REST API and JSESSIONID

0

Hi Ivy Team,

Is there a way to get the JSESSIONID (or the whole cookie itself) of the logged in user ?

I want to build a rest method which is authenticating the user. I need to return the cookie, so that next requests are authenticated

BR, Yordan

asked 30.09.2019 at 03:58

Stelt0's gravatar image

Stelt0
(suspended)
accept rate: 12%

If the client is in the browser the JSESSIONID works for both the web and the rest stack. But this is transparent and you have nothing to configure. Generally it is not possible to get the JSESSION cookie, this would be a security risk. But that I can give you a concrete answer you have to explane exactly what is your usecase...

(01.10.2019 at 02:47) SupportIvyTeam ♦♦ SupportIvyTeam's gravatar image

If you design the API to only allow normal users : the login will automatically be done based on the HTTP_BASIC auth headers. What value do you have if you can enforce to send it as POST and handle auth on your own?

(03.10.2019 at 10:14) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image

Hi Reguel,

The client application (browser) cannot be modified to send basic auth header. it sends user and password and It works only with cookie after that.

And the problem I have with Axon.Ivy is that if a REST method has @PermitAll it automatically creates a session and the returns a cookie for this session (and not for the user which I`m trying to login)

Basically, the question is -> How to do a REST method which is login a user and returns back cookie for for it

BR, Yordan

(03.10.2019 at 10:41) Stelt0 Stelt0's gravatar image
3 Answers:
active answersoldestnewestmost voted
1

If setting up a BASIC_AUTH header on client side is the main issues I think it should be possible to solve this in an additional ContainerRequestFilter for the IVY Rest stack.

Currently auth and session handling is done in : ch.ivyteam.ivy.webserver.internal.rest.security.ApplicationSessionRequestFilter alt text

The request filter comes with a priority (in this case: 1'000). Therefore, it should be possible to provide an additional request filter that can change the request just before the default filter is executed. Your custom filter could compensate the inabilities of the real client > transform form params into http_basic auth headers.

To setup your custom filter as general extension for the ivyEngine REST stack you have to add the @Provider annotation on the class body. See https://answers.axonivy.com/questions/3412/how-can-i-use-jax-rs-containerrequestfilter-responsefilter-for-my-jax-rs-resources

...just an idea: I did not check it with an example.

PS: be aware that big improvements from 7.4 REST stack have been ported back to the 7.0 LTS train recently. So ensure that you work with the latest hotfix version to benefit of the extension capabilities mentioned here.

link

answered 04.10.2019 at 02:11

Reguel%20Wermelinger's gravatar image

Reguel Werme... ♦♦
9.4k31958
accept rate: 70%

edited 04.10.2019 at 02:12

Hi Reguel,

Its an excellent hint! Ill try it out and will let you know.

BR, Yordan

(04.10.2019 at 09:36) Stelt0 Stelt0's gravatar image
0

Hi Reguel,

I was able to add Authorization Basic header before ApplicationSessionRequestFilter. In result, the session of the user was changed based on this header.

However, the returned cookie form this request, is still not valid for the next calls ... ) the second call is authenticated as Developer)

I assume that this is a bug.

Here how you can reproduce it:

  1. create project myapp with two REST endpoints (require authentication) (/ivy/api/myapp/loginCall and /ivy/api/myapp/checkCurrentUser); in both of them just log Ivy.session().getSessionUserName()
  2. create user -> allan:allan
  3. add this code snippet as index2.html and place it in \AxonIvyDesigner7.4.0\webapps\ivy
  4. test it on http://localhost:8081/ivy/index2.html (clean cache/session first)

html:

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Test</title>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script>

    function loginCall() {
    var authToken = btoa('allan:allan'); //user and passowrd

    return $.ajax({
      url: "/ivy/api/myapp/loginCall",
      type: 'GET',
      headers:{
            'X-Requested-By': 'myapp',
            'Content-Type':'application/json',
            'Authorization': 'Basic ' + authToken
        },
      dataType: 'json'
    });
  }

  function checkProfile() {

    return $.ajax({
      url: "/ivy/api/myapp/checkCurrentUser",
      type: 'GET',
      headers:{
            'X-Requested-By': 'myapp',
            'Content-Type':'application/json'
        },
      dataType: 'json'
    });
  }

  $(document).ready(function() {

      loginCall()
      .done(function() {
        checkProfile()
          .done(function(response) {

          }).fail(function() {

          });
      }).fail(function() {

      });


  });

</script>
</head>

<body>
check F12
</body>

</html>

BR, Yordan

link

answered 07.10.2019 at 06:25

Stelt0's gravatar image

Stelt0
(suspended)
accept rate: 12%

edited 07.10.2019 at 07:07

Reguel%20Wermelinger's gravatar image

Reguel Werme... ♦♦
9.4k31958

Hi Yordan. Glad to hear on your success on providing a custom request filter to transform headers. Currently I do not have the time do drive further analysis why the session is not overtaken. But I'm confident that you can find the cause quickly by using a class decompiler + debugger to analyse the execution of our ApplicationSessionRequestFilter. The tracing on which terms the existing session are overtaken should be easy to see in there. If nothing works. You could try to handle the issue in a global tomcat Valve : which is in charge not only for the rest stack, but for the whole webserver.

(08.10.2019 at 03:56) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image

Some documentation to start with valves can be found here : https://developer.axonivy.com/doc/latest/engine-guide/integration/web-application-firewall.html

(08.10.2019 at 03:57) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image
0

Hi Yordan

I can now reproduce your problem and see your use case!

I think we have a bug there because on login we change the session id and we then do not map the correct session. As workaround you could disable RenewIdOnLogin like this in ivy.yaml:

Session:
  RenewIdOnLogin: false

With the follwowing code you can get the current http session id:

Ivy.request().getSession().getHttpSessionIdentifier();
link

answered 09.10.2019 at 05:05

SupportIvyTeam's gravatar image

SupportIvyTeam ♦♦
1.4k102118122
accept rate: 77%

edited 09.10.2019 at 05:31

Hi,

Can I test this on the Designer ? Is it equivalent if I configure it in app-designer.yaml ?

if I set log the getHttpSessionIdentifier and getSessionUserName in the two requests I get again the same behavior

Ivy.log().info(Ivy.request().getSession().getHttpSessionIdentifier()); Ivy.log().info(Ivy.session().getSessionUserName());

alt text

BR, Yordan

(09.10.2019 at 09:19) Stelt0 Stelt0's gravatar image

Do it directly in ivy.yaml in the configuration folder, yes this should also work in designer.

(11.10.2019 at 05:32) SupportIvyTeam ♦♦ SupportIvyTeam's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×52
×37
×33
×16

Asked: 30.09.2019 at 03:58

Seen: 6,456 times

Last updated: 11.10.2019 at 08:05

Related questions

REST token authentication

Complete Task from REST

How to secure Rest Services from Ivy 6.2 with Authorization Bearer instead of Basic

Java collections in ivyScript

Streaming with Ivy REST API

Java Api for Start Process Signature variables

Calling NTLM protected REST service with SSO

REST http method PATCH

How to use the java connector of JD Edwards Enterprise One (Oracle)

How can I create a role at runtime dynamically?