BPM, Workflow, and Case

  • 1.  Disable Basic Authentication for inbound REST calls

    Posted Wed October 20, 2021 11:53 AM
    I have been looking for a way to disable basic authentication for inbound REST calls to meet some security requirements. I don't want to disable portal basic auth, just the ability to make a REST call using basic auth. We are running on 8.5.7 - WebSphere 8.5.5 - Thanks for the help.

    ------------------------------
    Joseph StClair
    President
    BST Inc
    Irving TX
    2144495989
    ------------------------------


  • 2.  RE: Disable Basic Authentication for inbound REST calls

    Posted Thu October 21, 2021 02:42 AM
    Hi,

    There are two levels to interpret your requirement.

    (1) the easier one
    You don't want the server to request basic auth

    (2) the maybe harder one
    You don't want the server to accept basic auth

    The BPM REST API web module is configured to require basic auth in its web.xml. Consequently, when receiving an unauthenticated request for the REST API, WAS must return
    HTTP 401 UNAUTHORIZED
    www-authenticate: Basic ....

    This will cause the browser to pop up asking for username and password.

    You can avoid this request for basic auth by overriding / customizing authentication in WAS using a Trust Association Interceptor (TAI): https://www.ibm.com/docs/en/was-nd/8.5.5?topic=applications-developing-custom-tai

    There are two important methods:
    (a) isTargetInterceptor(): Should this TAI handle the request? This allows you to inspect the incoming request and fine tune to only jump in the few well-defined cases you want to handle. Here: request URI for REST API. Maybe, you even want to consider the user agent or host header to allow special treatment for some clients

    (b) negotiateValidateandEstablishTrust(): handle the unauthenticated request. Most TAIs would return some cookie and redirect URL or some other type of challenge. In your use case, it may be good enough to just return TAIResult with HTTP 401 return code, but omit the www-authenticate header. This is what our product TAI does. In more recent versions of the product, you may observe a request parameter like avoidBasicAuthChallenge. This is an indicator for our own TAI to jump in and avoid the password prompt that browser side JS code cannot handle.

    To meet your (2) requirement, you'd need to set some WAS security custom property to ensure your TAI is invoked even before WAS validates existing authentication (e.g. basic auth or LTPA). Your implementation would examine the request and in case there is a basic auth header - fail the request.

    Unfortunately, when my blog post about this topic was archived, the sample code was lost...

    ------------------------------
    Jens Engelke
    ------------------------------
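    A TAI sketch of the two requirements described in this reply, written as an added example (not the lost blog sample and not the product's own TAI): it claims REST API requests that carry Basic credentials or no LTPA cookie, and answers them with a 401 that has no WWW-Authenticate header. The URI prefix `/rest/bpm/`, the class name and the cookie check are assumptions; the WAS TAI interface and `TAIResult.create(int)` are the real SPI.

```java
import java.util.Properties;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class NoBasicAuthRestTai implements TrustAssociationInterceptor {
    // Assumed URI prefix of the BPM REST API web module; adjust to your deployment.
    private static final String REST_PREFIX = "/rest/bpm/";
    // Claim REST API requests that carry Basic credentials or no LTPA SSO cookie.
    // A request with an LTPA cookie and no Basic header is left to WAS as usual.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        String uri = req.getRequestURI();
        if (uri == null || !uri.startsWith(REST_PREFIX)) return false;
        return hasBasicHeader(req) || !hasLtpaCookie(req);
    }
    // Never establishes trust; it only controls what the failure looks like.
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        if (hasBasicHeader(req)) {
            // Requirement (2): Basic credentials on the REST API are refused before
            // WAS validates them. Logged so rejected attempts can be monitored.
            System.out.println("NoBasicAuthRestTai: rejected Basic auth for " + req.getRequestURI());
        }
        // Requirement (1): 401 without WWW-Authenticate, so no browser password prompt.
        return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
    }

    private static boolean hasBasicHeader(HttpServletRequest req) {
        String auth = req.getHeader("Authorization");
        return auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6);
    }
    private static boolean hasLtpaCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if ("LtpaToken2".equals(c.getName()) || "LtpaToken".equals(c.getName())) return true;
        }
        return false;
    }

    public int initialize(Properties props) { return 0; }
    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

The Basic-header branch only takes effect if the TAI runs before WAS evaluates the credentials, which is the security custom property the reply refers to; the one I know of for that is com.ibm.websphere.security.InvokeTAIbeforeSSO (a comma-separated list of TAI class names), so verify it against the documentation for your WAS level.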




  • 3.  RE: Disable Basic Authentication for inbound REST calls

    Posted Thu October 21, 2021 01:26 PM
    Hi Joseph,
    I am not aware of any way to disable Basic Authentication for REST calls specifically. BUT what you are trying to achieve can be done by using TAI.
    With this the REST API consumer would not have to pass any authentication credentials.

    The isTargetInterceptor method of the TAI will be triggered for every call to BPM. In this method you check if the incoming call is a REST call (the context path can be used to test this and the processing is very fast); if it is not, then the system will just let the call go through as is. But if the call is a REST call then you can put some logic in the negotiateValidateandEstablishTrust method to log the user in as a REST API specific user ID (you can create a new user ID for this). If needed you can also put in checks that only specific REST calls are let through.

    If you are going with this approach, do also put in logic to log out the user if the logged in user is the new REST API specific user and the resource being accessed is not one of the allowed resources.

    This is something that we are doing in our project. Our use case is to do some JWT validation and then login for those specific REST calls, in your case you would not do any validation, just check if the request is one among those specific REST calls or all REST calls as you choose.

    ------------------------------
    Shivam Verma
    BPM Consultant
    IBM BPM Architect
    UI Developer / UX Designer
    ------------------------------