Pinned topic: Connection.doGET returns empty response, when used with form auth with LDAP
4 replies, latest post 2011-08-22T15:43:34Z by SystemAdmin

SystemAdmin (9224 Posts)
2011-08-16T06:08:18Z
Hi,

I am trying to follow a couple of worked-out examples in which I combine form-based auth against LDAP (bluepages) with a sample bookmarks application.
I followed the dW article "http://www.ibm.com/developerworks/web/library/wa-webspheresec" (Secure your applications using the IBM WebSphere sMash security model).
1) The resource I am trying to secure is a groovy template (bookmarks.gt) placed in the /public.secure folder of the app.
2) The groovy template uses the Connection.doGET API to retrieve a list of bookmarks served by the implemented resource handler (bookmarks.groovy).
3) The onList, onRetrieve, onCreate, onUpdate and onDelete methods are implemented in the handler.
4) The bookmarks data model and sample data are in place (using derby).
5) The login (/public/login.gt) and authentication go through fine.
Issue is here -> 6) When loading http://localhost:8080/secure/bookmarks.gt, which tries to do a Connection.Response resp = Connection.doGET("http://localhost:8080/resources/bookmarks"), the resp object contains an empty list.
7) How do I know this? When I try to parse the object with the json decoder and iterate through the response to list out the bookmarks, I get an error while rendering the page (since the list is empty).
8) When I directly access the resources via http://localhost:8080/resources/bookmarks in the browser, I am able to list all the entries.
9) Also, the groovy template works fine when I use it without the authentication piece.



Here's the config and code:
LDAP config: /config/security.config

@include "security/rule.config" {
"config" : "(/request/path =~ /(.*)? ) && (/request/method =~ (POST|GET|PUT|DELETE))",
"authType" : "Form",
"groups" :
}

@include "security/form.config" {
"formLoginPage" : "/login.gt"
}

@include "security/formAuthentication.config" {
"conditions" : "(/request/path =~ /(.*)? ) && (/request/method =~ (POST|GET|PUT|DELETE))"
}
===========================

Login: /public/login.gt:

<% if( zget("/request/headers/in/Referer") =~ zget("/request/uri") ){ %>
Invalid user ID or password
Please verify your ID and password and try again.
<% } %>

Login using your normal user ID and password:

==================================
Groovy Template: /public/secure/bookmarks.gt

<%
  import zero.core.connection.Connection
  // server-side call to the REST resource handler (bookmarks.groovy)
  Connection.Response resp = Connection.doGET("http://localhost:8080/resources/bookmarks")
  def bookmarks = zero.json.Json.decode(resp.getResponseBodyAsString())
%>

Bookmarks Manager
<% for(bookmark in bookmarks) { %>
  <%=bookmark.id%> <%=bookmark.url%> <%=bookmark.name%> <%=bookmark.category%> delete <%=(bookmark.id)%>
<% } %>

Please let me know if I am missing anything.

I have attached the exported app zipped below.

Thanks
Santosh
(ssantosh@in.ibm.com)
  • SystemAdmin (9224 Posts)
    Re: Connection.doGET returns empty response, when used with form auth with LDAP
    2011-08-16T13:50:52Z in response to SystemAdmin
    It seems Connection.doGET receives a 30X response. It doesn't have an entity body in HTTP.
    I think a REST API should not be secured by Form authentication, because a client must then treat a response like a Web browser does.
    • SystemAdmin (9224 Posts)
      Re: Connection.doGET returns empty response, when used with form auth with LDAP
      2011-08-17T06:50:54Z in response to SystemAdmin
      Thank you for responding and pointing me in the right direction, and I apologize for not acknowledging immediately. When I went through the documentation, I realized the mistake I was making.
      I was able to get Connection.doGET() to work when I configured secure outgoing REST calls over https/ssl with a userid and password.
      I was also able to display the resources using the dojo client (grid and store), which works fine with basic/form-based authentication.
      I need to understand in what way the Connection API differs from the way the dojo client interacts with the resource handler.
      • SystemAdmin (9224 Posts)
        Re: Connection.doGET returns empty response, when used with form auth with LDAP
        2011-08-17T11:14:02Z in response to SystemAdmin
        No problem. :)

        > I need to understand in what way the Connection API differs from the way the dojo client interacts with the resource handler.
        Dojo XHR sends your browser's credential with the request if you are logged in to the application.
        The Connection API is a server-side request, so your "system" must log in to the application, because it is a "system to system" request.
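The two replies above (the 30X without an entity body, and the browser session versus the system-to-system request) can be walked through with a small simulation. This is an added example, not code from the thread or from WebSphere sMash: it models the thread's security rule and a form-auth gate in plain Python, with constructed bookmark data and a constructed userid/password, and shows the client-side status check that turns the "empty list" into a clear error.

```python
import json
import re
from dataclasses import dataclass, field

# Security rule from the thread's security.config: every path, all four methods.
PATH_RULE = re.compile(r"/(.*)?")
METHODS = {"POST", "GET", "PUT", "DELETE"}
LOGIN_PAGE = "/login.gt"  # formLoginPage from form.config

# Constructed sample data standing in for the Derby-backed bookmarks resource.
BOOKMARKS = [
    {"id": 1, "url": "http://www.ibm.com/developerworks", "name": "dW", "category": "docs"},
    {"id": 2, "url": "http://localhost:8080/resources/bookmarks", "name": "self", "category": "test"},
]
# Constructed credential for the "system" account (hypothetical, not from the thread).
SYSTEM_CREDENTIAL = ("bookmarks-system", "secret")

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def serve(method, path, session=None, basic_auth=None):
    """Simulated form-auth gate: a request matching the rule that carries neither a
    logged-in browser session nor credentials is redirected to the login page with
    no entity body (the 30X the reply describes); otherwise the resource answers."""
    if method in METHODS and PATH_RULE.fullmatch(path):
        authenticated = session == "logged-in" or basic_auth == SYSTEM_CREDENTIAL
        if not authenticated:
            return Response(302, {"Location": LOGIN_PAGE}, "")
    if path == "/resources/bookmarks" and method == "GET":
        return Response(200, {"Content-Type": "application/json"}, json.dumps(BOOKMARKS))
    return Response(404)

def fetch_bookmarks(resp):
    """Client-side guard: refuse to JSON-decode a redirect or an empty body instead
    of failing later while the template iterates over an empty list."""
    if 300 <= resp.status < 400:
        raise RuntimeError(f"redirected to {resp.headers.get('Location')}: not authenticated")
    if resp.status != 200 or not resp.body:
        raise RuntimeError(f"unexpected response {resp.status}")
    return json.loads(resp.body)

def browser_xhr():
    # Dojo XHR from a logged-in browser: the session travels with the request.
    return serve("GET", "/resources/bookmarks", session="logged-in")

def server_side_doget(basic_auth=None):
    # Connection.doGET from bookmarks.gt: a fresh system-to-system request, no browser session.
    return serve("GET", "/resources/bookmarks", basic_auth=basic_auth)
```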
        • SystemAdmin (9224 Posts)
          Re: Connection.doGET returns empty response, when used with form auth with LDAP
          2011-08-22T15:43:34Z in response to SystemAdmin
          Thank you :-) Makes perfect sense!