[Apiman-user] Securing apiman admin resources and ports

Paul Blair pblair at clearme.com
Tue Nov 24 11:53:17 EST 2015


One thing we're noticing working with apiman is that besides the apiman management console, running apiman on Wildfly exposes a Wildfly admin console as well. In addition, the Wildfly configuration exposes ports for ajp and several other things. We're looking to make sure all this is locked down and secure. I have a few questions relative to that:

One alternative for us would be to run the gateway and management console with embedded Jetty instead of Wildfly as described in the recent post on micro-services. Since we want all authentication to go through Keycloak it looks like we'd need to modify the authentication handlers/filters in the gateway. Is there a good example of how to go about writing an authentication handler for Keycloak?

What would we be giving up if we were to go with the micro-service approach rather than running on Wildfly? One thing I know we'd be giving up is the HA clustering. Is apiman stateless? Could we just run multiple Jetty instances and load balance across them?

If we stay on Wildfly we'd like to secure the Wildfly management console using Keycloak, which I read is possible using Wildfly 9. Is there any issue with deploying apiman to Wildfly 9?