FROST-Server Documentation

Live documentation for the development version.

Authentication and Authorisation

There are many ways to secure webservices. The most flexible one is to use an external reverse proxy. Since this can be tricky to set up, FROST offers some simple auth* options.

Auth* has to happen in two places: in the HTTP package and in the MQTT package. To make things flexible, authentication is handled by classes that implement an interface, just like the persistence backends. The interface to be implemented is de.fraunhofer.iosb.ilt.sta.util.AuthProvider.

An example docker-compose file with basic auth set up can be found at: docker-compose-separated-basicauth.yaml

More fine-grained authorisation rules can be configured using:

Roles

FROST-Server asks the AuthProvider if the user has the following roles:

Currently there are two auth packages included: FROST-Server.Auth.Basic and FROST-Server.Auth.Keycloak.

Auth settings

These are generic settings for authentication/authorisation.

Settings for the auth provider class BasicAuthProvider

The BasicAuthProvider needs a database to store its usernames, passwords and user roles. This database can be the same as the database used by the persistence manager, but it can also be a different database. The database has the same structure as described in the DataSourceRealm documentation of Tomcat except with the table and column names in upper case, like the rest of the database. If you let this provider create its database tables (with auth.autoUpdateDatabase) it will create three default users:

You should change these default users!

The BasicAuthProvider has the following specific settings:

Settings for the auth provider class KeycloakAuthProvider

Keycloak requires a JSON config file. The contents of this file are provided by the Keycloak server. There are three ways to pass this configuration to FROST:

When setting roles for a user, the roles need to be set explicitly for the FROST client. Realm roles do not automatically apply to FROST.