Topic
  • 9 replies
  • Latest Post - 2013-07-25T14:21:37Z by JoeMoenich
HarshKoshal
3 Posts

Pinned topic how to disable authentication in BPM & only keep user identification

2013-06-21T16:03:07Z

We are facing a situation. We want to fetch the task list, process instances, etc. from an external application using a RESTful service. We have a sample application as well. Just wondering whether there is a way by which we can just pass the username and not the password and fetch the task list.

  • kolban
    3322 Posts
    ACCEPTED ANSWER

    Re: how to disable authentication in BPM & only keep user identification

    2013-06-21T16:38:29Z

    Unfortunately, all REST requests received by BPM expect to know (and be able to prove) the identity of the requester.  This means that anonymous REST requests are not allowed.  What you could do is create a user identity which has the lowest permissions possible and give that a "public" password.  You would have to validate that the user doesn't expose too much.

    A perhaps safer alternative would be to use an HTTP proxy app which would allow an incoming REST request with no identity information and "add an identity" before passing it on to the BPM runtime.  Assuming the HTTP proxy app is secure, it wouldn't compromise the system and could be tuned/configured on a REST command by command basis.

    Neil
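    One way to build the identity-adding proxy Neil describes, as an added example that is not code from this thread and not part of IBM BPM: the external app presents its own shared secret to the proxy, the proxy forwards only an allowlist of read-only REST commands, and it injects the Basic credentials of a low-privilege BPM service account that the caller never sees. The BPM host, REST paths, account name and secrets are assumed placeholders.

```python
# Added example (not from the thread): hosts, paths, accounts and secrets are assumed placeholders.
import base64, hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

BPM_BASE = "https://bpm.example.internal:9443"            # assumed BPM process server
SERVICE_ACCOUNT = ("bpm_readonly", "assumed-service-pw")  # lowest-privilege BPM identity
CALLER_SECRET = "assumed-caller-secret"                   # what the external app must present
# REST commands the proxy forwards, tuned command by command; anything else is refused
ALLOWED = (("GET", "/rest/bpm/wle/v1/tasks"), ("GET", "/rest/bpm/wle/v1/processes"))

def service_auth_header():
    """Basic credential for the low-privilege account; the caller never sees it."""
    return "Basic " + base64.b64encode(":".join(SERVICE_ACCOUNT).encode()).decode()

def caller_is_trusted(headers):
    """The proxy still authenticates the caller (constant-time compare); anonymous is rejected."""
    return hmac.compare_digest(headers.get("X-Proxy-Secret", ""), CALLER_SECRET)

def decorate(method, url, headers):
    """Return (upstream_url, outbound_headers), or None when the call must not be forwarded.
    Identity headers the caller supplied are dropped so it cannot pick its own BPM user."""
    path = urlsplit(url).path
    if not caller_is_trusted(headers) or not any(
            method == m and (path == p or path.startswith(p + "/")) for m, p in ALLOWED):
        return None
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("authorization", "cookie", "x-proxy-secret", "host")}
    out["Authorization"] = service_auth_header()
    return BPM_BASE + url, out

class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        decision = decorate("GET", self.path, dict(self.headers))
        if decision is None:
            return self.send_error(403, "command not permitted through this proxy")
        url, headers = decision
        try:
            with urlopen(Request(url, headers=headers, method="GET"), timeout=10) as resp:
                body, status = resp.read(), resp.status
        except HTTPError as err:      # relay BPM's status code, not its error body
            return self.send_error(err.code)
        except OSError:               # connection failure: don't leak upstream details
            return self.send_error(502, "upstream unavailable")
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)
if __name__ == "__main__":            # loopback only; terminate TLS in front of it
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```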

  • AndrewPaier
    842 Posts
    ACCEPTED ANSWER

    Re: how to disable authentication in BPM & only keep user identification

    2013-06-21T21:40:01Z

    While this is doable, I agree with Neil that you really need to think through the security implications of however you decide to solve this.  A while ago I very reluctantly wrote a security provider for a customer that would "authenticate" a user based only on their ID.  This is really dangerous since any person who can hit the server can pretend to be any user if they simply know how to pass the right information in their call.  However, it is doable. BPM uses WAS to authenticate users, and if you wrote your own authentication for WAS that didn't require a password, then if WAS says a user is a "good" user, BPM would accept that user and not challenge them.

    Does the call have to be RESTful?  You could create a BPM service that uses the JS-API to return this information.  You could then use that as the implementation of a WS hosted in BPM and have the external application use the WS call to populate the data.  I believe the WS has options to be either secured or open. You could secure it and use a system login for the calling application.  The WS would accept the user id as the payload of the inbound WS call.

    Andrew Paier  |  Director  |  BP3 Global, Inc.

  • HarshKoshal
    3 Posts

    Re: how to disable authentication in BPM & only keep user identification

    2013-06-22T05:46:18Z

    Thanks Neil

  • HarshKoshal
    3 Posts

    Re: how to disable authentication in BPM & only keep user identification

    2013-06-22T05:52:41Z

    The call has to be RESTful. I believe I have to write my own authentication then. I will start now. Thanks Andrew

  • TodorMollov
    1 Post

    Re: how to disable authentication in BPM & only keep user identification

    2013-06-24T10:59:34Z

    Authentication means getting a user identity so you must have the first if you need the second. Authentication can be done in various ways.

    If your external system is a WebSphere Portal or other WAS/IBM based product then you can have single sign-on between the external system and BPM.

    I've done an integration between a .Net portal showing the BPM task list per user. You need one WebSeal at the front of .Net and BPM. The user logs into the portal app and authenticates, then the generated LTPA should be forwarded to the BPM REST API. There are some interesting infrastructure challenges when we have WebSeal in the picture, but it's doable.

  • JoeMoenich
    4 Posts

    Re: how to disable authentication in BPM & only keep user identification

    2013-07-03T16:47:40Z

    I am curious about your implementation between WebSEAL, .Net and BPM.  We are trying to implement the same scenario.  I assume the LTPA token was generated by WebSEAL and passed through .Net to BPM REST API.  Were there any problems with the token going through .Net?  How did you pass the token?

  • Todor Mollov
    34 Posts

    Re: how to disable authentication in BPM & only keep user identification

    2013-07-04T08:41:43Z

    We used the "iv-creds" HTTP header instead of LTPA. I would like to send you a couple of links but the infocenter seems to be down:

    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itame.doc_6.0%2Frev%2Fam60_webseal_admin204.htm

    The only challenge I remember was about WebSeal passing basic authentication details (username and password) to .Net, which, together with the iv-creds, must be passed to the BPM TAI, i.e. included in the HTTP request.

    So the workflow basically is as follows:

    - user authenticates with WebSeal; WebSeal generates the user identity token.

    - WebSeal passes the token and the basic auth to .Net, where it is extracted from the HTTP header

    - .Net constructs a new HTTP request to call the REST API and includes the token and the basic auth.

    Hope this helps.
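    The three-step relay above, simulated end to end as an added example (not code from this thread, and not WebSEAL's or the BPM TAI's actual implementation): WebSEAL emits the identity headers together with the junction's Basic credentials, the .Net tier forwards them only after checking that the request really came through WebSEAL, and the BPM side accepts the asserted user only when the junction credentials and the token both verify. The junction account, the signing key and the token format are assumptions standing in for the real WebSEAL/TAI configuration; only the iv-user and iv-creds header names come from the thread.

```python
# Added example (not from the thread): WebSEAL -> .Net relay -> BPM TAI trust chain, simulated.
# iv-user / iv-creds are WebSEAL's header names; junction account, key and token format are assumed.
import base64, hashlib, hmac

JUNCTION_USER, JUNCTION_PASSWORD = "webseal-junction", "assumed-junction-secret"  # WebSEAL -> back-end Basic auth
WEBSEAL_KEY = b"assumed-webseal-signing-key"   # stands in for WebSEAL's real credential signing material

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def identity_token(user):
    """Constructed stand-in for the iv-creds value: only the key holder (WebSEAL) can mint it."""
    return base64.b64encode(hmac.new(WEBSEAL_KEY, user.encode(), hashlib.sha256).digest()).decode()

def webseal_request(user):
    """Step 1: WebSEAL has authenticated the user and sends identity plus its junction credentials."""
    return {"iv-user": user, "iv-creds": identity_token(user),
            "Authorization": basic(JUNCTION_USER, JUNCTION_PASSWORD)}

def junction_auth_ok(headers):
    """Did this request carry WebSEAL's own junction credentials? (constant-time compare)"""
    return hmac.compare_digest(headers.get("Authorization", ""), basic(JUNCTION_USER, JUNCTION_PASSWORD))

def relay_to_bpm(inbound):
    """Steps 2-3: the .Net tier extracts the token and builds the REST call. A request that did not
    arrive via WebSEAL is refused, not forwarded; otherwise anyone reaching .Net could assert a user."""
    if not junction_auth_ok(inbound) or not inbound.get("iv-creds"):
        raise PermissionError("request did not come through WebSEAL; identity not trusted")
    return {"iv-user": inbound["iv-user"], "iv-creds": inbound["iv-creds"],
            "Authorization": inbound["Authorization"], "Accept": "application/json"}

def bpm_tai_identity(outbound):
    """BPM side (the TAI's role): establish the user only if junction auth AND token both verify."""
    if not junction_auth_ok(outbound):
        return None
    user = outbound.get("iv-user", "")
    return user if hmac.compare_digest(outbound.get("iv-creds", ""), identity_token(user)) else None
```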

  • JoeMoenich
    4 Posts

    Re: how to disable authentication in BPM & only keep user identification

    2013-07-08T14:03:26Z

    Thanks so much.  I'll post our results when we complete our POC this coming week.

  • JoeMoenich
    4 Posts

    Re: how to disable authentication in BPM & only keep user identification

    2013-07-25T14:21:37Z

    To follow up, we've discovered WebSEAL is not sending an LTPA token to the .Net application when configured to do so, so we are abandoning that approach.  In discussions with our security side, they've said that the TAI plugin only works between WebSEAL and WebSphere with no intermediary systems.  Have you found this to be true? I'd be curious to know if you are passing iv-user, iv-creds and the user basic auth?  Or is basic auth really iv-creds?

    Thanks,

    Joe