IBM Security Verify


Dynamic JSON response to a json template file

  • 1.  Dynamic JSON response to a json template file

    Posted Mon November 16, 2020 01:37 PM
    Hello,

    We've a requirement where we would like to create a custom infomap rule which returns the JSON response based on different scenarios. How can we dynamically write the JSON response to a template .json file and return the response back via the endpoint (apiauthsvc)? Please share a few examples with me, if any are available.

    Thanks,
    Vamsi

    ------------------------------
    Vamsi B
    ------------------------------


  • 2.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 03:02 AM
    Hi,
     You would have to create a template file with the extension .json. It is possible that you also have to create the .html file for it to work.
    The template file would just consist of this:

    @JSONRSP@

    Then you have to add your macro @JSONRSP@ in the advanced configuration "sps.page.notEscapedMacros"

    In the infomap you would write like this:

    var jsonrsp = ....
    macros.put("@JSONRSP@", JSON.stringify(jsonrsp));

    I have not tested this but it should work

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 3.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 03:31 AM
    Vamsi,

    Further to @Laurent LA Asselborn's answer, here's a useful thing to add to your template page to allow you to see all the macros that are available:

    <% java.lang.System.err.println(JSON.stringify(templateContext.macros).replace(/@/g,"")); %>

    This script will return a JSON object containing all defined macros in JSON format.  The removal of @ characters is needed to stop macro substitution.  This will be logged to messages and trace.log.

    Not exactly what you're looking for, but here's an example login.json file that can return an alternative JSON response for the password login mechanism in AAC:

    <%
        templateContext.response.setStatus(401);
        var errorMsg = templateContext.macros["@ERROR_MESSAGE@"];
        if (errorMsg == "") {
          output = "\"message\" : \"Provide username and password\"";
        } else {
          output = "\"error_message\" : \"" + errorMsg + "\"";
        }
    %>
    {
        <%=output%>,
        "location" : "@ACTION@",
        "mechanism" : "@MECHANISM_ID@"
    }

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
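
Added example (not part of the original posts, and not IBM's code): a simplified JavaScript model of macro substitution showing why the @JSONRSP@ macro from reply 2 has to be exempted from escaping, and why a complete JSON.stringify result is safer than splicing values between hand-written quotes as in the login.json above. The render function, the HTML-escaping default and the sample value are assumptions made for illustration; only the macro names and sps.page.notEscapedMacros come from the thread.

```javascript
// Simplified stand-in for template macro substitution; NOT the AAC engine.
// Assumption: macro values are HTML-escaped unless the macro name is listed
// in notEscaped (modelling the sps.page.notEscapedMacros setting).
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

function render(template, macros, notEscaped) {
  return template.replace(/@[A-Z_]+@/g, function (name) {
    if (!(name in macros)) return name;            // unknown macro: leave as-is
    var value = String(macros[name]);
    return notEscaped.indexOf(name) >= 0 ? value : htmlEscape(value);
  });
}

function isValidJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample data: a value containing JSON metacharacters.
var hostile = 'bad pin", "status": "success';

// Case 1: whole body in one macro, macro still escaped -> not JSON.
var body = JSON.stringify({ status: "failed", error_message: hostile });
var escaped = render("@JSONRSP@", { "@JSONRSP@": body }, []);

// Case 2: same macro exempted from escaping -> valid JSON, value stays data.
var exempted = render("@JSONRSP@", { "@JSONRSP@": body }, ["@JSONRSP@"]);

// Case 3: unescaped macro placed inside hand-written JSON quotes
// -> the value closes the string and adds its own key.
var tpl = '{ "status": "failed", "error_message": "@VALUE@" }';
var spliced = render(tpl, { "@VALUE@": hostile }, ["@VALUE@"]);

function demo() {
  return {
    escapedIsJson: isValidJson(escaped),
    exemptedMessage: JSON.parse(exempted).error_message,
    exemptedStatus: JSON.parse(exempted).status,
    splicedStatus: JSON.parse(spliced).status
  };
}
console.log(demo());
```

Case 3 is the reason a macro exempted from escaping should carry a complete JSON.stringify result built in the mapping rule, rather than a raw value dropped between quotes in the template.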



  • 4.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 04:45 AM
    Are the *.json files in the management root, jsp files?
    I was not aware that you could in fact call Java from the json files!

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 5.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 06:04 AM
    Joao,

    The ability to include scripting only applies to the "template files" served by the Advanced Access Control / Federation runtime.
    There is no server-side processing (other than macro-substitution) performed for the pages served by the Reverse Proxy.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 09:56 AM
    Thank you Jon and Laurent for sharing a few examples and inputs. I've created a sample mapping rule called testotp and a file called testotp.json, as shown below.

    TestOTP - InfoMap
    ---------------
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    var test = "testjson";
    macros.put("@VALUE@", test);
    page.setValue("/authsvc/authenticator/testotp/testotp.json");
    IDMappingExtUtils.traceString("JSON Value: " + test);
    success.setValue(false);

    testotp.json
    ----------------
    {
    "status": "@STATUS@",
    "mechanism": "@MECHANISM_ID@",
    "stateId": "@STATE@",
    "location": "@ACTION@",
    "value": "@VALUE@"
    }

    When I use page.setValue to render the testotp.json file, it's not working. I had to change it to testotp.html to get it working. I am not sure why I am not able to load the .json file but the .html is working. Please let me know if this is the expected behavior in the AAC module.

    Thanks
    Vamsi

    ------------------------------
    Vishnu Vamsi
    ------------------------------



  • 7.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 10:01 AM
    Hi Vamsi,

    It is expected behaviour that you should reference a .html file.  The internal processing of the AAC will replace this with .json when the client is connecting via the .../apiauthsvc endpoint.

    I'll admit this is not super intuitive but it is how we manage serving pages to different client types with the same code.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 8.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 10:08 AM
    Hi Jon,

    Thanks for your reply. I noticed a few .json files under the authsvc folder of the template files. May I know how these are loaded when using the /apiauthsvc endpoint?

    Thanks,
    Vamsi.

    ------------------------------
    Vishnu Vamsi
    ------------------------------



  • 9.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 10:38 AM
    The built-in authentication mechanisms specify pages to return.  For some of these there are JSON and HTML versions.  Where there is a .json file, this will be returned when the client connects to the .../apiauthsvc endpoint (otherwise the .html file will be returned).

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 10.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 10:44 AM
    Understood. Can we implement a similar pattern using a custom auth mechanism and infomaps? For example, I would like to return result.json for API requests coming from /apiauthsvc and result.html for requests coming from /authsvc. How do I achieve this from a single mapping rule?

    Thanks,
    Vamsi.

    ------------------------------
    Vishnu Vamsi
    ------------------------------



  • 11.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 10:52 AM
    Yes.

    Create result.json and result.html in the same location in AAC template files.
    In your JavaScript, specify result.html as the page to return.

    When the client connects to .../authsvc they will get the result.html page.
    When the client connects to .../apiauthsvc they will get the result.json page.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 12.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 10:05 AM
    Also, I would like to generate a custom JSON response when the result is set to true (success.setValue(true)) instead of a blank response with http code 204. Please let me know your inputs.

    Thanks,
    Vamsi.

    ------------------------------
    Vishnu Vamsi
    ------------------------------



  • 13.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 10:48 AM
    Vamsi,

    When you set success.setValue(true) you have no control over the response that is returned.  The response is built internally by the system and its only purpose is to provide the HTTP headers that are consumed by the Reverse Proxy to create an authenticated session.

    There is a workaround if you want to avoid using this built-in function, but it requires a good understanding of how the Authentication Service and Reverse Proxy interact.  You would have to create a custom template page which sets the required External Authentication Interface (EAI) headers to trigger authentication to the Reverse Proxy, and then return this page by setting success.endPolicyWithoutCredential();

    As far as the Authentication Service is concerned, it has terminated the authentication... but the headers returned by the template page complete the authentication at the Reverse Proxy, while giving you control over the headers and content of the response.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 14.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 11:15 AM
    Hi Jon,

    Thank you very much for your explanation. Do you have any examples which do the workaround solution that was mentioned?

    Thanks,
    Vamsi.

    ------------------------------
    Vishnu Vamsi
    ------------------------------



  • 15.  RE: Dynamic JSON response to a json template file

    Posted Tue November 17, 2020 11:27 AM
    I do not have examples.  Maybe others on this community can provide something.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------