# User Interfaces
All User Interfaces are served by a web server and a Traefik instance, where every resource is protected by a middleware that ensures only authenticated users can access the Critical Manufacturing UI assets.
A Forward Auth middleware is configured on the UI routes, so traffic is only sent to the final endpoint after validating that the user is authenticated and authorized.
## Forward Auth
When an MES Customer Environment is deployed through the Critical Manufacturing DevOps Center, an IngressRoute for the Critical Manufacturing UI container is created, together with a set of Middlewares and Service endpoints. For every asset except the manifest, the traffic first goes through the Forward Auth middleware, as shown in the YAML snippets below:
### Route

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  labels:
    ...
  name: ui
  namespace: mes
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: PathPrefix(`/`) && !PathPrefix(`/apps/`)
      middlewares:
        - name: ui-headers
          namespace: mes
        - name: ui-auth
          namespace: mes
      services:
        - kind: Service
          name: ui
          namespace: mes
          port: 8080
    - kind: Rule
      match: PathPrefix(`/manifest.json`) && !PathPrefix(`/apps/`)
      services:
        - kind: Service
          name: ui
          namespace: mes
          port: 8080
```
### Middleware

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  labels:
    ...
  name: ui-auth
  namespace: mes
spec:
  forwardAuth:
    address: 'http://traefik-forwardauth:8080/api/auth/validate'
    authResponseHeaders:
      - X-Forwarded-User
    trustForwardHeader: true
```
The middleware makes Traefik forward the request first to the Forward Auth container, which validates authentication and authorization together with the Security Portal and returns a response with the validation outcome. If validation succeeds, the X-Forwarded-User response header is populated with the user from the authentication details, and Traefik then forwards the traffic to the originally requested URL.
If validation fails, the user is redirected to the Security Portal to log in to the system.
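The exchange described above, written out as an added Go example (this is not Critical Manufacturing or Traefik code). It models the three parties on the page: a stand-in for the `/api/auth/validate` endpoint, a stand-in for the `ui` service, and a middleware that applies the same contract Traefik's `forwardAuth` uses: a 2xx answer lets the request through with the listed `authResponseHeaders` copied onto it, anything else is relayed to the client unchanged, so the 302 to the login portal reaches the browser and the UI asset is never touched. The session cookie, the `validSessions` map, the `security-portal.example` URL and all function names are constructed assumptions; the auth service is invoked in-process instead of over HTTP to keep the example self-contained.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constructed session store standing in for the check the Forward Auth
// container performs together with the Security Portal.
var validSessions = map[string]string{"sess-alice": "alice"}

// Placeholder for the Security Portal login URL (assumption).
const loginPortal = "https://security-portal.example/login"

// ValidateHandler models /api/auth/validate: 200 with X-Forwarded-User when
// the session is valid, otherwise 302 to the portal carrying the original URL.
func ValidateHandler(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("session"); err == nil {
		if user, ok := validSessions[c.Value]; ok {
			w.Header().Set("X-Forwarded-User", user)
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	original := r.Header.Get("X-Forwarded-Proto") + "://" +
		r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
	http.Redirect(w, r, loginPortal+"?rd="+url.QueryEscape(original), http.StatusFound)
}

// ForwardAuth applies the forwardAuth contract. `auth` stands in for the HTTP
// call Traefik makes to the configured address; only headers are forwarded.
func ForwardAuth(auth http.Handler, authResponseHeaders []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authReq := r.Clone(r.Context())
		authReq.Body = nil
		// Traefik describes the original request with X-Forwarded-* headers.
		// trustForwardHeader: true (as on the page) additionally keeps values a
		// client already sent, which is only safe behind a trusted edge proxy;
		// this example always derives them from the request itself.
		scheme := "http"
		if r.TLS != nil {
			scheme = "https"
		}
		authReq.Header.Set("X-Forwarded-Method", r.Method)
		authReq.Header.Set("X-Forwarded-Proto", scheme)
		authReq.Header.Set("X-Forwarded-Host", r.Host)
		authReq.Header.Set("X-Forwarded-Uri", r.URL.RequestURI())
		authReq.Header.Set("X-Forwarded-For", r.RemoteAddr)

		rec := httptest.NewRecorder()
		auth.ServeHTTP(rec, authReq)
		res := rec.Result()
		defer res.Body.Close()

		if res.StatusCode >= 200 && res.StatusCode < 300 {
			// Only the auth service decides these headers: drop whatever the
			// client sent under the same name, then copy the validated value.
			for _, h := range authResponseHeaders {
				r.Header.Del(h)
				if v := res.Header.Get(h); v != "" {
					r.Header.Set(h, v)
				}
			}
			next.ServeHTTP(w, r)
			return
		}
		// Not authenticated: relay status, headers (Location) and body as-is.
		for k, vs := range res.Header {
			for _, v := range vs {
				w.Header().Add(k, v)
			}
		}
		w.WriteHeader(res.StatusCode)
		io.Copy(w, res.Body)
	})
}

// UIAssets stands in for the ui Service on port 8080.
func UIAssets(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "asset %s served for %s", r.URL.Path, r.Header.Get("X-Forwarded-User"))
}

// ProtectedUI wires the route from the page: ui-auth in front of the ui service.
func ProtectedUI() http.Handler {
	return ForwardAuth(http.HandlerFunc(ValidateHandler), []string{"X-Forwarded-User"}, http.HandlerFunc(UIAssets))
}

// Serve issues one request and reports status, body and Location header.
func Serve(path, session string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Forwarded-User", "stale-value") // must be replaced by the middleware
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	rec := httptest.NewRecorder()
	ProtectedUI().ServeHTTP(rec, req)
	res := rec.Result()
	body, _ := io.ReadAll(res.Body)
	return res.StatusCode, string(body), res.Header.Get("Location")
}

func main() {
	for _, session := range []string{"sess-alice", ""} {
		status, body, loc := Serve("/index.html", session)
		fmt.Printf("session=%q -> %d %q %s\n", session, status, body, loc)
	}
}
```

The two requests in `main` show both branches: with a valid session the asset is served and `X-Forwarded-User` carries the value the validate endpoint returned (not the stale one on the incoming request); without one, the client receives the validate endpoint's 302 and the originally requested URL travels along in the redirect so the portal can send the user back after login.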