  • Latest Post - ‏2013-09-09T21:26:04Z by AndrewPaier
samuelxie
11 Posts

How to make REST call without login authentication

2013-09-03T02:47:50Z

Our REST client in Java code has a performance issue because every REST call needs login authentication.

How can we make REST calls without login authentication in every call? We want to call REST in an integration service or coach without logging in every time...

If the user is already authorized, how can we make the calls using their already logged-in session? Thanks!

 

  • kolban
    3322 Posts

    Re: How to make REST call without login authentication

    ‏2013-09-03T02:55:22Z  

    When a call is made to the IBM BPM REST services (which I am assuming is the target of your request), that request must prove to IBM BPM that the caller is who they claim to be.  In order to achieve that, authentication information needs to be passed with the REST request.  Remember, REST programming is pretty much "down to the wire" programming so by and large you are responsible for providing all data.  IBM BPM can get the information it needs in one of two primary ways.

    The first is called "Basic Authentication" where a userid/password pair is sent with each and every REST request.  The second technique is that the REST request sends a "Cookie" that contains an "LTPA" token.  This cookie is normally set in your browser when you log in.  So for example, you may see a login prompt for IBM BPM and you enter your credentials.  IBM BPM (through WAS) then validates those credentials and creates an LTPA token.  That token is then sent back to the browser and saved as a Cookie.  On subsequent REST calls from the same browser, the LTPA token cookie flows back automatically.  Since only that unique browser that relatively recently proved that the user was who they claim to be would know the Cookie, the REST request is honored.

    However, it sounds like you are making REST calls from IBM BPM services.  In that case, there will be no LTPA cookie and all you can really do is pass in the userid/password pair.

    Neil

  • samuelxie
    11 Posts

    Re: How to make REST call without login authentication

    ‏2013-09-03T04:59:18Z  

    Thanks Kolban!

    If a cookie with an LTPA token is used in the REST request in the browser, how long will it take effect by default, or does it work throughout the current session?

  • AndrewPaier
    842 Posts

    Re: How to make REST call without login authentication

    ‏2013-09-09T21:26:04Z  

    Neil's explanation is good.  When most of my customers run into this, I ask if the REST call they are making really belongs on the server or if it should be done on behalf of the user from their browser.  If you have a coach make REST calls to the server, since the user running that coach has an LTPA token, the user does not get a prompt to log in, it just all works.

    However, the real question is what you are doing in these REST calls.  It may be that the JS API, which runs on the server and doesn't require any credentials, has the same capabilities.  The 2 sets of functionality are, unfortunately, intersecting sets.  There are gaps in the JS API which I find distressing at times...

    Andrew Paier | Director | BP3 Global, Inc.
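The exchange described in the replies above, shown from both sides as an added example that is not part of the original thread and not IBM BPM code: a client sends the userid/password pair once, then lets the token cookie flow back on later calls, and sends the password again only when the server rejects a stale token. The mock server, the cookie name `Token`, the toy token format, the 401 response for an expired token, the `/rest/example` path and the credentials are all constructed stand-ins for the real LTPA cookie handling.

```python
import base64, threading, urllib.error, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
USER, PASSWORD = "svc_user", "constructed-password"  # constructed sample values
valid_tokens, seen = set(), []  # tokens the mock honours; credential seen per request

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class MockServer(BaseHTTPRequestHandler):  # constructed stand-in, not IBM BPM's code
    def do_GET(self):
        auth, cookie = self.headers.get("Authorization"), self.headers.get("Cookie", "")
        seen.append("basic" if auth else "cookie" if cookie else "none")
        token = cookie.partition("Token=")[2]
        if auth == basic_header(USER, PASSWORD):
            token = f"toy-{len(seen)}"  # toy token issued after the password check
            valid_tokens.add(token)
        elif token not in valid_tokens:
            self.send_response(401); self.end_headers(); return
        self.send_response(200)
        self.send_header("Set-Cookie", f"Token={token}; Path=/; HttpOnly")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

class RestSession:  # client: password on the first call only, token cookie afterwards
    def __init__(self, user, password):
        self.basic, self.jar = basic_header(user, password), CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))
    def get(self, url):
        try:
            return self._send(url, with_password=len(self.jar) == 0)
        except urllib.error.HTTPError as err:
            if err.code != 401 or len(self.jar) == 0: raise
            self.jar.clear()  # token expired or rejected: authenticate again
            return self._send(url, with_password=True)
    def _send(self, url, with_password):
        req = urllib.request.Request(url)
        if with_password: req.add_header("Authorization", self.basic)
        with self.opener.open(req) as resp: return resp.status

def demo():  # loopback HTTP only; a real deployment needs HTTPS and a Secure cookie
    seen.clear(); valid_tokens.clear()
    server = HTTPServer(("127.0.0.1", 0), MockServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    session, url = RestSession(USER, PASSWORD), f"http://127.0.0.1:{server.server_port}/rest/example"
    statuses = [session.get(url), session.get(url)]
    valid_tokens.clear()  # simulate the token expiring on the server
    statuses.append(session.get(url))  # stale cookie -> 401 -> password sent again
    server.shutdown(); server.server_close()
    return statuses, list(seen)
```

Calling `demo()` returns the status of each client call and the credential the server saw on each request, so the single password transmission per token lifetime is visible in the second list.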