JarCastingPlume Admin
Plume Admin is based on Plume Framework, it provides Jersey web services to build an administration area.
If you are looking for a JavaScript frontened that uses these web-services, check out the Plume Admin UI for AngularJS.
Looking for a demo? Check out the Plume Demo project.
Installation
- Maven dependency:
<dependency>
<groupId>com.coreoz</groupId>
<artifactId>plume-admin-ws</artifactId>
</dependency>
- Guice module:
install(new GuiceAdminWsWithDefaultsModule()) - Jersey web-services:
packages("com.coreoz.plume.admin.webservices") - Jersey admin security:
register(AdminSecurityFeature.class) - Jersey security: If the access control mechanism is setup, you need to add the
RestrictToAdmin.classaccess control annotation:config.register(RequireExplicitAccessControlFeature.accessControlAnnotations(PublicApi.class, RestrictToAdmin.class)); - Generate a JWT secret key and register it in your configuration:
admin.jwt-secret = "long_generated_password_to_secure_jwt_tokens" - For non-https environments (ie localhost for dev), set the configuration value:
admin.session.fingerprint-cookie-https-only = false(this configuration value should be set to true in HTTPS environments like production) - SQL, see setup files
- Install a JS frontend like Plume Admin UI for AngularJS
Current user access
To fetch the current user in an administration web-service, this Jersey binder must be installed in the Jersey configuration class:
register(new AbstractBinder() {
@Override
protected void configure() {
bindFactory(WebSessionAdminFactory.class).to(WebSessionPermission.class).in(RequestScoped.class);
bindFactory(WebSessionAdminFactory.class).to(WebSessionAdmin.class).in(RequestScoped.class);
}
});
Admin security
To use this module without Admin Web-services, you may want to provide implementations of AdminPermissionService, WebSessionSigner, and JwtSessionSigner. As an example, here is what is defined in the Admin Web-services Guice configuration:
bind(AdminPermissionService.class).to(AdminPermissionServiceBasic.class);
bind(WebSessionSigner.class).toProvider(JwtSessionSignerProvider.class);
bind(JwtSessionSigner.class).toProvider(JwtSessionSignerProvider.class);
Configuration
To generate JWT secret, LastPass generator can be used with a password length of about 50 characters.
# this key should be changed in production if test users cannot be trusted
admin.jwt-secret = "long_generated_password_to_secure_jwt_tokens"
# default values
# the duration after which a session token expires
admin.session.expire-duration = 1 minute
# the duration after which the client should refresh the session token (must be lower than the expire duration)
admin.session.refresh-duration = 20 seconds
# the duration after which the client should stop refreshing the session token (must be greater than the expire duration)
admin.session.inactive-duration = 15 minutes
admin.login.max-attempts = 5
admin.login.blocked-duration = 30 seconds
admin.passwords.min-length = 0
# if a secure cookie is emitted alongside the JWT token to prevent XSS attacks
# see https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html for details
admin.session.use-fingerprint-cookie = true
# on localhost when using HTTP, this option must be set to false => this should be set to true at least on production
admin.session.fingerprint-cookie-https-only = true
# enable to ensure that users passwords are long enough
admin.passwords.min-length = 0
WS System module
To set up the module, install the Plume Schedule module in ApplicationModule: install(new GuiceSchedulerModule());
HTTP API Log module
To set up the module:
- Maven:
<dependency>
<groupId>com.coreoz</groupId>
<artifactId>plume-admin-api-log</artifactId>
</dependency>
- Install the Plume Schedule module in
ApplicationModule:install(new GuiceSchedulerModule()); - Scheduler:
LogApiScheduledJobs logApiScheduledJobs; // from dependency injection
logApiScheduledJobs.scheduleJobs();
Upgrade instructions
See the releases notes to see the upgrade instructions.
