Hi,
Our requirement is to have a separate login page within IS for our application.
I tried looking into the User class but couldn't find a way to validate the username/password entered by the user. Does anyone have any suggestions on how to implement this functionality using a Java service/flows?
When you log on to the IS, your username and password are validated (except for flows with an anonymous ACL). What are you trying to do?
I think you need to configure flows protected with ACLs and users belonging to groups who are allowed to access the flows. Protect your .dsp with .access. Please check the wM docs for this.
You can construct a pluggable authentication module that IS will use to authenticate users invoking services. This is an expert-level task.
In addition, you can configure IS authentication to use an LDAP-based user repository including MS Active Directory’s LDAP interface. NIS-based authentication was deprecated with IS 6.5, I think.
Unless your requirements are really specialized either the default or LDAP-based authentication should be more than sufficient.
From a flow service, how can you find out who the user is? Example, an external user invokes a flow service. The message itself says the sender is 1111 (1111), but I want to make sure it’s 1111 and not 7777 actually sending the message.
I thought pub.flow:transportInfo or pub.flow:getTransportInfo might give me what I need, but it doesn’t appear they do.
Service.getSession() will get the current Session object. Session.getUser() will get the user object from the Session.
I don't see the value in what you are attempting to do. If the user has rights to invoke your service, they have already been authenticated. Looking inside data passed to that service to see if a userID matches does not provide much, if any, additional security unless the data contains a set of credentials that can be authenticated and/or authorized separately.
Thanks, that works great. I was actually looking to see if flow could do it, but this is fine too.
Sure, the IS validates the user, but I'm trying to make sure the user is sending his own information and not forging another user's info.
For example, Acme and Widgets are my trading partners. They may be each other's main competitor. I want to verify that Acme is sending Acme data, etc. Acme should send data like this:
Acme
and not like this:
Widgets
So, I simply want to check the communication user against the sender element (or some derivative thereof).
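The check described in this post, built on the Service.getSession()/Session.getUser() answer given earlier in the thread, as an added example (this is not code from the thread or from webMethods; the pipeline input name "sender", the class name, and the login-to-sender-id mapping are assumptions for illustration):

```java
// Added example, not from the original thread. An Integration Server Java service
// that compares the sender id carried in the message with the user IS actually
// authenticated for this session. Assumed: the document's sender element has
// already been mapped into a pipeline String input named "sender".
import java.util.HashMap;
import java.util.Map;

import com.wm.app.b2b.server.Service;
import com.wm.app.b2b.server.ServiceException;
import com.wm.app.b2b.server.Session;
import com.wm.app.b2b.server.User;
import com.wm.data.IData;
import com.wm.data.IDataCursor;
import com.wm.data.IDataUtil;

public final class SenderCheck {

    // Hypothetical mapping of IS login name -> sender id the partner is allowed to use
    // (e.g. a DUNS-style number). Partners not listed here must send their login name.
    private static final Map<String, String> SENDER_BY_USER = new HashMap<String, String>();
    static {
        SENDER_BY_USER.put("acme", "1111");     // constructed sample values
        SENDER_BY_USER.put("widgets", "7777");  // constructed sample values
    }

    // Java service entry point. Input: "sender" (String). Output: "verified" ("true").
    // Throws ServiceException, which fails the flow, when the sender id is not the
    // one the authenticated user is allowed to use.
    public static final void verifySender(IData pipeline) throws ServiceException {
        IDataCursor cursor = pipeline.getCursor();
        String sender;
        try {
            sender = IDataUtil.getString(cursor, "sender");
        } finally {
            cursor.destroy();
        }

        // The session is established by IS after it validated the caller's credentials.
        Session session = Service.getSession();
        if (session == null) {
            throw new ServiceException("No session: service must be invoked by an authenticated user");
        }
        User user = session.getUser();
        String loginName = (user == null) ? null : user.getName();

        if (!senderAllowedFor(loginName, sender)) {
            // Reject the document instead of processing it under a forged sender id.
            throw new ServiceException("Sender id '" + sender
                    + "' does not match authenticated user '" + loginName + "'");
        }

        cursor = pipeline.getCursor();
        try {
            IDataUtil.put(cursor, "verified", "true");
        } finally {
            cursor.destroy();
        }
    }

    // Returns true only when both values are present and the sender id is the one
    // registered for this login (or equals the login itself when none is registered).
    static boolean senderAllowedFor(String loginName, String sender) {
        if (loginName == null || sender == null) {
            return false;
        }
        String expected = SENDER_BY_USER.get(loginName);
        if (expected == null) {
            expected = loginName;
        }
        return expected.equals(sender.trim());
    }
}
```

Invoke verifySender as the first step of the receive flow, after the sender element has been mapped to the "sender" input, so a mismatch stops processing before any partner data is acted on. As the later replies in the thread point out, this only ties the sender element to the credential IS already checked; it is not a substitute for credentials carried in the message itself.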
Yes, but merely comparing a username against the username that the user logged in with will not do much for you. You can do it, and it might increase security by a small amount, but don't kid yourself that this is much more secure.
Real, message-level security needs to contain some type of user credentials that can be authenticated against an authoritative source. A sender id alone is not sufficient for this.
A late comment, but just thought I'd say that the 'sender authorized' check 'biggunks' mentioned is pretty important. Otherwise it's possible for an (authenticated) user to 'forge' transactions undetected.
The main webMethods Trading Networks receive service, wm.tn:receive, does this check. However, other wM-supplied services (e.g. the receive service in the wM CommerceOne OnRamp adapter) miss out on it.
Long back, I had discussed this check in this ezine article:
wmusers.com
(see ‘The Importance of “Sender Verification”’ towards the end)