Hi Ivy Team

I have a HtmlDialog containing several links to our RESTful API (implemented using Axon.ivy). However, every time the user accesses to the API, the browser requires authentication even though the user has already logged in.

I'm aware of the javax.annotation.security.PermitAll/DenyAll (-- which seems to be the only annotations supported?) but I want to keep the Basic authentication intact.

Say the page could be like this:

< !-- The HelloWorld dialog -->
< h:html>
    < h:body>
        < h:outputLink value="/ivy/api/designer/helloworld" target="_blank">
            Click to see Hello World
         < /h:outputLink>

        < h:outputLink value="/ivy/file/designer/session/some_file_already_created.txt" target="_blank">
            Get content of file
        < /h:outputLink>
    < h:/body>
< /h:html>

The first link will require authentication whereas the second works normally.

Is there a possible way to overcome this?

asked 22.02.2017 at 08:26

Genzer%20Hawker's gravatar image

Genzer Hawker
481222535
accept rate: 66%

Did you try to use the plain JAX-RS api javax.ws.rs.client.ClientBuilder.newClient() and re-use the returned instance of the client?

(22.02.2017 at 09:47) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image

Hi @Reguel Wermelinger, I want to expose and then let the user consumes the RESTful API from the browser. In my setup, the RESTful classes and the JSF page are in the same project.

(22.02.2017 at 09:50) Genzer Hawker Genzer%20Hawker's gravatar image

How did the user authenticate to access the HtmlDialog? I guess that if Basic AUTH was used to access the dialog, then the authentication headers will also be sent to follow up requests and therefore work for the REST api.

(22.02.2017 at 10:15) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image

The user is authenticated (Developer on designer). Even if the header Cookie:JSESSIONID=XXXX; oam.Flash.RENDERMAP.TOKEN=-yyyyyy is transfered but it still require to input username and password. It seems the header Basic XXXX is not present so it (Jersey) will automatically assume the UserPrinciple is not initialized. The filter does not check the Cookie though.

(22.02.2017 at 10:27) Genzer Hawker Genzer%20Hawker's gravatar image
1

Hi @Reguel Wermelinger, via an internal resource, I know that the JIRA issue XIVY-1183 will address the problem I asked. Looking forward to version 6.6. Please add the answer once the feature is implemented.

(23.02.2017 at 05:39) Genzer Hawker Genzer%20Hawker's gravatar image

You asked also "I'm aware of the javax.annotation.security.PermitAll/DenyAll (-- which seems to be the only annotations supported?":

We support next to @DenyAll and @PermitAll also @RolesAllowed. Look at the com.axonivy.connectivity.rest.provider.SecureService class in the Axon.ivy sample project "ConnectivityDemos".

(02.03.2017 at 11:40) Alex Suter ♦♦ Alex%20Suter's gravatar image
showing 5 of 6 show 1 more comments

LE Version 7.1+:

Since version 7.1 the Ivy Engine is able to reuse the authenticated session for the REST service call. This was implemented with XIVY-1183.

Note that the Engine will check for the CSRF (X-Requested-By) mitigation in the header. See chapter Engine REST Integration in our documentation.

LTS Version 7.0.11+:

We now will apply these changes to the LTS version 7.0.11 (story XIVY-3119).

Note that by default this feature is switched off and the Engine is also not checking for the CSRF header token. In order to enable the session reuse you need to set the following Java system properties to true:

  • IVY_REST_SERVLET_SESSION_REUSE
  • IVY_REST_SERVLET_CSRF_PROTECTION

For security reasons it is highly recommended to enable the CSRF mitigation when enabling the REST session reuse.

link

answered 14.03 at 10:29

Andreas%20Rusch's gravatar image

Andreas Rusch
27613
accept rate: 87%

edited 15.03 at 04:58

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×35
×25

Asked: 22.02.2017 at 08:26

Seen: 1,385 times

Last updated: 29.03 at 05:49