[SOLVED] World server design questions simethereal

Vault works like you're saying.

When you start vault, you create a token for access to it.

$ vault server --dev --dev-root-token-id="00000000-0000-0000-0000-000000000000"

Set two environment variables.

$ export VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
$ export VAULT_ADDR="http://127.0.0.1:8200"

Create an endpoint as key/value pairs in Vault.

$ vault kv put secret/github github.oauth2.key=foobar

Set up your apps with a bootstrap.properties file.

spring.cloud.vault.token=00000000-0000-0000-0000-000000000000
spring.cloud.vault.scheme=http

Now you can retrieve them in your code by calling the endpoint.

vaultTemplate.opsForKeyValue("secret", KeyValueBackend.KV_2).get("github");

You can also create new key-values, encrypt, decrypt, whatever.

Very slick as this vault will be run on its own server without anything else running on it.

This is a bump update.

I have been studying Vault since the last post and it's helped me to understand the things @jayfella was saying immensely. Vault does everything you mentioned and more.

I ran into the usual problems with some documentation not as up to date as should be but have worked with hashicorp to get some things cleaned up. They are really responsive to reports.

In the final stages of bringing everything together now. Vault is very addicting but it’s the way to go for securing apps with SpringBoot imo.

On another note, I will have my own linux box for server testing in a couple of months since win 7 is hitting end of life. It's a 32 bit Pentium that runs too good to just toss but just can't handle windows 10. Can't wait.

3 Likes

A small design question.

The gameserver credentials reside in the vault server but the way I am using vault is that the only app that can connect to vault is the WorldServer app and then it's policy restricted to only read a server's credentials for authentication.

WorldServer only allows connections to the endpoints for saving and updating from specific addresses, ie the gameservers.

What are the opinions on using environment variables vs file for storing credentials of the gameservers for sending to the WorldServer?
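A policy of the kind described in this post (the WorldServer token may only read game server credentials), written out as an added example rather than anything posted in the thread. The policy name, the secret path `secret/data/gameservers/*` and the token TTL mentioned below are assumptions. It assumes the KV secrets engine is mounted at `secret` as version 2, matching the `KeyValueBackend.KV_2` call earlier in the thread, which is why the rule targets the `data/` sub-path rather than the bare `secret/gameservers/...` path used on the CLI:

```hcl
# worldserver-read.hcl (hypothetical name; added example, not from the thread)
#
# KV v2 stores values under <mount>/data/<path>, so a read-only rule on the data
# path is what lets the WorldServer fetch a game server's credential and nothing
# else. Vault denies every path not listed here, so there is no create, update,
# delete or list capability for the token that carries this policy, and no
# access to metadata or to any other mount.
path "secret/data/gameservers/*" {
  capabilities = ["read"]
}
```

Apply it with `vault policy write worldserver-read worldserver-read.hcl` and issue the WorldServer a token that carries only that policy, for example `vault token create -policy=worldserver-read -ttl=1h`; that token, not the dev root token from the first post, is what belongs in bootstrap.properties. With a short TTL and read-only scope, a leaked WorldServer token cannot be used to alter or enumerate credentials, and it expires unless the renewal shown later in the thread keeps it alive.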

I mean it’s not the end of the world. I know it’s common practice in some areas to do this. For example when you push jars to hosts, instead of putting your password in a build file you can use various other methods, one of which is pulling from an env var.

Technically speaking passwords should keep their presence in memory as short as possible (and in some super-sensitive cases they use an array of chars and overwrite them before disposing). My opinion of it is that it’s a frowned-upon method. I may do it personally, but I wouldn’t do it in a corporate environment, or at least wouldn’t encourage it as a standard procedure.
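One way to do the file-in-development, environment-in-deployment scheme while keeping the credential's presence in memory short, as the previous two posts discuss. This is an added example, not code from the thread or from SimEthereal; the variable name `GAMESERVER_SECRET`, the path `/etc/gameserver/secret` and the `WorldServerClient` interface are hypothetical stand-ins for whatever the real WorldServer client exposes.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

public final class CredentialLoader {

    /** Hypothetical client; the real WorldServer call would go over TLS. */
    public interface WorldServerClient {
        void login(String serverId, char[] secret);
    }

    private CredentialLoader() {}

    /**
     * Deployment: read the environment variable. Development: read the file.
     * Returns a char[] the caller owns and must wipe with Arrays.fill() after use.
     */
    public static char[] load(String envVar, Path fallbackFile) throws IOException {
        String fromEnv = System.getenv(envVar);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            // Caveat: System.getenv() hands back an immutable String that stays on the
            // heap until collected, and the process environment is inherited by every
            // child process. Copying to char[] only limits what this code keeps around.
            return fromEnv.toCharArray();
        }
        byte[] raw = Files.readAllBytes(fallbackFile);
        try {
            CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
            char[] chars = new char[decoded.remaining()];
            decoded.get(chars);
            if (decoded.hasArray()) {
                Arrays.fill(decoded.array(), '\0'); // scrub the decoder's own copy
            }
            return stripTrailingNewlines(chars);
        } finally {
            Arrays.fill(raw, (byte) 0); // scrub the file bytes whether or not decode succeeded
        }
    }

    /** Editors append a newline to secret files; drop it without keeping the old array. */
    private static char[] stripTrailingNewlines(char[] in) {
        int end = in.length;
        while (end > 0 && (in[end - 1] == '\n' || in[end - 1] == '\r')) {
            end--;
        }
        if (end == in.length) {
            return in;
        }
        char[] out = Arrays.copyOf(in, end);
        Arrays.fill(in, '\0');
        return out;
    }

    /** Use the secret once, then wipe it even if login() throws. */
    public static void authenticate(String serverId, char[] secret, WorldServerClient client) {
        try {
            client.login(serverId, secret);
        } finally {
            Arrays.fill(secret, '\0');
        }
    }

    public static void main(String[] args) throws IOException {
        char[] secret = load("GAMESERVER_SECRET", Paths.get("/etc/gameserver/secret"));
        authenticate("gameserver-1", secret,
                (id, s) -> System.out.println("login " + id + " with a " + s.length + "-char secret"));
        // 'secret' is all zeros from here on; the only lingering copy would be the
        // String returned by System.getenv() when the value came from the environment.
        System.out.println("wiped: " + (secret.length == 0 || secret[0] == '\0'));
    }
}
```

The point of the char[] is not that it is unreadable, only that it can be overwritten on your schedule; a String cannot. Whichever source you pick, the file should be readable only by the service account, and the environment variable should be set by the service manager for that one process rather than exported in a login shell.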

Right, I am wanting to avoid pushing a file to github and I exclude it from the dist jar as well.

I have it setup to use files during development and environment during deployment.

Vault uses config files for server and environment for clients.

Doesn’t seem to be a standard based off reading the war about it. Always good points for and against. I am having trouble pulling the trigger on files because of my past experiences with VPS.

Well keep in mind that a database is a file, too. So in that respect they are as vulnerable as flat files. And if I have access to the database I have access to the salt, and therefore the password.

Choose a reputable host.

Yeah, my first choice is centurylink but they have horrible customer service for business accounts. Been trying for 3 weeks to get them to even talk to me so that screams avoid at all costs.

My second choice doesn’t have enough data centers for what I am wanting to do but they have awesome VPS and dedicated pricing and customer service.

My two choices are digitalocean for a VPS and OVH for a dedicated. Kimsufi is an OVH reseller, and can be cheaper. Hetzner are another solid company.

1 Like

I would suggest you use consul for healthcheck, service discovery…, keycloak as a main point for issuing, validating jwt, roles, sessions, security realms, users (can be integrated with 3rd party services for oauth2), and leave vault for good; also dockerize everything for a happy life.

Oh My.

2019-09-12 16:43:09.629  INFO 764100 --- [ctor-http-nio-4] v.a.ReactiveLifecycleAwareSessionManager : Scheduling Token renewal
AUTHENTICATED true ID gameserver-1 Authority [XXX] cred xxxxxxxxx
2019-09-12 16:43:27.630  INFO 764100 --- [ctor-http-nio-1] c.p.s.ServerStats                        : Server [1] reported [0] players.
2019-09-12 16:43:27.631  INFO 764100 --- [ctor-http-nio-1] c.p.s.ServerRepositoryImpl               : addServerStats() #servers[1] { "serverId": "1", "numOfPlayers": "0", "location": "Temp City, USA", "memberServer": "false", "serverAddress": "localhost:4269" }
[snip]
v.a.ReactiveLifecycleAwareSessionManager : Renewing token
2019-09-12 16:44:49.704  INFO 764100 --- [ctor-http-nio-4] v.a.ReactiveLifecycleAwareSessionManager : Scheduling Token renewal
AUTHENTICATED true ID gameserver-1 Authority [XXX] cred xxxxxxx
2019-09-12 16:45:06.673  INFO 764100 --- [ctor-http-nio-1] c.p.s.ServerStats                        : Server [1] reported [1] players.
2019-09-12 16:45:06.674  INFO 764100 --- [ctor-http-nio-1] c.p.s.ServerRepositoryImpl               : updateServerStats() #servers[1] { "serverId": "1", "numOfPlayers": "1", "location": "Temp City, USA", "memberServer": "false", "serverAddress": "localhost:4269" }
2019-09-12 16:45:14.705  INFO 764100 --- [g-Cloud-Vault-2] v.a.ReactiveLifecycleAwareSessionManager : Renewing token
2019-09-12 16:45:14.724  INFO 764100 --- [ctor-http-nio-4] v.a.ReactiveLifecycleAwareSessionManager : Scheduling Token renewal
[snip]
2019-09-12 16:51:05.151  INFO 764100 --- [g-Cloud-Vault-2] v.a.ReactiveLifecycleAwareSessionManager : Renewing token
2019-09-12 16:51:05.166  INFO 764100 --- [ctor-http-nio-4] v.a.ReactiveLifecycleAwareSessionManager : Scheduling Token renewal
AUTHENTICATED true ID gameserver-1 Authority [xxx] cred xxxxxxx
2019-09-12 16:51:06.818  INFO 764100 --- [ctor-http-nio-1] c.p.s.ServerStats                        : Server [1] reported [0] players.
2019-09-12 16:51:06.819  INFO 764100 --- [ctor-http-nio-1] c.p.s.ServerRepositoryImpl               : updateServerStats() #servers[1] { "serverId": "1", "numOfPlayers": "0", "location": "Temp City, USA", "memberServer": "false", "serverAddress": "localhost:4269" }

Did I mention I hate functional programming and lambdas? Except Optionals and Providers.

I finally have a fully secured, custom reactive vault server implementation, that I can now use in my game for users, apps and anything else that needs it.

I had to implement a custom authorization manager and was able to get it working except for a bug in ONE LINE in the LAST METHOD. I understood exactly what was wrong, could easily fix it with normal java techniques or if this was a REST server but this crap is streams, lambda, functions and reactive programming.

Once upon a time I could have grabbed a good book on the subject and persevered. Not so easy now days. I literally read hundreds of terse, poorly written web pages written by people who mean well but suck at teaching. This includes the java tutorials. I even read the table of contents on dozens of books and their sample chapters, which I am really good at determining the quality of the teaching from.

But like Paul mentioned, you may only get a chapter or less out of them worth a crap. Most were 2 pages at best. Though I consider myself a moderately skilled java coder, I am totally green on functional reactive programming and the light bulb just wouldn’t turn on.

Did I mention I hate functional programming? Except Optionals and Providers.

Finally, after turning every link on the subject in google and bing purple (literally hundreds) and 7 days, 8-12 hrs a day of reading, I ran across this.

https://www.oracle.com/webfolder/technetwork/tutorials/obe/java/Lambda-QuickStart/index.html#

It helped because it uses a proper teaching technique but it wasn’t until I found this link at the very bottom of that page, literally the last link in the summary,

To learn more about Java and related topics check out the Oracle Learning Library.

that I got rid of my huckleberry. If you follow the learn link and enter lambdas in the search there is a free course on lambdas and streams that is just damn good stuff.

I still suck at this type of programming and think that it's a total waste of effort for such a small gain. You give up readability for terse code and excruciatingly painfully hidden bugs using this crap.

I can see how some people could like it for some things but I truly don’t get the hard swing to using it that I see happening. Why not just binary code instead? About as intuitive.

2 Likes

Java streams are hit or miss IMO, often not worth the effort.

Silly fad in another futile attempt to appease the cool kids who’ve already moved on*. :slight_smile:
(*Except in situations where it makes sense to use parallelStream() for performance benefits.)

I once asked a guy teaching this stuff “What’s the downside?”, and he said learning curve. I would add readability/maintainability, myself.

On lambdas… for backend stuff, I rarely find myself using them. But with JavaFX UIs… damn, it would be painful without them. (NetBeans code assist also a big help there.)

Congrats on getting through the pain of security implementation.

1 Like

Does your code complete on this?

Authentication::updateSomething

Seems to me that once you enter the second colon, code completion would work.

Sort of, I have to ctrl+space to get a popup.
But I guess I was more specifically referring to these deals - a bit much to type by hand:

Thread.setDefaultUncaughtExceptionHandler((Thread t, Throwable e) -> {
});

Thanks, that works.

I really haven’t used streams for much of anything - functional/streaming programming can be very non intuitive and outside of the parallelism benefits of parallel streaming like @louhy mentioned I don’t see the point. Lambdas used on their own (for single-method interface implementations) are AWESOME though - and very necessary for clean and concise JavaFX code. The icing on the cake is method references to instance methods - function pointer passing can be very powerful when used properly in native code, and this finally lets us get the goodies from that in Java without all of the (many) associated risks!

1 Like

Yet one more thing in my list of to learn things. I started java with 1.7 and swing and am pretty good using it. I plan on learning javaFX so looks like learning functional programming will pay off there by the sounds of it.

From what I remember from the videos, I think there's like 70 classes and 90 methods (vice versa?) in the entire java library that even use functional programming and that seems to me Oracle expended a huge amount of effort into this for such a small return.

I can tell it will be mandatory to know it well very soon so I will continue using it myself whenever I can I guess.

2 Likes

I wouldn’t really characterize JavaFX programming as being functional programming - lambdas are super useful as event listeners, but otherwise it’s a very powerful UI toolkit that’s heavily object-oriented. The property abstractions take some getting used to but are ridiculously powerful.

1 Like

Does anyone use a server management system of some type?

Something that will startup servers in a certain order and wait for responses?

Maybe even notify by sendmail that one is not responding?

On the Game Client for users, should I timeout their World Server Client connection to the world stat server once they connect to the game?

SimEthereal flow is that the window they use to connect from gets removed from the GUI node upon connecting and added back to the gui node upon disconnecting from the game through disable/enable so it's not rebuilt.

I don't send input from the World Server unless the user's World Server client asks for it but I am not certain what would happen even if they did get some input on the port while it was detached from the gui node.

Is it possible somehow someone could send them something to the port or possible they could receive something and if they do is that a problem if the node is removed from the gui node?

I am pretty sure but not 100% sure that since this is a “lazy” implementation that I shouldn’t need to timeout.

Docs say nothing can happen unless I subscribe so I should be ok.