
I created an iWidget for IBM Connections, which has to retrieve data from our external web application through the provided proxy. However, said application requires the user to be authenticated before providing an answer.

Is there any general recommendation on how to solve this? I'm aware that I can get the current user from the iScope of the widget, but just forwarding this information to our application is not secure - since everyone could just create such a request, pretending to be any user. I also know that the proxy can be configured to forward ltpa credentials, but I don't know how to validate such a token - maybe IBM provides a library for this task, that I'm just not aware of?

BennyLau
  • is it external to your org? is it hosted on websphere? – Paul Bastide Oct 11 '13 at 13:46
  • For simplicity's sake let's assume it runs in the same local network. It runs behind Microsoft IIS however - users typically are authenticated through ntlm desktop authentication and not ltpa. – BennyLau Oct 12 '13 at 17:43
  • you'll probably want to create a custom proxy, where you can be sure the java.security.principal is trusted, and then you can either retrieve a stored credential, or automatically login to the back end, without login – Paul Bastide Oct 14 '13 at 12:41
  • mh, I'm not sure I understand this. the widgets would make calls to our application using a trusted proxy, right? but then how would the proxy make sure to only serve/forward "genuine" requests from an authenticated user in connections? – BennyLau Oct 15 '13 at 08:40
  • I'd install it in your Connections Server, where you can be sure the java.security.principal is trusted through the server side servlet, which can then forward only genuine requests – Paul Bastide Oct 15 '13 at 11:44
  • Thanks for your insights, that sounds good! Since all communication between iWidget and external application is already going through a proxy (to ensure same origin policy): do you know if it is possible to establish a shared secret for this proxy? I did not find anything about that on the proxy configuration documentation http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_admin_config_ajax_proxy.html This way, as the provider of said 3rd party app & widgets, we would not have to have another deployment step by introducing our own proxy. – BennyLau Oct 16 '13 at 07:35
  • it's perfectly acceptable to do that. However, you may want to look at the WebSphere Proxy in this case. – Paul Bastide Oct 16 '13 at 12:28
  • It's acceptable to do what? Using the Ajax proxy for that? I don't think it can be configured to have a shared secret with the 3rd party app such that it can be trusted. I'm currently exploring decrypting and verifying the LTPA token myself, just like a regular IBM application would. However there are no official libraries to decrypt/verify - I will have to live with the small uncertainty that my code will break when the LTPA encryption algorithms change. – BennyLau Oct 17 '13 at 14:57
  • it's not going to, and there is backwards compatibility in the tokens – Paul Bastide Oct 17 '13 at 15:02
  • In this case, it seems to be the best solution to decrypt the token and extract the user information from there. The included signature in the token should guarantee that the token cannot be forged by an attacker. Thanks again for your insights, Paul. – BennyLau Oct 18 '13 at 09:56

0 Answers
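The thread turns on one point: a user id that the widget forwards on its own is attacker-controlled, while an identity assertion produced by a trusted server-side component (Paul's custom proxy, or the shared-secret arrangement BennyLau asks about) can be checked by the backend. The following Python is an added example that is not part of the original question or comments, and it is not IBM's LTPA token format nor a feature of the Connections Ajax proxy. It models the shared-secret design with a constructed HMAC-SHA256 scheme: the trusted proxy, having already established the authenticated principal, signs the user id with a timestamp and nonce; the backend accepts the user only if the MAC verifies under the same secret and the assertion is fresh. The secret value and the `|`-separated payload layout are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed placeholder; a real deployment provisions this out of band
# and knows it only on the trusted proxy and the backend.
SHARED_SECRET = b"example-shared-secret-placeholder"
TOKEN_TTL_SECONDS = 300


def proxy_sign_identity(user, secret=SHARED_SECRET, now=None):
    """Trusted proxy side (hypothetical servlet that has already verified
    the principal): wrap the user id in a signed, time-limited assertion.
    Returns '<urlsafe-base64 payload>.<hex HMAC-SHA256>'."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    # Assumed payload layout: user | issue time (unix seconds) | nonce.
    # User ids containing '|' are rejected at verification time.
    payload = f"{user}|{now}|{nonce}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def backend_verify_identity(token, secret=SHARED_SECRET, now=None,
                            ttl=TOKEN_TTL_SECONDS):
    """Backend side: return the asserted user id only if the MAC verifies
    and the assertion was issued within `ttl` seconds; otherwise None.
    A plain forwarded username (no MAC, or a MAC under another key) and a
    payload that was altered after signing both fail here."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        user, issued_at, _nonce = payload.decode().split("|", 2)
        issued_at = int(issued_at)
    except (ValueError, UnicodeDecodeError):
        # Malformed token (bad base64, missing fields, non-numeric time).
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check does not leak by timing.
    if not hmac.compare_digest(expected, mac):
        return None
    # Reject replays of old assertions and clocks skewed into the future.
    if not 0 <= now - issued_at <= ttl:
        return None
    return user


def demo():
    """Show the genuine assertion being accepted and three forgeries refused."""
    genuine = proxy_sign_identity("alice", now=1000)
    _, mac = genuine.split(".", 1)
    # Forgery 1: reuse a valid MAC with a different user id.
    forged_user = base64.urlsafe_b64encode(b"admin|1000|0000").decode() + "." + mac
    # Forgery 2: a widget that simply forwards the name it knows.
    bare_forward = "admin"
    return {
        "genuine": backend_verify_identity(genuine, now=1100),
        "forged_user": backend_verify_identity(forged_user, now=1100),
        "bare_forward": backend_verify_identity(bare_forward, now=1100),
        "expired": backend_verify_identity(genuine, now=1000 + TOKEN_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The proxy still has to be the only party that can reach the backend with this header (network placement or TLS client authentication), since the scheme proves who issued the assertion, not who carried it; the nonce and timestamp limit replay but do not replace that boundary.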