How to extract password from an Echelon script when doing Basic Authentication

We're working on an app that requires us to integrate with multiple
backend systems (Siebel, PeopleSoft, Oracle) using the user's provided
login credentials.

We are able to get the user-entered password into an Echelon login
hook when using custom authentication, so we can persist it to the
user table and use it for authenticating with the backend systems.

But we also need to authenticate through WebSEAL - so when we set
the Auth Type to Basic, we no longer see the password coming into the
Python login hook. We do, however, get the username, but the password is
blank. We are using the #USERID# and #PASSWORD# macros in the REST
plugin configuration.

Is there any way that the user-entered password can be pulled up in
the app while using Basic authentication?

Additionally, is it possible to extract the HTTP header values in the
incoming request to the AppServer within the app, as WebSEAL can be
configured to pass additional parameters along with the request to the
AppServer?

Kanishka

3 Comments

  • ALEXANDER GOLDEN

    A few clarifications: In Verivo terminology, 'Basic' authentication refers to using the Verivo database as the source for username and password validation.  Based on your description above, I assume you mean 'Integrated' authentication, where the authentication is handled by the IIS instance, and not by the Verivo database.

    Echelon is a feature that is built into several Verivo plug-ins to allow for the execution of custom scripts as part of the plug-in request and response process.  Because integrated authentication takes place directly between the phone client and the IIS instance, no plug-in is utilized and so no echelon scripts will be invoked.  Therefore it is not possible to intercept and store a password when using integrated authentication.

    If your back-end systems also require the typical Windows-style LDAP authentication, you may instead want to consider using ASP.NET impersonation (see http://msdn.microsoft.com/en-us/library/aa292118%28v=vs.71%29.aspx).  This feature ensures that, once a user logs in using integrated authentication, that user's credentials (and not those of the application pool owner) will be used in all future communication with back-end systems.  This way, you can avoid intercepting and storing the credentials, and instead allow IIS to manage this process on your behalf.

    As to your final question, exposure to the underlying HTTP header values is at the discretion of the individual plug-in.  At this time, neither the REST nor the WSDL plug-in (which are the foundation for more advanced plug-ins such as Siebel) exposes this value.  I definitely recommend logging an enhancement request if there is a particular plug-in where you'd like to see these values exposed.

    If this feature is an absolute requirement in the short-term, a custom plug-in can be developed to address this need.

    -Alex

    Mobile Architect

    Verivo Software

  • Kanishka Dhanasekara

    Hi Alex,

    Thanks for the response. We are using Basic Auth, but the login request is processed before arrival at the Verivo server by WebSEAL, which works as a reverse proxy (Client ==> WebSEAL ==> Verivo AppSvr) and authenticates the user with LDAP.  In this case, is there any option for us to capture the password, as some of the downstream components require user name/password for authentication and we really don't want to request the user to enter credentials multiple times?

    Thank You

    Kanishka

  • ALEXANDER GOLDEN

    Hi Kanishka,

    As noted above, if your downstream components also support basic authentication, you can use ASP.NET impersonation so that the user's credentials are 'cached' by IIS and then used in subsequent calls to other data sources.  In this case, the credentials (i.e., the username and password) are managed entirely by IIS and are transparent to the plug-in.

    At this time there is no way to intercept credentials when basic authentication is used.  Custom authentication through the use of a plug-in is the only supported method for intercepting and storing credentials.

    -Alex

    Mobile Architect

    Verivo Software
