---
alias: operation-guide-security-portal-config-userinterfaces
description: "User interfaces utilize a secure middleware for authentication and authorization via a web server"
---

# User Interfaces

All User Interfaces are served by a web server behind a Traefik instance, where every resource is protected by a middleware that ensures only authenticated users can access the Critical Manufacturing UI assets. A Forward Auth middleware is configured on the UI routes, so traffic is only passed to the final endpoint after validating that the user is authenticated and authorized.

## Forward Auth

When an MES Customer Environment is deployed through the Critical Manufacturing DevOps Center, an `IngressRoute` for the Critical Manufacturing UI container is created, together with a set of Middlewares and Service endpoints. For every asset except the manifest, the traffic first goes through the Forward Auth middleware, as the YAML snippets below show. The `/manifest.json` rule carries no middlewares, so the manifest is served without authentication; Traefik's default route priority is the length of the rule string, which is why this longer, more specific rule takes precedence over the catch-all `PathPrefix(`/`)` rule for that path.

### Route

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  labels: ...
  name: ui
  namespace: mes
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: PathPrefix(`/`) && !PathPrefix(`/apps/`)
      middlewares:
        - name: ui-headers
          namespace: mes
        - name: ui-auth
          namespace: mes
      services:
        - kind: Service
          name: ui
          namespace: mes
          port: 8080
    - kind: Rule
      match: PathPrefix(`/manifest.json`) && !PathPrefix(`/apps/`)
      services:
        - kind: Service
          name: ui
          namespace: mes
          port: 8080
```

### Middleware

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  labels: ...
  name: ui-auth
  namespace: mes
spec:
  forwardAuth:
    address: 'http://traefik-forwardauth:8080/api/auth/validate'
    authResponseHeaders:
      - X-Forwarded-User
    trustForwardHeader: true
```

The middleware makes Traefik first forward the request to the Forward Auth container, which validates the authentication and authorization together with the Security Portal and returns a response with the validation outcome. Two settings in the snippet matter from a security standpoint: `authResponseHeaders` is the allow-list of headers copied from the Forward Auth response onto the upstream request, so only `X-Forwarded-User` reaches the UI container; and `trustForwardHeader: true` tells Traefik to trust the `X-Forwarded-*` headers already present on the incoming request, which is only safe when Traefik itself sits behind a trusted load balancer or reverse proxy that sets them, since otherwise a client can supply them directly.
If the validation succeeds (the Forward Auth container answers with a 2xx status), the `X-Forwarded-User` header from its response is populated with the user taken from the authentication details and copied onto the request, which Traefik then forwards to the originally requested URL. If the validation fails, Traefik returns the Forward Auth container's own non-2xx response to the client instead of contacting the UI service, and the user is redirected to the Security Portal to log in to the system.
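The contract between Traefik and the Forward Auth container, as an added example in Go (this is not Critical Manufacturing's Forward Auth code and does not talk to the Security Portal; it assumes a session cookie named `mes-session`, an in-memory session table and user allow-list standing in for the Security Portal check, and a hypothetical portal login URL). It serves the same `/api/auth/validate` path on port 8080 as the middleware's `address`, answers 2xx with `X-Forwarded-User` when the user is authenticated and authorized, 403 when authenticated but not authorized, and a 302 to the portal carrying the original URL otherwise. It also shows why an `X-Forwarded-User` on the incoming request must never be trusted:

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Assumed login page of the Security Portal (hypothetical host, not from the page).
const portalLoginURL = "https://security-portal.example/login"

// Constructed session store standing in for the Security Portal check:
// session cookie value -> authenticated user.
var sessions = map[string]string{
	"sess-abc123": "alice",
	"sess-def456": "bob",
}

// Constructed authorization list: only these users may use the UI.
var authorizedUsers = map[string]bool{"alice": true}

// Decision summarises the forward-auth reply in a form that is easy to check.
type Decision struct {
	Status   int
	User     string // X-Forwarded-User on the auth response (empty on failure)
	Location string // redirect target when the user must log in
}

// authenticate maps the session cookie to a user. It deliberately ignores any
// X-Forwarded-User arriving on the incoming request: that header is client
// controlled and only carries meaning on the response this service returns.
func authenticate(r *http.Request) (string, bool) {
	c, err := r.Cookie("mes-session") // assumed cookie name
	if err != nil {
		return "", false
	}
	user, ok := sessions[c.Value]
	return user, ok
}

// originalURL rebuilds the URL the browser asked Traefik for from the
// X-Forwarded-* headers Traefik adds to the forward-auth request.
func originalURL(r *http.Request) string {
	proto := r.Header.Get("X-Forwarded-Proto")
	if proto == "" {
		proto = "https"
	}
	return proto + "://" + r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
}

// validateHandler implements /api/auth/validate:
//   - 200 + X-Forwarded-User: Traefik copies the header and forwards upstream
//   - 302 to the portal: Traefik relays this response to the browser
//   - 403: authenticated but not allowed to use the UI
func validateHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := authenticate(r)
	if !ok {
		target := portalLoginURL + "?returnUrl=" + url.QueryEscape(originalURL(r))
		http.Redirect(w, r, target, http.StatusFound)
		return
	}
	if !authorizedUsers[user] {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.Header().Set("X-Forwarded-User", user)
	w.WriteHeader(http.StatusOK)
}

// Evaluate runs the handler on a request without opening a listener.
func Evaluate(r *http.Request) Decision {
	rec := httptest.NewRecorder()
	validateHandler(rec, r)
	return Decision{
		Status:   rec.Code,
		User:     rec.Header().Get("X-Forwarded-User"),
		Location: rec.Header().Get("Location"),
	}
}

func main() {
	// Same path and port as the middleware's `address` on this page.
	http.HandleFunc("/api/auth/validate", validateHandler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

The redirect branch relies on the `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Uri` values Traefik sends with the forward-auth request; with `trustForwardHeader: true` those can originate from the client unless a trusted proxy in front of Traefik overwrites them, so the return URL should be validated against the expected host before a real portal honours it.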