Stream: hapi
Topic: Securing HAPI
Richard Kavanagh (Apr 19 2016 at 16:11):
Does anyone know whether HAPI has an authentication layer as part of the core offering?
Kevin Mayfield (Apr 19 2016 at 17:33):
I think James answered that on the google HAPI group the other day.
Kevin Mayfield (Apr 19 2016 at 17:33):
https://groups.google.com/forum/#!topic/hapi-fhir/xgTKteUVREc
Kevin Mayfield (Apr 19 2016 at 17:42):
I'd assume you'd be able to secure it with Spring OAuth2; presumably it's just a bit of config. (It'd be on our to-do list; we have Spring securing our existing FHIR APIs.)
James Agnew (Apr 19 2016 at 17:48):
Yup, the idea with AuthorizationInterceptor is that you could put an authentication/authorization layer on top of your server, of your choice. It could be Spring Security, or custom code talking to an LDAP or whatever else makes sense.
The output of the outer security layer would be decisions about what the current user is allowed to do (i.e. it might say I'm authorized to view anything in the Patient/1 compartment, and write Observations). AuthorizationInterceptor lets you declaratively implement those rules.
James Agnew (Apr 19 2016 at 17:48):
..if that makes sense... ahh security is annoying :)
Brian Postlethwaite (Apr 19 2016 at 21:42):
Doing step 1 is pretty easy: getting the OAuth-based identity verified, and filtering access types to the specific resource types.
The next step, providing resource-level security, is where things get more interesting and harder. We are looking into this at the moment with sqlonfhir.
Brian Postlethwaite (Apr 19 2016 at 21:43):
(as filtering at the outset is not ideal, as you usually need to get all the way to the disk and filter there, since this affects paging data when searching)
Brian Postlethwaite (Apr 19 2016 at 21:44):
Filtering the direct GET/DELETE/POST/PUT is not too bad though
Kevin Mayfield (Apr 20 2016 at 07:36):
@Jonny Rylands you might be interested in the topic. Several of the code4health reps (both DS@Endeavour) wanted to go down the OAuth2 route using LDAP. With my DevOps hat on, I'm keen to go down the Spring Security route to keep config differences minimal.
Sean McIlvenna (Jul 16 2018 at 19:23):
Looking to secure HAPI's REST server with OAuth. Has anyone done this, yet? The "server security" documentation page doesn't provide a lot of guidance on how to do this... I imagine I would create an interceptor that validates the oauth token, but are there any examples of doing this yet?
Sean McIlvenna (Jul 16 2018 at 19:23):
@James Agnew
Sean McIlvenna (Jul 16 2018 at 19:38):
I may have found the answer in an example: https://github.com/jamesagnew/hapi-fhir/tree/master/hapi-fhir-oauth2
Let me know if I am wrong :)
Joel Schneider (Jul 17 2018 at 01:38):
FYI, PublicSecurityInterceptor.java and TdlSecurityInterceptor.java in https://github.com/jamesagnew/hapi-fhir/tree/master/hapi-fhir-jpaserver-uhnfhirtest/src/main/java/ca/uhn/fhirtest/interceptor implement very simple-minded bearer token checks.
Last updated: Apr 12 2022 at 19:14 UTC