As the tittle. I'm using Ivy version 6.2 and would like to know how to secure my REST Services using Bearer Authorization instead of basic. Thanks

asked 21.06 at 07:31

thminh's gravatar image

thminh
112
accept rate: 0%


You are free to use any authentication method on modern Axon.ivy platforms.

If you need a non standard authorization approach just implement a custom tomcat valve for authentication and authorization: https://developer.axonivy.com/doc/latest/EngineGuideHtml/integration.html#integration-waf-sso

Implementation details can be found here: https://developer.axonivy.com/doc/latest/EngineGuideHtml/configuration.html#configuration-tomcat-context-xml or here https://github.com/ivy-samples/tomcatValve

... so far about modern Platforms. But I'm not sure whether this works on the very outdated 6.2 leading edge version. So I suggest that you basically ensure that it works on 7.0 LTS. And may give it a try afterwards in the old 6.2... Keep in mind: it was never the idea that outdated leading edge versions are used productive for a long time. Update as fast as you can if you want to operate a secure engine with well documented supported featureset.

link

answered 22.06 at 02:25

Reguel%20Wermelinger's gravatar image

Reguel Werme... ♦♦
6.9k11239
accept rate: 70%

Thanks for your instructions. I created a custom valve in Ivy 7.1 to validate the bearer token. Inside the method, I get the Authorization token in the header and check if it is valid or not, if not, could I stop the request and throw an unauthorized exception back to the client?

@Override
public void invoke(Request request, Response response) throws IOException, ServletException {

    String token = request.getHeader("Authorization");

    if(StringUtils.isEmpty(token)){
        getNext().invoke(request, response);
        return;
    }
    if(TokenValidator.isValidToken(token)){
        String userName = extractUserNameFromToken(token);
        request.setUserPrincipal(createUserPrincipal(userName));
        getNext().invoke(request, response);
    } else {
        // How to reject the request and throw unauthorized exception back to the client? 
    }
}

Thanks

link

answered 28.06 at 02:55

thminh's gravatar image

thminh
112
accept rate: 0%

edited 28.06 at 02:57

1

in case there is no login information: response.sendError(HttpServletResponse.SC_UNAUTHORIZED); or in case of an invalid token: response.sendError(HttpServletResponse.SC_FORBIDDEN);

..this will just end with the correct HTTP status code. most clients will know how to deal with it.

(28.06 at 06:29) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×34
×29
×18

Asked: 21.06 at 07:31

Seen: 78 times

Last updated: 02.07 at 02:50