user has access to the salary data
- In any other case, return a
I'll pass an authentication token in the request to keep things simple. I won't rely on a dedicated authentication/authorization backend such as Keycloak, but it should be a similar approach if you do. To enable Spring Security on the app, we need to add the Spring Boot Security Starter:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
We also need to enable Spring Security to work its magic:
@SpringBootApplication
@EnableWebSecurity
class SecureBootApplication
With those two steps in place, we can start securing the application according to the above requirement:
internal fun security() = beans {
    bean {
        val http = ref<HttpSecurity>()
        http {
            authorizeRequests {
                authorize("/finance/salary/**", authenticated)
            }
            addFilterBefore<UsernamePasswordAuthenticationFilter>(
                TokenAuthenticationFilter(ref())
            )
            httpBasic { disable() }
            csrf { disable() }
            logout { disable() }
            sessionManagement {
                sessionCreationPolicy = SessionCreationPolicy.STATELESS
            }
        }
        http.build()
    }
    bean { TokenAuthenticationManager(ref(), ref()) }
}
- Use the Kotlin Beans DSL, because I can
- Only allow access to the endpoint to authenticated users
- Add a filter in the filter chain to replace regular authentication
- Add a custom authentication manager
Requests look like the following:
curl -H 'Authorization: xyz' localhost/finance/salary/bob
The filter extracts from the request the necessary data used to decide whether to allow the request or not:
internal class TokenAuthenticationFilter(authManager: AuthenticationManager) :
    AbstractAuthenticationProcessingFilter("/finance/salary/**", authManager) {
    override fun attemptAuthentication(req: HttpServletRequest, resp: HttpServletResponse): Authentication {
        val header = req.getHeader("Authorization")
        val path = req.servletPath.split('/')
        val token = KeyToken(header, path)
        return authenticationManager.authenticate(token)
    }
    override fun successfulAuthentication(...)
}
- Get the authentication token
- Get the path
- Wrap it under a dedicated structure
- Try to authenticate the token
In turn, the manager tries to authenticate the token:
internal class TokenAuthenticationManager(
    private val accountRepo: AccountRepository,
    private val employeeRepo: EmployeeRepository
) : AuthenticationManager {
    override fun authenticate(authentication: Authentication): Authentication {
        val token = authentication.credentials as String? ?: throw BadCredentialsException("No token passed")
        val account = accountRepo.findByPassword(token).orElse(null) ?: throw BadCredentialsException("Invalid token")
        val path = authentication.details as List<String>
        val accountId = account.id
        val segment = path.last()
        if (segment == accountId) return authentication.withPrincipal(accountId)
        val employee = employeeRepo.findById(segment).orElse(null)
        val managerUserName = employee?.manager?.userName
        if (managerUserName != null && managerUserName == accountId) return authentication.withPrincipal(accountId)
        throw InsufficientAuthenticationException("Incorrect token")
    }
}
- Get the authorization token passed from the filter
- Try to find the account that has this token. For simplicity's sake, the token is stored in plain text without hashing
- If the account tries to access its data, allow it
- If not, we must load the hierarchy from another repo. If the account attempts to access data from an employee they manage, allow it. Else, deny it.
The whole flow can be summarized as the following:
Now we can try some requests:
curl -H 'Authorization: bob' localhost/finance/salary/bob
bob asks for his own salary, and it works.
curl -H 'Authorization: bob' localhost/finance/salary/alice
bob asks for the salary of one of his subordinates, and it works as well.
curl -H 'Authorization: bob' localhost/finance/salary/alice
alice asks for her manager's salary, which is not allowed.
The code above works perfectly but has one big issue: there's no way to audit the logic. One must know Kotlin and how Spring Security works to ensure the implementation is sound.
Introducing Open Policy Agent
Open Policy Agent, or OPA for short, describes itself as:
"Policy-based control for cloud native environments. Stop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack. Whether for one service or for all your services, use OPA to decouple policy from the service's code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance." (OPA Website)
In short, OPA allows writing policies and offers a CLI and a daemon app to evaluate them. You write policies in a specific interpreted language named Rego, and I must admit it's not fun. Anyway, here's our above policy written in clear text:
package ch.frankel.blog.secureboot
employees := data.hierarchy
default allow := false
# Allow users to get their own salaries.
allow {
    input.path == ["finance", "salary", input.user]
}
# Allow managers to get their subordinates' salaries.
allow {
    some username
    input.path = ["finance", "salary", username]
    employees[input.user][_] == username
}
- Get the employee hierarchy somehow (see below)
- If the account requests their salary, allow access
- If the account requests the salary of a subordinate, allow access
I used two variables in the above snippet: input and data. input is the payload that the application sends to
OPA It should be in JSON format and has the following form path finance salary alice user bob More Open Policy Agent goodnessHowever OPA can t decide on the input alone as it doesn t know the employee s hierarchy One approach would be to load the hierarchy data on the app and send it to OPA A more robust approach is to let OPA access external data to separate responsibilities cleanly OPA offers many options to achieve it Here I pretend to extract data from the Employee database bundle it together with the policy file serve the bundle via HTTP and configure OPA to load it at regular intervals Note that you shouldn t use Apache APISIX only to serve static files But since I ll be using it in the next evolution of my architecture I want to avoid having a separate HTTP server to simplify the system Now that we moved the decision logic to OPA we can replace our code with a request to the OPA service The new version of the authentication manager is internal class OpaAuthenticationManager private val accountRepo AccountRepository private val opaWebClient WebClient AuthenticationManager override fun authenticate authentication Authentication Authentication val token authentication credentials as String throw BadCredentialsException No token passed val account accountRepo findByPassword token orElse null throw BadCredentialsException Invalid token val path authentication details as List lt String gt val decision opaWebClient post accept MediaType APPLICATION JSON contentType MediaType APPLICATION JSON bodyValue OpaInput DataInput account id path exchangeToMono it bodyToMono DecisionOutput class java block DecisionOutput ResultOutput false if decision result allow return authentication withPrincipal account id else throw InsufficientAuthenticationException OPA disallow Keep the initial authentication logicReplace the authorization with a call to the OPA serviceSerialize the data to conform to the JSON input that the OPA policy expectsDeserialize the resultIf something is 
wrong the default should be to disallowAbide by OPA s resultThe flow is now the following At this point we moved the authorization logic from the code to OPA Moving authentication to the API GatewayThe next and final step is to move the authentication logic The obvious candidate is the API Gateway since we set Apache APISIX in the previous step In general we should use the capabilities of the API Gateway as much as possible and fall back to libraries for the rest Apache APISIX has multiple authentication plugins available Because I used a bearer token I ll use key auth Let s create our users or in Apache APISIX terms consumers consumers username alice plugins key auth key Bearer alice username betty plugins key auth key Bearer betty username bob plugins key auth key Bearer bob username charlie plugins key auth key Bearer charlieNow we can protect the Spring Boot upstream routes uri finance salary upstream type roundrobin nodes boot plugins key auth header Authorization proxy rewrite headers set X Account consumer name Authenticate with key auth and the Authorization headerSets the consumer id in the X Account HTTP header for the upstreamAPISIX guarantees that requests that reach the Spring Boot app are authenticated The code only needs to call the OPA service and follow the decision We can entirely remove Spring Security and replace it with a simple filter bean val repo ref lt EmployeeRepository gt router val props ref lt AppProperties gt val opaWebClient WebClient create props opaEndpoint filter req next gt validateOpa opaWebClient req next GET finance salary user name internal fun validateOpa opaWebClient WebClient req ServerRequest next ServerRequest gt ServerResponse ServerResponse val httpReq req servletRequest val account httpReq getHeader X Account val path httpReq servletPath split filter it isNotBlank val decision opaWebClient post accept MediaType APPLICATION JSON contentType MediaType APPLICATION JSON bodyValue OpaInput DataInput account path 
exchangeToMono it bodyToMono DecisionOutput class java block DecisionOutput ResultOutput false return if decision result allow next req else ServerResponse status HttpStatus UNAUTHORIZED build Get the account name from the API GatewayNothing changes afterwardThe final flow is the following ConclusionEverything looks like a nail when all you ve got is a hammer Developers mighty hammer of choice is code I ve written tons of code to solve problems and later on I ve used even more libraries to solve even more problems As you evolve from developer to architect you increase the number of tools you have In this regard code is only one tool among many Your organization has many infrastructure tools you can leverage to develop solutions at minimal costs In this post I ve shown how you can leverage OPA and Apache APISIX to move your authentication and authorization logic from the code to the infrastructure The former allows you to audit your security policies the latter coherence among all your upstream across all tech stacks The complete source code for this post can be found on GitHub To go further Spring SecurityOpen Policy AgentOPA BundlesRego playgroundSpring Security Authorization with OPAOriginally published at A Java Geek on February th |
2023-03-02 08:06:00 |
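Medical |
Medical and Nursing Care CBnews |
Clinics without beds decline for the first time in 2 years, December 2022: MHLW survey; hospitals increase for the first time in 2 years and 10 months |
https://www.cbnews.jp/news/entry/20230302173358
|
medical facilities |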
2023-03-02 17:45:00 |
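Finance |
Financial Services Agency website |
Updated the list of issuers of gift certificates and similar instruments currently undergoing refund procedures under the Payment Services Act. |
https://www.fsa.go.jp/policy/prepaid/index.html
|
Payment Services Act |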
2023-03-02 10:00:00 |
Finance |
Financial Services Agency website |
We are recruiting staff. (Staff to engage in the planning and drafting of systems, etc.) |
https://www.fsa.go.jp/common/recruit/r4/kikaku-15/kikaku-15.html
|
drafting |
2023-03-02 10:00:00 |
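Finance |
NLI Research Institute |
Points to watch for the My Number Card going forward: January issuance rate posts second-highest increase on record |
https://www.nli-research.co.jp/topics_detail1/id=74050?site=nli
|
By the abolition of health insurance cards planned for autumn of the fiscal year, further measures to promote uptake, including among this group, and a mechanism that keeps medical visits unhindered even for those who have not obtained a My Number insurance card need to be put in place; discussions are currently under way at the Digital Agency's "Study Group on the Integration of the My Number Card and Health Insurance Card." |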
2023-03-02 17:58:33 |
Finance |
Bank of Japan: RSS |
[Press conference] Policy Board member Nakagawa (Fukushima, March 1) |
http://www.boj.or.jp/about/press/kaiken_2023/kk230302a.pdf
|
press conference |
2023-03-02 18:00:00 |
News |
@Nikkei Digital Edition |
Russia advances on key eastern stronghold; Ukrainian side says "no withdrawal yet"
https://t.co/2F9x2mhBwI |
https://twitter.com/nikkei/statuses/1631217248701382656
|
advance |
2023-03-02 08:57:53 |
News |
@Nikkei Digital Edition |
Medical gloves: obstacles to bringing production back to Japan; lessons of COVID-19 put to the test
https://t.co/rWUjXZjtFC |
https://twitter.com/nikkei/statuses/1631203680124039168
|
production |
2023-03-02 08:03:58 |
Overseas news |
Japan Times latest articles |
Details emerge on teenage suspect in stabbing at Saitama school |
https://www.japantimes.co.jp/news/2023/03/02/national/crime-legal/saitama-school-stabbing-details/
|
Details emerge on teenage suspect in stabbing at Saitama school. Police arrested the year old on suspicion of attempted murder after he allegedly stabbed a year old teacher multiple times in the arms and stomach |
2023-03-02 17:34:04 |
News |
BBC News - Home |
Covid messages leak a massive betrayal says Matt Hancock |
https://www.bbc.co.uk/news/uk-politics-64818969?at_medium=RSS&at_campaign=KARANGA
|
covid |
2023-03-02 08:43:13 |
News |
BBC News - Home |
Eurovision 2023: Tickets will go on sale on Tuesday 7 March |
https://www.bbc.co.uk/news/entertainment-arts-64784428?at_medium=RSS&at_campaign=KARANGA
|
finals |
2023-03-02 08:30:12 |
News |
BBC News - Home |
500 Words: BBC Breakfast to relaunch children's writing competition |
https://www.bbc.co.uk/news/entertainment-arts-64808395?at_medium=RSS&at_campaign=KARANGA
|
henry |
2023-03-02 08:20:16 |
News |
BBC News - Home |
Fifa's appointment of supermodel Adriana Lima as fan ambassador in Women's World Cup year criticised |
https://www.bbc.co.uk/sport/football/64821116?at_medium=RSS&at_campaign=KARANGA
|
Fifa's appointment of supermodel Adriana Lima as fan ambassador in Women's World Cup year criticised. Former Australia international Moya Dodd says Fifa's appointment of supermodel Adriana Lima as its global fan ambassador in a Women's World Cup year is baffling |
2023-03-02 08:24:33 |
Business |
Fukeiki.com |
Medical Net books extraordinary loss due to bankruptcy of Change the World - Fukeiki.com |
https://www.fukeiki.com/2023/03/medical-net-loss.html
|
recorded |
2023-03-02 08:38:47 |
Business |
Fukeiki.com |
Bankruptcy proceedings ordered for jewelry maker and retailer "Marque," with 500 million yen in liabilities - Fukeiki.com |
https://www.fukeiki.com/2023/03/marque-poupee.html
|
marque |
2023-03-02 08:20:33 |
News |
Newsweek |
Opening up the future of hydrogen use... why so much is expected of a new ultrasonic hydrogen flow and concentration meter |
https://www.newsweekjapan.jp/stories/world/2023/03/post-100990.php
|
|
2023-03-02 17:30:00 |
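News |
Newsweek |
South Korea heading for the world's fastest "population collapse"... while a sharp decline in births has also been under way in North Korea |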
https://www.newsweekjapan.jp/stories/world/2023/03/post-100995.php
|
|
2023-03-02 17:07:00 |
Marketing |
MarkeZine |
Macromill builds a new consumer analysis platform for its digital advertising business and sets up a strategic planner organization |
http://markezine.jp/article/detail/41543
|
organization |
2023-03-02 17:30:00 |
IT |
Weekly ASCII |
Demo of "Grim Guardians" for Switch now available! Live broadcast also scheduled from 20:00 on March 8 |
https://weekly.ascii.jp/elem/000/004/127/4127101/
|
grimguardiansdemonpurge |
2023-03-02 17:55:00 |
IT |
Weekly ASCII |
New sweets brand "Imakara Usagi" launches! Releasing "Tokyo Croquant," a crunchy sweet based on croquants aux amandes |
https://weekly.ascii.jp/elem/000/004/127/4127057/
|
texture |
2023-03-02 17:45:00 |
IT |
Weekly ASCII |
GREE establishes new companies for VTuber business and enterprise metaverse business |
https://weekly.ascii.jp/elem/000/004/127/4127088/
|
vtuber |
2023-03-02 17:40:00 |
IT |
Weekly ASCII |
"Rakuten is furthest ahead in virtualized mobile networks," Mikitani asserts in Spain |
https://weekly.ascii.jp/elem/000/004/127/4127102/
|
mwcbarcelona |
2023-03-02 17:35:00 |
IT |
Weekly ASCII |
Yamazen launches new model of its "DIRECT COOL" water-cooled garment. Cooling lasts longer |
https://weekly.ascii.jp/elem/000/004/127/4127081/
|
directcool |
2023-03-02 17:30:00 |
IT |
Weekly ASCII |
Harman International releases "JBL TUNE 520BT" wireless on-ear headphones with high-quality 33mm dynamic drivers |
https://weekly.ascii.jp/elem/000/004/127/4127085/
|
jbltunebt |
2023-03-02 17:30:00 |
IT |
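Weekly ASCII |
Season 2 "Arrival of Firearms" begins in "Nobunaga's Ambition: Hadou"! New elements such as firearms, trade and technology development implemented |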
https://weekly.ascii.jp/elem/000/004/127/4127098/
|
pcsteam |
2023-03-02 17:30:00 |
IT |
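Weekly ASCII |
Pastel's signature "Nameraka Pudding" arrives in a collaboration with "Pompompurin"! On sale for a limited time from March 15 to April 30 |
https://weekly.ascii.jp/elem/000/004/127/4127055/
|
limited-edition sweets |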
2023-03-02 17:20:00 |
IT |
Weekly ASCII |
TikTok introduces viewing time limits for children and expands parental control features |
https://weekly.ascii.jp/elem/000/004/127/4127084/
|
tiktok |
2023-03-02 17:20:00 |