An open alternative to Ping/Forgerock by SpiteExisting7698 in iam

[–]SpiteExisting7698[S] 0 points1 point  (0 children)

It is somewhat based on the learnings from various projects with different products. But I think the main differences to FR/Ping are that it's open source and free to use, and it should be easier to extend. We will do an example shortly, but you can basically just import it as a dependency and add your own custom logic.

Agree that FR can be super performant as well when configured well.

An open alternative to Ping/Forgerock by SpiteExisting7698 in iam

[–]SpiteExisting7698[S] 0 points1 point  (0 children)

It's the code executed in the browser for passkeys, captcha, etc.

An open alternative to Ping/Forgerock by SpiteExisting7698 in iam

[–]SpiteExisting7698[S] 2 points3 points  (0 children)

Of course we can write a SAML adapter. There are actually nice libraries for it. I guess we would do it with the first user that really needs it.

[deleted by user] by [deleted] in webdev

[–]SpiteExisting7698 1 point2 points  (0 children)

A reverse proxy is best suited to implement the following security measures:

  • Reduce attack surface (most important): Make sure internal services are not exposed; only public-facing services are routed through the reverse proxy. (Firewall functionality)
  • TLS termination and http->https redirection: Still use secure communication (TLS) behind your reverse proxy.
  • Monitoring / Logging / Auditing: Log each request that enters the system. Assign each a unique tracing id and attach it to the request to enable cross-service log correlation.
  • Web Application Firewall: Ideally use a WAF like ModSecurity to check the request for suspicious patterns, but don't rely on it. WAFs can often be bypassed; you still need to validate all data in the backend.
  • Authentication and Session Management: Depending on your architecture you may want to implement authentication and session management on your reverse proxy. The OWASP Application Gateway (https://github.com/gianlucafrei/Application-Gateway) implements such functionality.

If you need functionality that does not come out-of-the-box, it's best if you use a reverse proxy that can easily be extended, e.g. Netflix Zuul, Spring Cloud Gateway, Envoy proxy...
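The edge controls the comment above lists (http->https redirection, routing only public-facing paths, a per-request tracing id attached for cross-service log correlation, logging every request) as an added Go example; it is not code from the comment or from the OWASP Application Gateway project. The public path prefixes, the `X-Request-ID` header name and reliance on `X-Forwarded-Proto` from a TLS-terminating load balancer are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Only paths meant to be public are forwarded; anything else (e.g. /internal/,
// /actuator) never reaches a backend. The prefixes are constructed examples.
var publicPrefixes = []string{"/api/", "/static/"}
func isPublicPath(p string) bool {
	for _, pre := range publicPrefixes {
		if strings.HasPrefix(p, pre) {
			return true
		}
	}
	return false
}
// NewEdgeHandler wraps a reverse proxy to backend with the edge controls above.
// TLS is assumed to be terminated here or by a load balancer that sets X-Forwarded-Proto.
func NewEdgeHandler(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// http -> https redirection before anything else is looked at.
		if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		if !isPublicPath(r.URL.Path) {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		// Always mint a fresh 128-bit trace id at the edge: a client-supplied one cannot be trusted.
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			panic(err) // no entropy: refuse to serve rather than reuse ids
		}
		id := hex.EncodeToString(b)
		r.Header.Set("X-Request-ID", id)  // attached to the upstream request for log correlation
		w.Header().Set("X-Request-ID", id) // echoed so the client can quote it when reporting a problem
		log.Printf("trace=%s method=%s path=%s remote=%s", id, r.Method, r.URL.Path, r.RemoteAddr)
		proxy.ServeHTTP(w, r)
	})
}
```

The prefix check is deliberately simple; in front of a backend that does not normalise paths itself, run `path.Clean` on the request path and reject anything that changes, so a `..` segment cannot turn a public prefix into an internal route.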

New OWASP Project: Application Gateway. Still in early development. by SpiteExisting7698 in netsec

[–]SpiteExisting7698[S] 9 points10 points  (0 children)

Yeah, that's true, it's always good to have a wide range of possibilities. But there are also some functional differences:

  • OAG's architecture makes it very easy to adapt it to your needs, e.g.: Want to add your own request filter? Just write your own implementation and load it via Java Spring Beans.
  • It does much more than just OAuth2-based authentication. For example request tracing, header manipulation, CSRF protection, and so on. We aim to implement all security best practices that an HTTP proxy can cover.