It's all about the answers!

Ask a question

Retrieve session information of a already logged session in DNG


vontean lucian (132) | asked Feb 28, 3:45 a.m.
edited Feb 28, 3:46 a.m.
Hello,

 We have the following situation where the user logs in the DNG web application and uses our custom made widget (Open Social Gadget).

<o:p> </o:p>

Our custom made widget uses mostly the JavaScript API : https://jazz.net/wiki/bin/view/Main/RMExtensionsAPI702#MoveUpdate, but because of the limitations of this API <o:p> </o:p>

we also have the need to use the OSLC API in order to have some actions performed. We have our small backend only for the OSLC API calls which is not on the DNG server and it uses a different domain. <o:p> </o:p>

In order to make a call to OSLC API we need again the username and password of the user. We would like to avoid requesting from the user the username and password again. <o:p> </o:p>

<o:p>   </o:p>

Is there a way to automatically retrieve (using a script or a request) the already created session ID (JSESSIONID,LtpaToken2,…) from the DNG web application in order to reuse it in our backend for the OSLC API calls ?


Thank you.

<o:p> </o:p>

Accepted answer


permanent link
Ian Barnard (1.4k613) | answered Mar 01, 7:29 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Mar 01, 7:30 a.m.

 Hi


You can't retrieve the username+password,that would be a horrible security chasm. But there's a widget function gadgets.io.makeRequest which gets the server to pass the logged-in user's authentication cookies through the RM server to a web service being called from your RM server which can then make e.g. OSLC API calls back into RM as the user. Obviously your web service design needs to handle this with appropriate care.

There's a minimal working example in the extensions documentation https://jazz.net/wiki/bin/view/Main/RMExtensionsUsingExternalWebService702

NOTE If you're using Jazz authorisation Server, I believe you'll need to add JSA_IDENTITY_SESSION (which is the cookie name for an authenticated JAS session) to the advanced property "Jazz authentication proxy SSO Cookies" see https://jazz.net/wiki/bin/view/Main/RMExtensionsAndWhitelists702 - or for WAS deployments it may be a different cookie name. Inspect the cookies your browser/widget uses to check the relevant authentication cookie names.

Possibly best to get the minimal working example to work on your deployment first, because that reduces variables if something isn't quite configured correctly, before then adapting your own web service to use this method.

HTH
Ian

vontean lucian selected this answer as the correct answer

One other answer



permanent link
Ralph Schoon (61.1k33643) | answered Mar 01, 1:54 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Here my 2 cents. 


No, it is not possible to get information such as used passwords from an authenticated session. In fact, as far as I have been involved with these technologies, there are built in features to actively prevent users from being able to do that. 

You would need to use techniques such as OAuth to be able to access the other server. OAuth is the mechanism that is used in the Jazz Tools and that sometimes shows when the popup window comes up and authenticates you when switching from JTS to RM.

See


For some additional information.

Your answer


Register or to post your answer.