2
votes

I have a BlueMix app with a few REST API calls. After adding the Single Sign-On service to this app, I am not able to make REST API calls via the app endpoint. Is there a way to pass the SSO authentication via the REST call headers?

The SSO is configured with Cloud Directory enabled. How should I pass user details along with the Bluemix app REST API call?

As of now I can only use the browser to log in via SSO into the app and perform the REST call only in the same browser.

Example REST call -> http://myapp.mybluemix.net/sm/metadata

web.xml extract:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<display-name>SolutionManager</display-name>
<filter>
    <filter-name>RequestRedirect</filter-name>
    <filter-class>com.ibm.ba.ssl.RedirectFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RequestRedirect</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>com.ibm.ba.sm.auth.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
    <description>
    </description>
    <display-name>sample</display-name>
    <servlet-name>sample</servlet-name>
    <servlet-class>com.ibm.ba.ers.ErsServlet</servlet-class>
    <enabled>true</enabled>
    <async-supported>false</async-supported>
</servlet>
<servlet-mapping>
    <servlet-name>sample</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>
<resource-ref>
    <description>MQLight Service</description>
    <res-ref-name>jms/MQLight-mc</res-ref-name>
    <res-type>javax.jms.ConnectionFactory</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>

<listener>
  <listener-class>
      com.ibm.ba.SMAppStart
  </listener-class>
</listener>

<security-constraint>
    <display-name>Authenticated Users</display-name>
    <web-resource-collection>
        <web-resource-name>ALL</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Users</role-name>
    </auth-constraint>
</security-constraint>

Thanks, Lokesh

2
Is the caller of this REST API on Bluemix and bound to the same SSO service? - Ram Vennam
Yes, the REST API is part of my Bluemix app and exposed via the app's endpoint. Without the SSO service, if I do a GET call for the above example REST call, it returns a JSON. After binding the SSO to my app, the same GET call will return the HTML of the SSO landing page. How should I be passing SSO credentials along with the GET call to reach my app's endpoint? - Lokesh Sreedhar

2 Answers

1
votes

To access any service on Bluemix, you need to provide a bearer token along with the call. To get a bearer token, use the API call below:

POST http://login.ng.bluemix.net/UAALoginServerWAR/oauth/token

request body: "grant_type=password&username=[your-bluemix-id]&password=[your-bluemix-password]"

headers: { 'authorization': 'Basic Y2Y6', 'accept': 'application/json', 'content-type': 'application/x-www-form-urlencoded' }

Response would be like: { "access_token": "[value_from_access_token]", "token_type": "bearer", "refresh_token": "[value2]", "expires_in": 43199, "scope": "password.write cloud_controller.write openid cloud_controller.read", "jti": "20e70e6e-5700-476c-bc15-7869c5fb4b07" }

To make REST calls to your services, use the headers mentioned below:

{'accept': 'application/json', 'content-type': 'application/json',

'authorization': 'bearer[space][value_from_access_token]'}
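The two-step exchange this answer describes, as an added example (not code from the answer or from Bluemix): it builds the password-grant request, parses the token response, and sends the bearer header to the asker's endpoint. It assumes https for the token endpoint (the answer shows plain http) and shows that the 'Basic Y2Y6' header is just base64("cf:").

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# https assumed for the token URL (the answer shows http): the request carries a password.
UAA_TOKEN_URL = "https://login.ng.bluemix.net/UAALoginServerWAR/oauth/token"
APP_URL = "http://myapp.mybluemix.net/sm/metadata"

def basic_client_header(client_id="cf", client_secret=""):
    # 'Basic Y2Y6' in the answer is just base64("cf:"): the public cf client, no secret
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def build_token_request(username, password):
    # Password grant; form-encoding keeps '&', '=' or '+' in credentials from breaking the body
    body = urllib.parse.urlencode({"grant_type": "password",
                                   "username": username,
                                   "password": password}).encode()
    headers = {"authorization": basic_client_header(),
               "accept": "application/json",
               "content-type": "application/x-www-form-urlencoded"}
    return UAA_TOKEN_URL, headers, body

def parse_token_response(json_text, now=None):
    # Return the token plus an absolute expiry (epoch seconds); refuse non-bearer tokens
    data = json.loads(json_text)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}

def bearer_headers(access_token):
    # Headers for the REST call itself: 'bearer<space><token>'
    return {"accept": "application/json",
            "content-type": "application/json",
            "authorization": "bearer " + access_token}

def call_api(username, password, url=APP_URL):
    # Live round trip: fetch a token, then call the app endpoint with it
    token_url, headers, body = build_token_request(username, password)
    req = urllib.request.Request(token_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        token = parse_token_response(resp.read().decode())
    req = urllib.request.Request(url, headers=bearer_headers(token["access_token"]))
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```

Keep the expires_at value: with the 43199-second lifetime shown in the answer, a long-running caller must refresh the token rather than retry a 401 forever.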

0
votes

The answers you have received so far are not correct for the new SSO service (which includes support for in-cloud registry). When you added the SSO service to your application, J2EE security constraints are applied to your application and the SSO service becomes the authentication source for satisfying those security constraints. This is ultimately why you currently require the browser cookie(s) obtained after browser authentication to make your REST calls.

Without seeing your deployed application's web.xml and server.xml files it's not clear what the best way forward is; however, you may need to build an EAR file with explicitly defined security constraints and make your REST API endpoints unauthenticated or authenticated via another mechanism.