Hello there.
I am facing an authorization issue on the Integration Server.
I have developed a REST Service which checks the state of each IS package. In order to perform the check
that service calls wm.server.packages:packageList to get the complete list of available packages and then iterates over the returned array.
Unfortunately most of the Wm* packages set the “Package List ACL” to “Developers”.
As the user that requests the REST resource is not a member of this group, the wm.server.packages:packageList
does not return the complete list. When I call the REST service with the Administrator user everything is working fine.
(As a workaround I put the requesting user into my admin group, so the wm.server.packages:packageList returns all packages - but I do not want that user to be part of our administrators)
Is there a way to run the wm.server.packages:packageList service (or other services) within my service implementation with another user (maybe the Administrator) than the user from the original HTTP request?
Kind regards,
Martin
Hi,
you can put the requesting users in a (custom) group which is a member of the Developers ACL, but not of the Administrators ACL.
Additionally make sure that these users are able to list your custom packages.
Regards,
Holger
Hi Holger,
thank you for your reply. I think this will be the last option.
I have tried to call the wm.server.packages:packageList as a REST service via http://hostname/invoke/wm.server.packages:packageList which is working. Unfortunately that service call returns an HTML page.
Do you (or anybody else) know how to call the REST service to get a response that can be parsed into an IData structure?
Kind regards,
Martin
You should be able to run a service as a specific user because the Scheduler does something similar with the Run As User option. However, you will have to use undocumented APIs and you’ll have to spend some time trying to figure out how to do it. I’m not sure it’s worth it. If you want to go down that route, I suggest you start with the class com.wm.app.b2b.server.InvokeState.
One alternative to this is to write your own packageList service that gets the list of packages without ACL restrictions (e.g. get it directly from the file system).
Another alternative would be to have some other service generate the list of packages every so often (e.g. via a scheduled task) and store it somewhere (e.g. in a static ArrayList). Then, your web service could simply return that list. The advantage is that the scheduled task could run as Administrator and your web service could run under whatever ACL you want. Also, it may speed up the execution of the web service since the list will always be ready to go.
Regarding your last question, you need to set the Content-Type or Accept header to something like text/xml or application/json, and the IS will return the results in that format.
By the way, what are you trying to accomplish? I’m curious.
Percio
Hi Percio,
we want to offer that service to our Nagios environment. We are focussing on monitoring the IS processes from outside the IS. This is why I cannot use the service as a scheduled one.
But your hint regarding the Accept header was perfect. I’ve tried it out and I am getting exactly what I expect.
So thank you very much for your help!
Kind regards,
Martin
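The check discussed in this thread, as an added example that is not code from any of the posters: a Nagios-style evaluation of the packageList response requested with an Accept header, which also flags expected packages that are missing from the list (the symptom of the List ACL restriction) instead of silently passing. The JSON field names (`packages`, `name`, `enabled`, `loaderr`), the package name `MyMonitoring` and the sample response are assumptions for illustration; compare them with what your server actually returns.

```python
import base64
import json
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes

def build_request(base_url, user, password):
    """Build the packageList call; the Accept header makes the IS answer in JSON."""
    # Use an https base URL: Basic credentials are only base64-encoded.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url + "/invoke/wm.server.packages:packageList",
        headers={"Accept": "application/json", "Authorization": "Basic " + token},
    )

def evaluate(body, content_type, expected):
    """Map a packageList response to a (Nagios exit code, message) pair."""
    if "json" not in content_type.lower():
        return UNKNOWN, "UNKNOWN - got " + content_type + ", is the Accept header set?"
    try:
        doc = json.loads(body)
    except ValueError:
        return UNKNOWN, "UNKNOWN - body is not valid JSON"
    packages = doc.get("packages", []) if isinstance(doc, dict) else []
    # Assumed field names: name, enabled, loaderr.
    seen = {p.get("name"): p for p in packages if isinstance(p, dict)}
    # A user outside a package's List ACL gets a silently shortened list,
    # so an expected package that is absent is reported, not ignored.
    missing = sorted(set(expected) - set(seen))
    if missing:
        return UNKNOWN, "UNKNOWN - not listed (ACL or removed): " + ", ".join(missing)
    bad = sorted(
        n for n in expected
        if str(seen[n].get("enabled")).lower() != "true"
        or str(seen[n].get("loaderr", "0")) != "0"
    )
    if bad:
        return CRITICAL, "CRITICAL - disabled or load errors: " + ", ".join(bad)
    return OK, "OK - %d packages enabled and loaded" % len(expected)

# Constructed sample response, not captured from a real server.
SAMPLE = json.dumps({"packages": [
    {"name": "WmPublic", "enabled": "true", "loaderr": "0"},
    {"name": "MyMonitoring", "enabled": "false", "loaderr": "0"},
]})

if __name__ == "__main__":
    print(evaluate(SAMPLE, "application/json", ["WmPublic", "MyMonitoring"]))
```

The monitoring account passed to `build_request` can stay outside the Administrators group, as suggested earlier in the thread; the missing-package branch then shows immediately when its ACL membership is too narrow.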