Security

Tamás Kőhegyi edited this page Nov 25, 2015 · 4 revisions

Approach

Wilma and Wilma Message Search applications are designed for use in software development environments; never use them in a production environment. They are also designed on the assumption that end users know exactly what they are doing when they set up these applications and log the traffic. For these reasons no security is built into these applications: all settings are available to everybody who can reach the instances, without any restriction. When any kind of access restriction is added to the product, it is not there to increase security but to reduce accidental setup changes that may drastically influence the proxy and stub behavior of Wilma.

Note: WARNING! Wilma is capable of acting as a Man-In-The-Middle (MiM) for SSL and 2-way SSL connections. You must not use it in a production environment, and must not use it where sensitive information is transferred over such channels, because Wilma will decrypt and log those messages in plain text. Use it in development/test environments and don't use production data for developing/testing applications.

Host Based Access Limitation

Wilma supports a host-based security solution that restricts access to:

  • Wilma's internal settings (basically the buttons on the /index page).
  • Uploading of StubConfigs and external classes/jars.

If you want to use this feature, you have to provide the path to an admin_hosts_file (relative to the project root) in the Wilma configuration file, under the wilma.admin.hosts.file key.

To disable the security feature, either leave the wilma.admin.hosts.file key completely empty (that is, nothing at all, not even whitespace characters, after the equals sign) or remove the key itself.

The admin_hosts_file should contain one hostname or IP per line.

Current limitations:

  • If you want to grant admin rights to the localhost:
    • Using "localhost" as the hostname isn't supported; use 127.0.0.1 instead and access Wilma from that IP.
    • Alternatively, use your fully qualified hostname and access Wilma on the local machine through that name.
  • For other hosts you can use either their simple hostname or their IP.

Examples:

  • Simple hostname: mymachinename
  • Fully qualified hostname: mymachinename.somewhere.com
  • Admin hosts file (one entry per line):
    127.0.0.1
    mymachinename1
    mymachinename2

URL:

At the URL http://wilmahost:wilmaport/config/public/adminstatus you can check whether your host has admin rights. The answer is given as JSON (for example, if you don't have admin rights: {"adminStatus": false}).
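As an added illustration of the rules above (example code written for this page, not Wilma's own implementation), the following Python reads the wilma.admin.hosts.file key from a properties-style configuration, loads the admin hosts list, flags the unsupported "localhost" entry, and produces an answer in the same {"adminStatus": ...} shape as /config/public/adminstatus. The configuration and hosts file contents are constructed samples, and exact string matching of the requester's IP or resolved hostname against the file entries is an assumption.

```python
import json
from typing import Optional, Set

ADMIN_HOSTS_KEY = "wilma.admin.hosts.file"

# Constructed samples standing in for the real files Wilma reads from disk.
SAMPLE_CONFIG = "wilma.proxy.port=9092\nwilma.admin.hosts.file=config/admin_hosts.txt\n"
SAMPLE_ADMIN_HOSTS = "127.0.0.1\nmymachinename1\n\nmymachinename2\n"


def admin_hosts_path(config_text: str) -> Optional[str]:
    """Return the configured admin hosts path, or None when the restriction is
    disabled: the key is absent or nothing at all follows the '='. A value made
    of whitespace only is returned verbatim, mirroring the wiki's caveat that
    even whitespace after the equals sign does not disable the feature."""
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == ADMIN_HOSTS_KEY:
            return value if value != "" else None
    return None


def parse_admin_hosts(text: str) -> Set[str]:
    """One hostname or IP per line; blank lines are skipped (assumption)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def unsupported_entries(hosts: Set[str]) -> list:
    """Entries the wiki says do not work: 'localhost' (use 127.0.0.1 instead)."""
    return sorted(h for h in hosts if h.lower() == "localhost")


def admin_status(requester_ip: str, requester_host: str,
                 admin_hosts: Optional[Set[str]]) -> dict:
    """Same shape as the /config/public/adminstatus answer. With the restriction
    disabled (None) every requester is an admin; otherwise the requester's IP or
    resolved hostname must appear verbatim in the file (matching is an assumption)."""
    if admin_hosts is None:
        return {"adminStatus": True}
    return {"adminStatus": requester_ip in admin_hosts or requester_host in admin_hosts}


if __name__ == "__main__":
    path = admin_hosts_path(SAMPLE_CONFIG)            # "config/admin_hosts.txt"
    hosts = parse_admin_hosts(SAMPLE_ADMIN_HOSTS) if path else None
    print("restriction enabled:", path is not None, "unsupported:", unsupported_entries(hosts or set()))
    print(json.dumps(admin_status("10.0.0.5", "otherhost", hosts)))   # {"adminStatus": false}
    print(json.dumps(admin_status("127.0.0.1", "localhost", hosts)))  # {"adminStatus": true}
```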

Protecting Stub Access

The /stub page, the internal webapp page used to receive stub requests, accepts requests from Wilma itself only (only internal requests are allowed); otherwise it sends back the message "Wilma has declined this request." with an E503 error code.

Logging Configuration Changes

All config changes (regardless of whether they are made via the UI or via the service) are logged in the application log, together with the requestor's IP (or rather host name).