Secure the Todo Application
Now we secure the Tasks API by requiring the caller to have the
read:tasks role for the
write:tasks role for the
The Zilla engine configuration defines a flow of named bindings, each representing one step in the pipeline, as inbound network traffic is decoded and transformed and then encoded into outbound network traffic as needed.
When routing at each binding, Zilla can guard a route to require that specific roles have been granted to the caller. If the caller does not have the required roles, then the route is ignored. If no routes are viable, then the HTTP request fails with 404 Not Found.
Zilla trusts JWT tokens based on the token key of the token provider.
Alternatively, copy the contents of zilla.json shown below to your local
This allows the Zilla engine to validate the API caller's JWT access token at the http_server0 binding, so that routes further along in the pipeline can verify that the caller has the required roles.
Then, add the
zilla.json, giving the following updated configuration.
Now run the command below to update the zilla service and force a restart.
docker service update --force \
$(docker stack services example -q -f name=example_zilla)
Let's verify the Tasks API using curl as shown below.
curl -v http://localhost:8080/tasks
> GET /tasks HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.79.1
> Accept: */*
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Access-Control-Allow-Origin: *
As you can see, the GET /tasks API is now secured against unauthorized access, without leaking any information about failed security checks.
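To make the guarded-route behaviour concrete, here is an added Python model of the decision described above; it is not Zilla's code. It verifies a token, reads the granted roles, applies the read:tasks and write:tasks guards in route order, and answers 404 whenever no route is viable, so a failed guard looks the same as an unknown path. It assumes a constructed HS256 shared secret in place of the token provider's key and a space-separated "scope" claim carrying the roles.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the token provider's key (assumption: HS256 shared secret;
# a real provider would publish an asymmetric public key instead)
SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(roles, exp_in=300):
    """Constructed token: roles travel in a space-separated 'scope' claim (assumption)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"scope": " ".join(roles), "exp": int(time.time()) + exp_in}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token):
    """Roles granted by a valid token; an empty set for a malformed, tampered or expired one."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return set()
        claims = json.loads(b64url_decode(payload))
        if claims.get("exp", 0) <= time.time():
            return set()
        return set(claims.get("scope", "").split())
    except (ValueError, AttributeError, TypeError):
        return set()

# Routes in pipeline order; each guard names the roles the caller must hold
ROUTES = [
    {"method": "GET", "path": "/tasks", "guarded": {"read:tasks"}},
    {"method": "POST", "path": "/tasks", "guarded": {"write:tasks"}},
]

def route_request(method, path, authorization=None):
    """Status of the routing decision: a route whose guard is not satisfied is skipped,
    and with no viable route the answer is 404, exactly as for an unknown path."""
    roles = set()
    if authorization and authorization.startswith("Bearer "):
        roles = verify_token(authorization[len("Bearer "):])
    for route in ROUTES:
        if (method, path) == (route["method"], route["path"]) and route["guarded"] <= roles:
            return 200
    return 404
```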
Initially you will see an error message caused by attempting to list the current tasks as an unauthorized user without the
Login button and follow the flow to become an authorized user; then you will see your profile picture in the upper right corner in place of the login button.
For the purposes of this guide, all authorized users are implicitly granted both
write:tasks roles for the Tasks API at
The Todo Application now behaves as expected, with authorized-only access to the Tasks API.