I'm trying to call the SAP BI/BO REStful webservices using basic authentication. I enabled basic authentication in the WACS and tested with this service:
http://host:6405/infostore/16422
This works! I can get the report metadata as either xml or json. However, whenever I try an url with "raylight" in it, I get an authentication problem:
http://host:6405/biprws/raylight/v1/documents/16422/parameters
{
error_code: "1"
message: "No session found in HTTP header X-SAP-LogonToken"
}
Why do some services work with basic authentication and others absolutely require the logontoken? I would like to avoid the logontoken if possible. I tested by logging on with the token and that does work, so it's not like my credentials are wrong.
I suspect you asked the same question on SCN which was answered by one of the SAP developers, Anthony Muller.
He stated that:
Raylight doesn't support basic authentication because it required a
permanent session to work. Internally, we have to manage a "cache" to
support subsequent REST calls and this is not possible using basic
authentication.
Related
I want to use the Xbox Services REST APIs, particularly one of the achievement APIs for my very first web application that I'm building. In order to use any of these APIs, I have to include a required Authorization request header in every one of my requests. This request header must be a string populated with the following information:
Authentication credentials for HTTP authentication. Example value: "XBL3.0 x=<userhash>;<token>".
However, I'm unsure of how to properly supply the missing <userhash> and <token> expected here. I found a promising lead in a similar question asked where one of the answers suggested using "authenticate of the xbox-webapi-python to get the Authorization header". I have downloaded this repository and have access to the aforementioned script. However, I'm having trouble figuring out what I specifically need to do with it to get the information I need.
Can anyone provide some guidance here or share another way to collect this header information? I'm new to python and web development, FYI!
Thanks!
Ive got a rest api that connects with a MQ queue. Im using the IBM tools such as App connect enterprise, and MQ Explorer of IBM.
The thing its that when I send rest, using basic mode, the request results in 200 (ok). Ive assigned the values of users and passwords. But when I try to use inherit auth from parent, the answer it's unauthorized 401.
I tryed to modify the swagger doc, but it resulted very complex, and also It occurred to me that maybe if I develop an LTPA token, that could be a help.
Do you know a method to make inherit auth to work without asking the user and password again? Thank you
Can someone please tell me which of this architectures is stateful/stateless?
REST API with session user authentication stored on redis.
REST API with JWT user authentication stored with revocation list on redis.
REST API with oauth2 user authentication.
I would like to also know if I can have resource and authorization server as one and the same API in terms of oauth2. Is it worth to have own authorization server?
What kind of user authentication and app authentication would be easy and secure to use as start up for REST API that will be used by the website and mobile app? I understand it would be 2 authentications one for user and one for app.
Please this is for me more like wrap up of all stuff I've read so I just need short answers - already had a lot of reading.
The key goal is to externalise it - your UI and API code is then simple and stateless. This is what an Authorization Server enables.
The AS is something you interface with and configure - but you don't code it yourself.
Use a free / cheap Authorization Server from a cloud provider like Google or AWS
Following the OAuth 2.0 and Open Id Connect standards is the lowest cost option if you make the right choices - though there is a learning curve.
As an example my Cloud Samples are pretty much zero cost to me - and my code is simple - even though anyone on the internet can run them.
In terms of getting connected, maybe have a browse of my first tutorial.
I'm new to Shiro. We are attempting to use Shiro with Stormpath. I've been trying to dissect the examples to come up with a solution to what I want to do, but I'm unsuccessful so far.
For now, I'm simply trying to create REST services to do what I want, and I'll tie a real client in later. This is what I'm trying to achieve as my first step:
I want to have a client hit a REST endpoint (login) on my server. My server would authenticate, and return a JWT to the client. This JWT would then be used to access secured endpoints on my server. (I have written Java code that can successfully authenticate against Stormpath).
My problem is the JWT. I expected that a JWT would be created for me, or at least easily accessible. I can't find a way to get one. I have seen sample code on how to build one, but that doesn't seem like the way I would expect to acquire one.
I have run through several examples, but most seem to deal with JSP interfaces, and I can't seem to make the leap to what I'm trying to do.
Is this approach reasonable? Any guidance is appreciated.
Edit 1
I now have a Java client that can authenticate using the Shiro servlet and retrieve a JWT. I have this running as a deployed application (war) in GlassFish. My next step is to use that JWT to authenticate against a different application that has my REST endpoints. This REST application doesn't need to know anything about how to authenticate - I just want to pass the JWT along in the call to a given REST endpoint and use Shiro (via annotations) to control access to the endpoint (if that is indeed possible). All of the examples I can find seem to be "all-in-one" examples (bundling JSP with Shiro/Stormpath configurations, etc). I'm trying to determine the minimum working configuration for securing REST endpoints and I'm having difficulty determining which pieces of the configuration I need.
Edit 2
I am using the Stormpath-Shiro-Servlet (as stolen from the Shiro Servlet example) as my authentication back-end. Using my Java client, I am sending a login request to the servlet, and I am indeed getting back a JWT. However, I am not able to successfully use the JWT to access my other rest resources. My rest calls result in this error:
org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.
First, I don't understand why the servlet 'login' doesn't actually log me in and give me non-anonymous principle? Second, I am attempting to do everything on a separate client, so I don't have access to Subject.login (is this a correct assumption?).
Take a look at this example from github/stormpath-shiro
The JWT creation is managed for you by the Stormpath API. If you start up one of the examples, (the servlet one above, or the spring-boot-web example), after login, you will have a JWT cookie. There is background info in this blog post.
I'm working on releasing strompath-shiro now, but figured I'd include these link here so you can start looking.
I have setup FORM-authentication within web.xml (java-webcontainer) successfully.
I did not find a way to sent the username/password within the get-request of the restful-uri from my client when using FORM-Authentication. So I have to use BASIC-Authentication only for the restful-uri.
So I have this question:
How can I set up both form-based authentication and basic authentication?
Basic authentication should only be enabled for the restful-uri.
I was also facing a similar problem and I realized that if you are using Wildfly then its possible to configure multiple mechanism using web.xml:-
<auth-method>BASIC?silent=true,FORM</auth-method>
Using this silent basic authentication will be tried first, which is basic authentication that only takes effect if an Authorization header is present. If no such header is present then form authentication will be used instead.
Maybe its too late for a reply but I just updated this in case someone finds this useful :P
There were no responses here for a while, so I did a quick servlet refresher myself. Servlet specs indeed allow only one <login-config> element per web application, so there is no way to have an entry point with BASIC authetication for the REST API and another with FORM-based authentication for the UI. The only option is to build them as two independently deployable applications. To avoid code duplication, it might be a good idea just to let the UI application talk to the REST API the same way the third-party clients are supposed to.