Servlet Admin

Alex Vigdor edited this page Mar 26, 2018 · 1 revision

groovity-servlet-admin

Groovity servlet admin is a web-based admin UI for groovity projects that allows you to manually compile scripts, review documentation, retrieve performance statistics, observe thread health, and validate web path precedence or conflicts. It is packaged as a module that is automatically provided when running the groovity maven plugins or standalone containers, and can be imported as a dependency into any groovity project to be part of production deployments in servlet containers as well.

Groovity-servlet-admin depends on the ability of all hosts in a cluster to communicate with each other over HTTP, for example to tell all or some hosts to perform a compilation, or to retrieve or reset statistics. The ClusterProvider API allows custom implementations of how cluster membership is managed; for example, the groovity-aws-servlet project has a component allowing AWS DynamoDB to be used as a cluster member registry. You can wire in a custom cluster provider by class name using the system property groovity.clusterProvider.

In order for a groovity servlet application to register itself with a ClusterProvider, it must be able to discover its own IP address and port. While in some circumstances these can be discovered automatically, there are cases where it may not work, so groovity-servlet-admin provides additional configuration and extension points.

Groovity servlet admin can be accessed via a web browser at the path

/groovity/servlet/admin/ui/compiler

Configuration

Groovity needs to know what port it can be reached at in order to register with a cluster. Add a "groovity.port" system property to specify a value other than the default.

port

The port number at which this servlet application can be reached by other cluster members (defaults to 80)

Security

Because groovity servlet admin exposes sensitive information and capabilities, you must configure it with appropriate security credentials OR an authentication policy in order to protect it when deployed. Only when running a local environment using the groovity maven plugin or groovity standalone container will you find unobstructed access to the admin console.

Two forms of security are required: a "UI Policy" controls access to the servlet admin web pages when called from a browser, and an "API Policy" controls access to the cluster communication APIs that the cluster members use to talk to one another on the backend.

The default UI policy can be configured to enable UI access by passing in an admin password via the environment.

groovity.cluster.password

Required UNLESS a custom policy is applied; used to configure a password for the "admin" user to access servlet admin UI using the default policy.

groovity.cluster.username

Optional, specify a username other than "admin" to be used for UI credentials.

As an alternative to providing specific authentication credentials, you may specify a custom auth policy be used to gate access to the admin UI, for example to piggyback on an authenticated session already recognized by the application.

groovity.servlet.admin.ui.policy

Optionally used to specify the path of a groovity script that acts as an authentication policy for the servlet admin; this will disable default cluster username/password recognition in deference to the provided policy.

To enable secure API calls between cluster hosts, you must also configure API security. The default API security policy allows you to enable cluster communication by providing a secret key used to perform HMAC signatures of API calls.

groovity.cluster.secret

Required UNLESS a custom policy is applied; used to configure a shared secret known to all cluster members and used to sign and verify cluster API calls.

groovity.cluster.keyId

Optional, specify a keyId other than "groovityCluster" to use with the shared secret for authentication.

An alternative to providing a shared secret would be to establish a custom API authentication policy to protect API endpoints in groovity servlet admin.

groovity.servlet.admin.api.policy

Optionally used to specify the path of a groovity script that acts as an authentication policy for servlet admin API calls; this will disable signing and validation performed using cluster keyId and secret in deference to the provided policy.

Finally, you may disable both UI and API authentication entirely and run groovity servlet admin in an open/unprotected mode; it is recommended that this only be done for private or development environments, or in deployments where front-end routing blocks public access to paths under "/groovity/servlet/admin/".

groovity.cluster.disableAuth

Set to "true" to disable servlet admin authentication in this environment. This setting is automatically enabled when running applications using the groovity maven plugin and groovity standalone container.
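A pre-deployment check for the settings described in this section, as an added example that is not part of groovity or of the original page. It assumes the properties are passed to the JVM as -Dgroovity.* flags; the minimum secret length and the password/secret reuse check are this example's own choices, and all sample values are constructed.

```python
import shlex

PREFIX = "groovity."
MIN_SECRET_LEN = 32  # assumption of this example, not a groovity requirement

def parse_props(jvm_opts):
    """Collect -Dgroovity.* system properties from a JVM options string."""
    props = {}
    for tok in shlex.split(jvm_opts):
        if tok.startswith("-D" + PREFIX):
            key, _, value = tok[2:].partition("=")
            props[key[len(PREFIX):]] = value.strip()
    return props

def audit(jvm_opts, production=True):
    """Return a list of findings; an empty list means the options pass."""
    props = parse_props(jvm_opts)
    findings = []
    # Treat any casing of "true" as disabling auth (conservative assumption).
    if props.get("cluster.disableAuth", "").lower() == "true":
        if production:
            findings.append("disableAuth: admin UI and cluster API are open")
        return findings
    # UI: a password is required unless a custom policy script is set.
    if not (props.get("cluster.password") or props.get("servlet.admin.ui.policy")):
        findings.append("ui: no cluster.password and no servlet.admin.ui.policy")
    # API: a shared secret is required unless a custom policy script is set.
    secret = props.get("cluster.secret", "")
    if not props.get("servlet.admin.api.policy"):
        if not secret:
            findings.append("api: no cluster.secret and no servlet.admin.api.policy")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append("api: cluster.secret shorter than %d chars" % MIN_SECRET_LEN)
    if secret and secret == props.get("cluster.password"):
        findings.append("reuse: cluster.secret equals cluster.password")
    return findings

# Constructed sample option strings (values are placeholders, not real secrets).
SAMPLES = {
    "unset": "-Xmx512m -Dgroovity.port=8080",
    "open": "-Dgroovity.cluster.disableAuth=true",
    "weak": "-Dgroovity.cluster.password=hunter2 -Dgroovity.cluster.secret=hunter2",
    "ok": "-Dgroovity.cluster.password=EXAMPLE-ui-passphrase "
          "-Dgroovity.cluster.secret=EXAMPLE-0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for name, opts in SAMPLES.items():
        print(name, audit(opts))
```

Run it in the deployment pipeline against the options string a production host will start with, and pass production=False only for local environments where open access is intended.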

Java Extensions

Groovity Servlet Admin supports 2 Java plugin APIs to adapt to different environments. You can wire in your custom implementations by specifying the className via init-params in the application web.xml, or via System properties in the environment prefixed with "groovity."

localHostResolver implements com.disney.groovity.servlet.cluster.LocalHostResolver

Use a LocalHostResolver to support custom local host resolution in cases where InetAddress.getLocalHost() can't resolve a local domain name, e.g. in an AWS EC2 VPC.

clusterProvider implements com.disney.groovity.servlet.cluster.ClusterProvider

Provide an appropriate implementation of cluster state management so hosts can discover one another.
