[Remote API] How to Authenticate User Without Prompting for Password

Lorenzo C.

Nov 15, 2016, 10:09:37 AM
to jBPM Development
Hi,

I am using the Remote Java API with jBPM 6.4 and I am trying to achieve one of the following:

1) Either Single Sign On
2) Or basic authentication with empty password

Regarding 1), I understand the Remote API does not support Single Sign-On. Is that correct? Is there perhaps any workaround I could use? Any idea?

Regarding 2), although it is possible to set up empty password in jBOSS, I have read somewhere that Remote API does not support it and a password must always be provided. Is there any way to bypass this control?

Or can you think of any other solution to achieve my use case which is: the user should be able to interact with jBPM via Remote Java API without having to enter their password.

Thank you so much.

Maciej Swiderski

Nov 16, 2016, 1:43:55 AM
to Lorenzo C., jBPM Development
by default it’s not possible to have it without authentication, but you can simply include the Authorization header with predefined user/password and that will authenticate directly without prompting.
On 15.11.2016, at 16:09, Lorenzo C. <harle...@gmail.com> wrote:

> Hi,
>
> I am using the Remote Java API with jBPM 6.4 and I am trying to achieve one of the following:
>
> 1) Either Single Sign On
> 2) Or basic authentication with empty password
>
> Regarding 1), I understand the Remote API does not support Single Sign-On. Is that correct? Is there perhaps any workaround I could use? Any idea?

depends on the sso solution. remote api has pluggable mechanism that allows you to set headers that will instruct app server how to deal with authentication

> Regarding 2), although it is possible to set up empty password in jBOSS, I have read somewhere that Remote API does not support it and a password must always be provided. Is there any way to bypass this control?

it relies on app server to perform authentication so if server will accept that request then it should work, but main question is why???

Maciej


Lorenzo C.

Nov 16, 2016, 8:56:22 PM
to jBPM Development, harle...@gmail.com
Maciej, thank you so much for your quick reply.

May I please follow up on your response?

> depends on the sso solution. remote api has pluggable mechanism that allows you to set headers that will instruct app server how to deal with authentication

The SSO solution is Kerberos. Do you think it is possible then? Would you have any useful link handy with how I can get started with this? Or even some key words would do.

> it relies on app server to perform authentication so if server will accept that request then it should work, but main question is why???

So here is my use case: the user logs in via SSO in my Java application. Then, I need the user to be able to interact with jBPM via Remote API used in my Java application. As of now, I need to ask the user for username/password although from my perspective they are already logged in via SSO. Thus, my options are: either I pass an empty password to JBOSS via the jBPM API (but this does not work although I set the "allow empty password" property to true in the LdapExtended module) or I authenticate the user again to JBOSS via Kerberos SSO but I don't know how to do that. You told me above that this should be possible by setting the headers and letting the app server (JBOSS) deal with the authentication, so it would be great if you could lead me in the right direction :)

Thank you so much,
Lorenzo

Lorenzo C.

Nov 29, 2016, 10:43:19 AM
to jBPM Development
My requirement #2 has been solved with this: https://github.com/uberfire/uberfire/pull/572

Still struggling to enable Kerberos SSO for REST API. I don't know where to start and was not able to find much available online :(

Maciej Swiderski

Nov 30, 2016, 1:24:08 AM
to Lorenzo C., jBPM Development
for workbench REST api I don't think you'll be able to achieve SSO as it only supports BASIC authentication type - it explicitly looks for Authorization header and assumes it's BASIC.

For kie server this might be more applicable as it completely delegates to application server for authentication and authorization.

Maciej

Lorenzo C.

Nov 30, 2016, 9:26:42 AM
to jBPM Development, harle...@gmail.com
Hi Maciej,

I was about to reach the same conclusion as I was going through the Uberfire code while fixing the empty-password login. However, something got me confused about one of your previous statements:

> depends on the sso solution. remote api has pluggable mechanism that allows you to set headers that will instruct app server how to deal with authentication

Which case is the above then? I thought you meant to say that I could just add my SPNEGO token to the headers and it will work for REST API. Or perhaps you were referring to some different APIs?

Thank you

Maciej Swiderski

Dec 1, 2016, 2:19:02 AM
to Lorenzo C., jBPM Development
That was mainly regarding kie server as it does rely on app server completely. 

Maciej 
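
Added example, not code from jBPM, Uberfire or either poster: the thread turns on which `Authorization` scheme an endpoint understands, so this sketch shows a server-side check that dispatches on the scheme instead of assuming Basic, and flags the empty-password case. The class and method names, the user `alice`, the password and the SPNEGO token placeholder are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;

// Hypothetical illustration class; not part of any jBPM, Uberfire or JBoss API.
public class AuthHeaderDemo {
    // Classify an Authorization header value: "<scheme> <credentials>".
    static String describe(String header) {
        if (header == null || header.trim().isEmpty()) {
            return "no credentials: answer 401 with a WWW-Authenticate challenge";
        }
        String[] parts = header.trim().split("\\s+", 2);
        String scheme = parts[0].toLowerCase(Locale.ROOT);
        String credentials = parts.length > 1 ? parts[1] : "";
        switch (scheme) {
            case "basic":
                return describeBasic(credentials);
            case "negotiate":
                // A SPNEGO token is not base64("user:password"); a Basic-only
                // endpoint cannot use it. It needs a Kerberos/GSS-API acceptor.
                return "negotiate: hand the token to the app server's SPNEGO acceptor";
            default:
                return "unsupported scheme '" + scheme + "': answer 401";
        }
    }

    // Decode Basic credentials; the password itself is never returned or logged.
    static String describeBasic(String credentials) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(credentials);
        } catch (IllegalArgumentException e) {
            return "basic: malformed base64, answer 401";
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) return "basic: missing ':' separator, answer 401";
        boolean emptyPassword = colon == decoded.length() - 1;
        return "basic: user=" + decoded.substring(0, colon)
                + (emptyPassword ? ", empty password" : ", password present");
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getEncoder(); // constructed sample headers below
        String basic = "Basic " + enc.encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        String empty = "Basic " + enc.encodeToString("alice:".getBytes(StandardCharsets.UTF_8));
        String spnego = "Negotiate PLACEHOLDER_SPNEGO_TOKEN";
        for (String h : new String[] {basic, empty, spnego, null}) {
            System.out.println(describe(h));
        }
    }
}
```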