QuikJean
133 Posts

List allowed CSHS URLs for the current user

‏2019-07-10T17:22:54Z | baw

Hi

I have an application with multiple CSHS published as URLs. One of these CSHS is a front end that all the users can go to where they can find the list of available "published" CSHS.

Right now, to get the list of published CSHS, from BPM I run a REST call (with an External Service) to BPM itself using a "superuser" account that queries '/rest/bpm/wle/v1/exposed/service' and extracts the URLs, etc.

It happens that some of my users don't have access to all the published resources: but since the query is not done with the end-user account itself, some end-users see more than they should (no security issue, when they click on the link, BPM says they are not allowed).

So the best would be querying BPM REST API using the same ID that the users used to get in. But I don't see how I could "transfer" the BPM credentials to the External Service query.

Or do you know any JavaScript command within BPM that gives you a list of CSHS available to you? I have looked around, I have not found anything yet.

Thanks!!

  • Atanu
    209 Posts

    Re: List allowed CSHS URLs for the current user

    ‏2019-07-16T11:32:20Z  

    Can you try sending the LTPA SSO token in the HTTP request to make the REST call?

    https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/web/WebSecurityHelper.html

    com.ibm.websphere.security.web.WebSecurityHelper.getSSOCookieFromSSOToken().getValue();

     - Atanu Roy

  • AndrewPaier
    1198 Posts

    Re: List allowed CSHS URLs for the current user

    ‏2019-07-17T18:41:32Z  

    Or you could just invoke the call from the user's browser. That would use the credentials of the current user and avoid the underlying problem.

    (Thinking about that, someone should likely create a coach view for invoking such things without having to write all the JS, unless that is already in the current CV offering, and, if it is, then just use that.)

    -Andrew Paier
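
Added example, not part of the original thread and not IBM's code: the browser-side call suggested in the last reply, so the query to '/rest/bpm/wle/v1/exposed/service' runs under the logged-in user's own session and no superuser account is involved. The response field names (data.exposedItemsList, display, runURL), the function names, and the same-origin link filter are assumptions; the sample payload is constructed.

```javascript
// Endpoint path taken from the question above.
const EXPOSED_SERVICES = '/rest/bpm/wle/v1/exposed/service';

// Assumed response shape: { data: { exposedItemsList: [ { display, runURL } ] } }.
// Returns only well-formed links that point back at the BPM server (origin).
function extractLinks(payload, origin) {
  const items = payload && payload.data && payload.data.exposedItemsList;
  if (!Array.isArray(items)) return [];
  const links = [];
  for (const item of items) {
    if (!item || typeof item.runURL !== 'string' || typeof item.display !== 'string') continue;
    let url;
    try {
      url = new URL(item.runURL, origin); // resolves relative URLs against the server
    } catch (e) {
      continue; // unparsable URL: skip rather than render it
    }
    if (url.origin !== origin) continue; // assumption: only same-origin links are shown
    links.push({ label: item.display, href: url.href });
  }
  return links;
}

// fetchImpl is injected so the function can be exercised outside a browser.
// In a coach: listMyServices(window.fetch.bind(window), window.location.origin)
async function listMyServices(fetchImpl, origin) {
  const res = await fetchImpl(EXPOSED_SERVICES, {
    method: 'GET',
    credentials: 'same-origin', // browser attaches the user's existing session cookie
    headers: { Accept: 'application/json' },
  });
  // Not logged in or not authorized: show an empty list, never fall back to another account.
  if (res.status === 401 || res.status === 403) return [];
  if (!res.ok) throw new Error('exposed-service query failed: HTTP ' + res.status);
  return extractLinks(await res.json(), origin);
}

// Constructed sample response (not captured from a real server).
const SAMPLE_RESPONSE = {
  status: '200',
  data: {
    exposedItemsList: [
      { display: 'Order Entry', runURL: 'https://bpm.example.com/constructed/run?id=1' },
      { display: 'Elsewhere', runURL: 'https://other.example.net/constructed/run?id=2' },
      { display: 'No URL' },
    ],
  },
};
```

Because the server evaluates the request with the caller's session, the list it returns is already limited to what that user may see, so no client-side permission filtering is needed.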