As the title. I'm using Ivy version 6.2 and would like to know how to secure my REST Services using Bearer Authorization instead of basic. Thanks

asked 21.06.2018 at 07:31


thminh
(suspended)
accept rate: 0%


You are free to use any authentication method on modern Axon.ivy platforms.

If you need a non-standard authorization approach, just implement a custom Tomcat valve for authentication and authorization: https://developer.axonivy.com/doc/latest/EngineGuideHtml/integration.html#integration-waf-sso

Implementation details can be found here: https://developer.axonivy.com/doc/latest/EngineGuideHtml/configuration.html#configuration-tomcat-context-xml or here: https://github.com/ivy-samples/tomcatValve

... so far about modern platforms. But I'm not sure whether this works on the very outdated 6.2 leading edge version. So I suggest that you basically ensure that it works on 7.0 LTS, and maybe give it a try afterwards in the old 6.2... Keep in mind: it was never the idea that outdated leading edge versions are used productively for a long time. Update as fast as you can if you want to operate a secure engine with a well documented, supported feature set.


answered 22.06.2018 at 02:25


Reguel Werme... ♦♦
accept rate: 70%

Thanks for your instructions. I created a custom valve in Ivy 7.1 to validate the bearer token. Inside the method, I get the Authorization token in the header and check if it is valid or not, if not, could I stop the request and throw an unauthorized exception back to the client?

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.commons.lang3.StringUtils; // assuming commons-lang3; the post does not say which StringUtils

// Class name and imports added for context; the post shows only the invoke() method.
public class BearerTokenValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {

        String token = request.getHeader("Authorization");

        // No Authorization header at all: pass the request on unchanged
        if (StringUtils.isEmpty(token)) {
            getNext().invoke(request, response);
            return;
        }
        // TokenValidator, extractUserNameFromToken and createUserPrincipal are the poster's own helpers
        if (TokenValidator.isValidToken(token)) {
            String userName = extractUserNameFromToken(token);
            request.setUserPrincipal(createUserPrincipal(userName));
            getNext().invoke(request, response);
        } else {
            // How to reject the request and throw unauthorized exception back to the client?
        }
    }
}

Thanks


answered 28.06.2018 at 02:55


thminh
(suspended)
accept rate: 0%

edited 28.06.2018 at 02:57


In case there is no login information: response.sendError(HttpServletResponse.SC_UNAUTHORIZED); or in case of an invalid token: response.sendError(HttpServletResponse.SC_FORBIDDEN);

...this will just end with the correct HTTP status code. Most clients will know how to deal with it.

(28.06.2018 at 06:29) Reguel Werme... ♦♦
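A complete valve along the lines of Reguel's comment, as an added example that is not code from the thread or from the ivy-samples tomcatValve repository. Everything specific in it is assumed for the example: the class name BearerAuthValve, the `secret` attribute set on the `<Valve>` element in context.xml (Tomcat populates valve attributes through JavaBean setters), and the token format `<user>.<base64url(HMAC-SHA256(secret, user))>` handled by the HmacTokenValidator; a real deployment would plug in its own TokenValidator, typically a JWT library that also checks signature, issuer and expiry. Two points differ from the plain sendError() in the comment: the rejection also sends the WWW-Authenticate challenge that RFC 6750 expects, and an invalid token gets 401 with error="invalid_token", since the RFC reserves 403 for a valid token with insufficient scope. The request is stopped simply by returning without calling getNext().invoke().

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// Example valve (not from the thread). Configured in context.xml as
//   <Valve className="BearerAuthValve" secret="..."/>
// Tomcat calls setSecret() for the attribute; without it the valve refuses to start.
public class BearerAuthValve extends ValveBase {

    /** Pluggable validation: the user name for a good token, empty otherwise. */
    public interface TokenValidator {
        Optional<String> userFor(String token);
    }

    private static final String BEARER_PREFIX = "Bearer ";
    private String secret;
    private TokenValidator validator;

    public void setSecret(String secret) { this.secret = secret; }

    @Override
    protected synchronized void startInternal() throws LifecycleException {
        // Fail closed: an engine without a configured secret must not start unauthenticated.
        if (secret == null || secret.isEmpty()) {
            throw new LifecycleException("BearerAuthValve: attribute 'secret' is required");
        }
        validator = new HmacTokenValidator(secret);
        super.startInternal();
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String header = request.getHeader("Authorization");
        // No bearer credentials: 401 plus a WWW-Authenticate challenge so the client
        // learns which scheme is expected (RFC 6750, section 3). Scheme is case-insensitive.
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            reject(response, HttpServletResponse.SC_UNAUTHORIZED, null);
            return;
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        Optional<String> user = validator.userFor(token);
        // Token present but invalid: RFC 6750 answers 401 with error="invalid_token"
        // (403 is reserved for insufficient_scope). Returning here without calling
        // getNext() is what actually stops the request.
        if (!user.isPresent()) {
            reject(response, HttpServletResponse.SC_UNAUTHORIZED, "invalid_token");
            return;
        }
        String name = user.get();
        request.setUserPrincipal(() -> name); // java.security.Principal is a functional interface
        getNext().invoke(request, response);
    }

    private static void reject(Response response, int status, String error) throws IOException {
        String challenge = error == null ? "Bearer" : "Bearer error=\"" + error + "\"";
        response.setHeader("WWW-Authenticate", challenge);
        response.sendError(status);
    }

    /** Assumed format for the example: "<user>.<base64url(HMAC-SHA256(secret, user))>".
     *  It carries no expiry or audience; a JWT validator would check those as well. */
    static final class HmacTokenValidator implements TokenValidator {
        private final byte[] key;

        HmacTokenValidator(String secret) { this.key = secret.getBytes(StandardCharsets.UTF_8); }

        @Override
        public Optional<String> userFor(String token) {
            int dot = token.lastIndexOf('.');
            if (dot <= 0 || dot == token.length() - 1) {
                return Optional.empty();
            }
            String user = token.substring(0, dot);
            byte[] presented;
            try {
                presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            } catch (IllegalArgumentException e) {
                return Optional.empty();
            }
            // Constant-time comparison: do not leak how many signature bytes matched.
            return MessageDigest.isEqual(presented, sign(user)) ? Optional.of(user) : Optional.empty();
        }

        private byte[] sign(String user) {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(key, "HmacSHA256"));
                return mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }
}
```

Note that, unlike the code in the question, this valve does not let a request without an Authorization header continue down the pipeline; if some paths must stay anonymous, the valve needs an explicit allow-list for them rather than a fall-through.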
Asked: 21.06.2018 at 07:31

Seen: 3,052 times

Last updated: 02.07.2018 at 02:50