January 22, 2016 at 1:38 pm #7021
Just wondering what methods people are using to restrict access to the OpenAM admin web interface, while still allowing users to log in via the web interface?

January 22, 2016 at 1:59 pm #7022 Brad Tumy (Participant)
The recommended approach is to install the server-only version of OpenAM. You can then install an instance with the console on another server that is restricted to access only by the admin group.

January 22, 2016 at 2:04 pm #7023
Do we know if this will still be the case with version 13?

January 22, 2016 at 2:11 pm #7024 Brad Tumy (Participant)
I am not an authoritative source but it’s a pretty important feature so I would be surprised if it was deprecated. You should be able to check out the nightly build to verify if openam-console and openam-server directories are still present.
You can browse the source here as well:
https://stash.forgerock.org/projects/OPENAM

January 22, 2016 at 2:16 pm #7025
Thanks Brad. I’m currently using the nightly build (which seems to have changed to v14) and couldn’t see any OpenAM-ServerOnly war files. Hopefully these will be included when this reaches release status.

January 24, 2016 at 2:58 am #7042 Peter Major (Moderator)
The server-only mode has been deprecated. With the introduction of the XUI admin console, the separation of admin/user stuff is mostly gone, hence it would be difficult to come up with such WARs as well (not to mention the fact that server-only always exposed the same REST APIs as the full WAR, so just removing the XUI admin console won’t resolve the problem with all the config related REST endpoints being available).

January 24, 2016 at 3:43 pm #7048 Bill Nelson (Participant)
Peter, couldn’t you take another approach, outside of the OpenAM application to address this?
For instance, place OpenAM behind a reverse proxy and limit access to certain URLs – i.e. REST endpoints for managing configuration – from external users or even perform URL rewrites in the RP for URLs that might be considered sensitive or that pass certain query strings.
Another option could be to update the servlet filters that protect certain REST endpoints to only allow traffic from internal users (rather than external users).
Thoughts?

January 26, 2016 at 2:35 am #7105 Peter Major (Moderator)
I suppose as long as there is a need for this kind of deployment, there is a good chance that some kind of new interpretation will be introduced in one of the upcoming releases.

April 22, 2019 at 9:18 pm #25669 ddil (Participant)
Does OpenAM 6 provide a solution for a user console?

May 1, 2019 at 3:20 pm #25706 Andy Cory (Participant)
No, the admin console and user-facing pages are still part of the same WAR application. IMO, the preferred solution is to whitelist endpoints using a reverse proxy as @bill-nelsonidentityfusion-com suggested (3 years ago). Or in an enterprise environment you may have the option to do the same thing on an F5 device, for example.
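To make the reverse-proxy approach Bill Nelson and Andy Cory recommend concrete, the following is an added example for this thread; it is not code from OpenAM, ForgeRock or any of the posters. It models the decision a proxy rule set (nginx, Apache httpd, an F5 iRule) would make in front of a single OpenAM WAR: default-deny, a short allowlist of end-user paths open to everyone, and the whole application, config REST endpoints included, only from an admin network. The /openam context path, the endpoint prefixes and the 10.0.0.0/8 admin network are assumptions about a typical deployment and must be checked against your own instance. It also shows the caveat a practitioner needs when doing this at the proxy: the policy has to be applied to the path as the servlet container will route it, otherwise percent-encoding, dot-segments or ";" path parameters slip past a prefix match.

```python
"""Model of a reverse-proxy allowlist in front of a single OpenAM WAR.

Added example for this thread; not code from OpenAM, ForgeRock or any
poster. The /openam context path, the endpoint prefixes and the admin
network below are assumptions about a typical deployment.
"""
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed admin-side network; every other client is treated as external.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed end-user paths under the /openam context. Each entry matches the
# path itself and anything below it. /openam/XUI is shared with the admin
# console (Peter Major's point above): the console's JavaScript is still
# served to everyone, but the /json/global-config and /json/realm-config
# calls it makes fall through to the default deny.
PUBLIC_PREFIXES = (
    "/openam/XUI",
    "/openam/UI",
    "/openam/json/authenticate",
    "/openam/json/sessions",
    "/openam/json/users",      # self-service; OpenAM's own authz still gates admin use
    "/openam/json/serverinfo",
    "/openam/oauth2",
)


def normalize_path(raw_path: str) -> str:
    """Return the path in the form the servlet container will route.

    A rule that matches the raw request string can be walked around with
    encoding, dot-segments or ";" path parameters, so the policy is applied
    to the canonical form instead.
    """
    path = raw_path.split("?", 1)[0]          # match on the path, never the query
    for _ in range(2):                         # undo single and double percent-encoding
        path = unquote(path)
    # Tomcat strips ";name=value" path parameters per segment before routing.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse ".", ".." and repeated slashes; force a single leading slash.
    return "/" + posixpath.normpath(path).lstrip("/")


def decide(raw_path: str, client_ip: str) -> str:
    """Return "allow" or "deny" for one request."""
    path = normalize_path(raw_path)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in ADMIN_NETWORKS):
        return "allow"                         # admins reach the full WAR
    for prefix in PUBLIC_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return "allow"
    return "deny"                              # default-deny covers every config endpoint


if __name__ == "__main__":
    # Constructed requests: legitimate end-user calls plus the evasion
    # shapes a naive prefix match on the raw string would let through.
    external, admin = "203.0.113.5", "10.1.2.3"
    for path, ip in [
        ("/openam/json/authenticate", external),
        ("/openam/json/global-config/servers", external),
        ("/openam/json/global-config/servers", admin),
        ("/openam/json/authenticate/../global-config/servers", external),
        ("/openam/json;x=1/global-config/servers", external),
        ("/openam/json/%2e%2e/%2e%2e/json/global-config/servers", external),
    ]:
        print(f"{decide(path, ip):5}  {ip:12}  {path}")
```

The same shape carries over to a real proxy: a default `deny` location, explicit `location` or `LocationMatch` blocks for the public prefixes, and a source-address check for everything else. Two things are worth keeping in mind from the model. First, because the XUI routes its admin screens with URL fragments (`#realms/...`) that never reach the server, the console UI will load for an external user; what the allowlist actually stops is the configuration REST traffic behind it, which is the exposure Peter Major describes. Second, make sure the proxy evaluates the normalized path (nginx's `location` matching and httpd's `LocationMatch` operate on the decoded, normalized URI, but custom rewrite rules and iRules that read the raw URI do not).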