REST WCToken and WCTrusted token - websphere-commerce

Is there a way to recreate WCToken and WCTrustedToken in websphere commerce by using cookies?
Consider a scenario where search and browse use WebSphere Commerce and checkout is done in a different technology leveraging the REST APIs of WebSphere Commerce.

The WCToken and WCTrustedToken are composed of a subset of the data used to create the USER_ACTIVITY and AUTHENTICATION cookies. It is therefore possible to recreate them from cookies. However, to do so, you would need to use internal WCS APIs. IBM will not support customizations that use those APIs.
Note that the commerce team is looking at improving this area in the future to avoid this type of problem.

The following APAR would help, I guess:
http://www-01.ibm.com/support/docview.wss?uid=swg1JR45670
https://www.ibm.com/developerworks/community/forums/html/topic?id=0b75439b-b305-4916-bdd0-73ff487acbf3

FEP 7, which is due for release at the end of Feb-2014, will have this feature supported. While invoking the API, just send the cookies along. If cookies are available, then there is no need for the WCToken and WCTrustedToken in the header.

You can use the CommerceTokenHelper OOB class, which has the method generateCommerceTokens. This will use the user ID and generate the WCToken and WCTrustedToken.

Related

How Acumatica Cloud ERP integration works for third party application?

We have an application developed with React and Node.js and have already implemented a MYOB cloud ERP integration to import data. Now we are planning to add a new ERP integration for Acumatica. In the developer documentation it was mentioned that the REST API is available, but I can't find the cloud instance URL; everywhere it was mentioned as localhost only. So can anyone please help me to understand how to connect to the Acumatica cloud to fetch details?
Note: I understand the authorization flow (e.g. Authorization Code), but I'm confused about which URL to use, and I hope it is a fixed one as it is a cloud URL.
The integration endpoints are a rather large topic. I am in the process of writing a blog post on it, which is more or less a getting-started blog on automating stuff and getting info via REST. The blog itself is in the context of using these services via PowerShell, but if you are able to follow along and get to the point of establishing Postman examples of what you need to do, you should be able to get to the same end result in any language.
You will want to explore the Web Services Endpoint screen in the integration module, as this is where all the contract-based SOAP/REST definitions are managed. You can even set up custom endpoints if you need to.
Do you have access to the Acumatica Portal? The best way to get started is with some of the course work there.
Stand by and I'll forward some information for you to get started.
Robert
The URL for the REST API is the site URL of your Acumatica instance. For example, if your Acumatica is hosted at www.ManiMaran.com, to log in to your API:
http://ManiMaran.com/entity/auth/login.

SSO for Wirecloud/IdM and Moodle?

Looking for best-practice instructions on how to integrate FIWARE/WireCloud with Moodle. It would seem that the FIWARE IdM should be providing the user data and Moodle connects via one of its plugins. Moodle offers a number of different authentication options (actually too many; it is difficult to decide the best path). Ideally, once logged in, Moodle plugins should also be able to access other FIWARE backend services.
It should be possible in principle, but I notice that the FIWARE Academy http://edu.fiware.org/ does not have SSO with the FIWARE Lab :-)
WireCloud supports using the OAuth2 token provided by the IdM to access third-party services, so the real problem is how to integrate Moodle with the IdM (as commented by #Meier).
There are some Moodle plugins like auth_googleoauth2 that supposedly offer support for adding your own OAuth2 providers. Take into account that you will probably need to make more modifications to this kind of plugin, as usually the OAuth provider is only used for the sign-in process, but this doesn't mean that you will be able to use the OAuth2 token as valid credentials for making requests to the web service API.

REST API Security JBoss EAP 6.4

I am coding a webapp (e-commerce) for learning purposes using AngularJS + Bootstrap and REST.
I have used Apache Wink for the REST WS, and the application is deployed on JBoss EAP 6.4. My application is working fine.
I can access the back-end data using AJAX and the web pages are getting populated properly. The issue is the security of the REST WS. If I use the REST URL directly in the browser, without going through the front end, the JSON data gets populated and my data is exposed. What design changes should I make?
Please note that the initial operations on the website, e.g. browsing the products, adding them to the cart, etc., are stateless. No user identity is needed for these operations. I still need to secure my data for these interactions. Please suggest how I can do it.
Sunil
If you want to lock down the services, you may require some type of authentication (for example user/pass) that returns a security token (over HTTPS). Then all subsequent function calls may require the security token to be passed in as a parameter (if the operation is sensitive). The token will require a session timeout.
However, if the data is also publicly shown on the site, then there's not really a security risk in itself. IOW, how is this any different from them using the public website to get/update data? The REST services usually shouldn't require any additional level of security beyond what is already used on the website to protect the data.

Build Custom SSO with SAML

Updated: Thanks for responding to my post. I am very sorry; as of today these were the requirement details. However, I can elaborate more on what I understand. I have some idea of WIF, where I can write my own STS, RP and publish policies.
A couple of queries here. Do we need to have an IdP, and should we connect the STS to the IdP? If not, can we go without an IdP? I will have to use claims-based authentication and federated identity management in the application. We do not depend on AD/LDAP integration.
The important requirements are as follows. 1) We allow customers to do self-registration; they are direct users of this portal-M, and the other set of users come from partner-X, where the company claims are verified using SAML Req/Resp to access portal-M. 2) Once the direct user or the user-through-partner-X enters portal-M, he/she should get access to another portal-N of partner-Y by sending a SAML request in a similar fashion.
I have provided as many details as I know, since I am new to this technology of SSO/FIdM.
I would be happy to provide more information, if needed.
Original
I have got a complex task to build a solution for externalized SSO with SAML that would be used by customers of different partners over the web. The constraints are to build IdP/STS/Issuers/RP/Trusts/Policies with no open source or commercial product support, choosing specific technology platforms such as Microsoft and/or J2EE.
On top of this, the IdP must use an in-house custom data store available on SQL Server and Oracle.
Your ideas are appreciated, and thanks in advance.
So you want to implement a SAML stack without using any commercial or open source software?
That is a HUGE amount of work and you will need to spend a non-trivial amount of time getting your head around SAML.
In terms of a DB as your Identity repository, refer: Thinktecture IdentityServer.
In terms of SAML stacks, refer: SAML: A SAML stack.

Service with one login credential

I am developing a REST service with Web API. The service only requires one login credential, as it is used by an application developed by a third party. If I use the project template with "Individual User Accounts", I have to have a SQL Server running (?), which is overkill to support a single username and password. How about the LocalDB that comes with VS 2013?
"Windows Authentication" cannot be used because the service is accessed from the Internet.
What is the proper way to authenticate? Are there any "in memory" or config file providers that come with Web API? I know there is the ASP.NET Identity package, but it uses Entity Framework as a provider. Can anyone please suggest?
You can create a custom store for ASP.NET Identity and it could be memory or a config file. Here is a tutorial on creating a custom store in ASP.NET Identity. I would not put it in memory because you will most likely want to change the password and that would require a recompile and redeploy. Personally I would just use SQL Express or SQL Compact as they take minimal resources and rewriting the data store seems like a lot of work for little benefit in this scenario.
No matter how you want to authorize the call, the users have to be present in a database or cache to check the validity of the provided user. Microsoft will offer you out of the box a solution based on SQL Server or some of their own products.
If you want to implement your own user check, you will probably have to take care of the authentication by yourself. This means that you will have to check the HTTP header yourself and reject or accept the request yourself.
My question is, why do you want to use some "in memory" provider? The users have to be somewhere. Why not SQL Express?
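As an added example, not code from the original thread, here is the "check the HTTP header yourself" approach from the last answer for a single-credential Web API service: a DelegatingHandler that validates an HTTP Basic credential against a salted PBKDF2 hash kept in Web.config appSettings, so the password lives in a config file (not in memory or a database) and can be rotated without a rebuild. The appSettings key names ApiUser, ApiSalt and ApiHash, the class name and the iteration count are assumptions of this example.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Constructed example: the single Basic credential is checked against a salted PBKDF2 hash kept in
// Web.config appSettings (assumed keys: ApiUser, ApiSalt, ApiHash), so it can be rotated without a rebuild.
public class SingleCredentialHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Basic" || !IsValid(auth.Parameter))
        {
            var reply = request.CreateResponse(HttpStatusCode.Unauthorized); // challenge; credential must travel over HTTPS only
            reply.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
            return reply;
        }
        return await base.SendAsync(request, cancellationToken);
    }
    // Decodes "user:password" and compares user and PBKDF2(password) with the stored values in constant time.
    internal static bool IsValid(string parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? "")); }
        catch (FormatException) { return false; }
        int sep = decoded.IndexOf(':');
        if (sep < 0) return false;
        byte[] salt = Convert.FromBase64String(ConfigurationManager.AppSettings["ApiSalt"] ?? "");
        byte[] expectedHash = Convert.FromBase64String(ConfigurationManager.AppSettings["ApiHash"] ?? "");
        if (salt.Length < 8 || expectedHash.Length == 0) return false; // misconfigured: fail closed
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(decoded.Substring(sep + 1), salt, 100000)) // assumed iteration count
            hash = kdf.GetBytes(expectedHash.Length);
        byte[] user = Encoding.UTF8.GetBytes(decoded.Substring(0, sep));
        byte[] expectedUser = Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["ApiUser"] ?? "");
        return FixedTimeEquals(user, expectedUser) & FixedTimeEquals(hash, expectedHash); // & avoids short-circuit timing leak
    }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it with config.MessageHandlers.Add(new SingleCredentialHandler()) in WebApiConfig.Register; the salt and hash values are generated once offline and pasted into appSettings, so a password change is a config edit rather than a recompile.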