
@AdamBien
Last active November 23, 2019 14:47
68thAirhacksQ&A.md

Ask questions and see you on November 1st, 6 P.M. CET: http://www.ustream.tv/channel/adambien

Also check out the recent episode:

67th airhacks.tv

Please keep the questions Java EE-stic, meaning as short and as concise as possible. Feel free to ask several, shorter questions.

@comdotlinux

comdotlinux commented Oct 25, 2019

Hi Adam.

Last time I asked about how to pass secret data in Quarkus without checking in the secret to git.

Of course I know the often propagated way to use system or environment properties.

BUT: In my eyes it is not “production ready” when you write a DB password or sth like that to an environment variable.

By printing “env” someone (hacker, sysadmin, technician from outside the team) has the easiest way to get my DB password. Often some servers also print out the vars in the log.

So I think, this is not a good way, especially to meet the requirements of security compliances of a company.

What is your opinion about that?

As we use Payara as application server, there is a way to store these secrets as a domain password alias and reference it with simple Injections.

So my question last time was: Is there a way in Quarkus to store and read a password safely not using system or environment vars.

Thanks.

Best regards from Hamburg.

Bastian

Hello Bastian
I think Quarkus just had a release and they have a new plugin that may be interesting to you: https://quarkus.io/blog/quarkus-0-26-1-released/
The name is https://www.vaultproject.io/ and the guide is here: https://quarkus.io/guides/vault-guide

The extension comes with a MicroProfile config source so you can directly inject secured properties coming from Vault in your application.

Hope this helps. But it will be interesting to hear what Adam thinks of not only this project but also how we can go about using something else. Who knows, maybe there will be a standard MicroProfile API which vendors can implement for secrets!

Thanks,
Guru

@mhrnr

mhrnr commented Oct 31, 2019

Hi Adam,

I'm using JSR-375 Security API in my Jakarta EE project with the out-of-the-box LdapIdentityStore, for example:

```java
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;

@LdapIdentityStoreDefinition(url = "ldap://dc:389",
                             bindDn = "CN=...",
                             bindDnPassword = "...",
                             useFor = IdentityStore.ValidationType.VALIDATE)
@ApplicationScoped
public class LdapIdentityStore {
}
```

Is it possible to define the attributes for the IdentityStore (url, bindDn, ...) programmatically (without writing a custom IdentityStore)? I do not want to hard-code them in the Java class. For example I want to read them from environment variables.

kind regards
Markus

@agimshen

Hello Adam

What is the best way to achieve consistency in microservices?
What is Quarkus? As a Jakarta EE developer in 2019, should you care/learn about Quarkus, what are its benefits or drawbacks?

Thank you

@robert-niestroj

robert-niestroj commented Oct 31, 2019

In one of your podcasts you talked with Robert Scholte about Maven clean and that it should not be used. So my question: since this command exists, when should it be used? Why is it not removed or deprecated? Recently I stopped using clean and after a while ran into a problem. After a dependency upgrade in pom.xml, the dependency appeared twice in the /target folder, old and new version, causing problems at runtime. mvn clean solved the problem. I think it still has its place.

@gbourant

gbourant commented Nov 1, 2019

Hi Adam,

Let's assume that you are building a service and you have to deploy it on bare metal servers using either of the below:

  1. Docker/Docker Swarm (no auto scaling feature out of the box)
  2. Kubernetes
  3. OKD/OpenShift

Since I would like to use the out of the box auto scaling feature I would choose the 2nd or 3rd option.

My question is: OKD/OpenShift puts another layer of abstraction on top of Kubernetes, is it worth using OKD/OpenShift with the extra layer/complexity?

Thank you.

@guiphh

guiphh commented Nov 1, 2019

Hi Adam,
First, thank you for the show and the podcast, really inspiring and great resources :)

Now the questions:

  1. I've created a Quarkus app and I'm using FreeMarker to template the HTML frontend because I find it simple and easy to implement. Is it a good approach and how to secure my app against CSRF attacks and so on...? Or do I need to use JavaScript only and POST JSON?

  2. In your Hibernate with Panache video, the properties of the Workshop class are left public. Could you please explain why?

  3. I've used your enhydrator to do a PoC for ETL work. Would you still recommend it nowadays (now that Nashorn has been deprecated) or would you recommend a new approach?

Thank you,
Guillaume

@sebargarcia

Hi Adam, looking at the specs in MicroProfile (Config, OpenAPI, Health Check, Metrics, etc.), do you recommend including and using them in a monolithic Jakarta EE app (single war)? Because if an application server like Payara, WildFly or TomEE already includes them, we can use it and keep our war thin. What are the benefits of these libraries in a monolithic app?

Thank you.

@dempile

dempile commented Nov 1, 2019

Hi Adam,
We have completed all the microservices connection system with CDC and an Apache Kafka cluster and it's time to go to production. Do you think it's recommended to use OKD 3.11 instead of OpenShift 3.11? If not, what kind of alternative do you recommend in a self-hosted on-premises environment?
Thanks

@ggam

ggam commented Nov 23, 2019

@mhrnr You can use Expression Language in order to get a configuration value from a CDI bean. See an example: https://github.com/eclipse-ee4j/soteria/blob/master/test/app-custom-rememberme/src/main/java/org/glassfish/soteria/test/TestAuthenticationMechanism.java#L40

That's part of the spec and so is totally portable. A future version of the spec will probably add MicroProfile Config support.
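
The Expression Language approach from the comment above, applied to the `@LdapIdentityStoreDefinition` from the earlier question. This is an added example, not part of the thread or of the Soteria code base; the bean name `ldapConfig`, the class name `LdapConfig` and the `LDAP_*` variable names are assumptions.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Named;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;

// Added example: the EL expressions below resolve against this same CDI bean
// through its @Named value. The bean name "ldapConfig" and the LDAP_* variable
// names are assumptions made for the illustration.
@LdapIdentityStoreDefinition(
        url = "#{ldapConfig.url}",
        bindDn = "#{ldapConfig.bindDn}",
        bindDnPassword = "#{ldapConfig.bindDnPassword}",
        useFor = IdentityStore.ValidationType.VALIDATE)
@Named("ldapConfig")
@ApplicationScoped
public class LdapConfig {

    public String getUrl() {
        return required("LDAP_URL");
    }

    public String getBindDn() {
        return required("LDAP_BIND_DN");
    }

    public String getBindDnPassword() {
        return required("LDAP_BIND_PASSWORD");
    }

    // Fail fast instead of attempting an LDAP bind with an empty DN or
    // password; the message names the variable but never echoes a value.
    private static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing required setting: " + name);
        }
        return value;
    }
}
```

Because the annotation only refers to the bean's getters, the lookup inside `required` can be replaced by a read from a mounted secret file or another store without touching the annotation.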
