Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Retrieve session information of an already logged session in DNG

Hello,

We have the following situation where the user logs in to the DNG web application and uses our custom made widget (Open Social Gadget).

Our custom made widget uses mostly the JavaScript API: https://jazz.net/wiki/bin/view/Main/RMExtensionsAPI702#MoveUpdate, but because of the limitations of this API we also have the need to use the OSLC API in order to have some actions performed. We have our small backend only for the OSLC API calls, which is not on the DNG server and it uses a different domain.

In order to make a call to the OSLC API we need again the username and password of the user. We would like to avoid requesting from the user the username and password again.

Is there a way to automatically retrieve (using a script or a request) the already created session ID (JSESSIONID, LtpaToken2, …) from the DNG web application in order to reuse it in our backend for the OSLC API calls?


Thank you.


0 votes


Accepted answer


Hi

You can't retrieve the username+password, that would be a horrible security chasm. But there's a widget function gadgets.io.makeRequest which gets the server to pass the logged-in user's authentication cookies through the RM server to a web service being called from your RM server, which can then make e.g. OSLC API calls back into RM as the user. Obviously your web service design needs to handle this with appropriate care.

There's a minimal working example in the extensions documentation https://jazz.net/wiki/bin/view/Main/RMExtensionsUsingExternalWebService702

NOTE: If you're using Jazz Authorization Server, I believe you'll need to add JSA_IDENTITY_SESSION (which is the cookie name for an authenticated JAS session) to the advanced property "Jazz authentication proxy SSO Cookies", see https://jazz.net/wiki/bin/view/Main/RMExtensionsAndWhitelists702 - or for WAS deployments it may be a different cookie name. Inspect the cookies your browser/widget uses to check the relevant authentication cookie names.

Possibly best to get the minimal working example to work on your deployment first, because that reduces variables if something isn't quite configured correctly, before then adapting your own web service to use this method.

HTH
Ian

vontean lucian selected this answer as the correct answer

1 vote
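The "appropriate care" the accepted answer asks of the web service, sketched as an added example that is not part of the original posts or of IBM's sample code: the backend replays only allowlisted authentication cookies, and only to one pinned RM origin. The host `rm.example.com`, the function names and the sample path are assumptions; the cookie names are the ones mentioned in this thread and must be checked against your deployment.

```javascript
// Added example: host, function names and allowlist are assumptions, not DNG/RM code.
const RM_ORIGIN = "https://rm.example.com";            // hypothetical RM server
const AUTH_COOKIES = new Set([                          // names mentioned in the thread;
  "JSESSIONID", "LtpaToken2", "JSA_IDENTITY_SESSION",   // confirm on your deployment
]);

// Parse a Cookie header into [name, value] pairs, skipping malformed parts.
function parseCookieHeader(header) {
  const pairs = [];
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq <= 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    // Reject control characters so a value cannot inject extra header lines.
    if (!name || /[\x00-\x1f\x7f]/.test(name + value)) continue;
    pairs.push([name, value]);
  }
  return pairs;
}

// Build the outbound OSLC request from the cookies the RM server passed through.
// Throws rather than send session cookies anywhere but the pinned RM origin.
function buildOslcRequest(incomingCookieHeader, targetUrl) {
  const url = new URL(targetUrl);                 // throws on unparsable input
  if (url.origin !== RM_ORIGIN) {
    throw new Error("refusing to send session cookies to " + url.origin);
  }
  const kept = parseCookieHeader(incomingCookieHeader)
    .filter(([name]) => AUTH_COOKIES.has(name));
  if (kept.length === 0) {
    throw new Error("no authentication cookie was passed through");
  }
  return {
    url: url.href,
    headers: {
      Cookie: kept.map(([n, v]) => n + "=" + v).join("; "),
      Accept: "application/rdf+xml",
      "OSLC-Core-Version": "2.0",
    },
    // For logs: cookie names only, never values.
    audit: { target: url.pathname, cookies: kept.map(([n]) => n) },
  };
}

// Constructed sample input, not captured from a real session.
const SAMPLE_COOKIES = "JSESSIONID=abc123; theme=dark; LtpaToken2=tok==; bad";
```

The returned object can be handed to whatever HTTP client the backend uses; the `audit` field is what should reach the logs instead of the `Cookie` header.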


One other answer


Here are my 2 cents.

No, it is not possible to get information such as used passwords from an authenticated session. In fact, as far as I have been involved with these technologies, there are built-in features to actively prevent users from being able to do that.

You would need to use techniques such as OAuth to be able to access the other server. OAuth is the mechanism that is used in the Jazz Tools and that sometimes shows when the popup window comes up and authenticates you when switching from JTS to RM.

See


For some additional information.

0 votes

Question details

Question asked: Feb 28 '22, 3:45 a.m.

Question was seen: 1,030 times

Last updated: Mar 01 '22, 7:30 a.m.
