BlueMix SingleSignOn, How to call REST API of a BlueMix App with SSO service enabled

I have a BlueMix app with a few RestAPI calls. After adding the SingleSignOn Service to this app, I am not able to make RestAPI calls via the app endpoint. Is there a way to pass the Authentication of SSO via the REST call headers?

The SSO is configured with cloud Directory enabled. How should I pass user details along with the Bluemix app REST API call?

As of now I can only use the browser to log in via SSO into the app and perform REST calls only in the same browser.

Example RestCall -> http://myapp.mybluemix.net/sm/metadata

web.xml extract:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<display-name>SolutionManager</display-name>
<filter>
    <filter-name>RequestRedirect</filter-name>
    <filter-class>com.ibm.ba.ssl.RedirectFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RequestRedirect</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>com.ibm.ba.sm.auth.AuthenticationFilter</filter-class>
</filter>   
<filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>   
<servlet>
    <description>
    </description>
    <display-name>sample</display-name>
    <servlet-name>sample</servlet-name>
    <servlet-class>com.ibm.ba.ers.ErsServlet</servlet-class>
    <enabled>true</enabled>
    <async-supported>false</async-supported>
</servlet>
<servlet-mapping>
    <servlet-name>sample</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>
<resource-ref>
    <description>MQLight Service</description>
    <res-ref-name>jms/MQLight-mc</res-ref-name>
    <res-type>javax.jms.ConnectionFactory</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>

<listener>
  <listener-class>
      com.ibm.ba.SMAppStart
  </listener-class>
</listener>

<security-constraint>
    <display-name>Authenticated Users</display-name>
    <web-resource-collection>
        <web-resource-name>ALL</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Users</role-name>
    </auth-constraint>
</security-constraint>

Thanks, Lokesh

To access any service on Bluemix, you need to provide a bearer token along with it. To get the bearer token, use the API call below:

POST http://login.ng.bluemix.net/UAALoginServerWAR/oauth/token

request body: "grant_type=password&username=[your-bluemix-id]&password=[your-bluemix-password]"

headers: { 'authorization': 'Basic Y2Y6', 'accept': 'application/json', 'content-type': 'application/x-www-form-urlencoded' }

Response would be like: { "access_token": "[value_from_access_token]", "token_type": "bearer", "refresh_token": "[value2]", "expires_in": 43199, "scope": "password.write cloud_controller.write openid cloud_controller.read", "jti": "20e70e6e-5700-476c-bc15-7869c5fb4b07" }

To make REST calls for your services, use the headers mentioned below:

{'accept': 'application/json', 'content-type': 'application/json', 'authorization': 'bearer[space][value_from_access_token]'}

The answers you have received so far are not correct for the new SSO service (which includes support for in-cloud registry). When you added the SSO service to your application, J2EE security constraints were applied to your application and the SSO service became the authentication source for satisfying those security constraints. This is ultimately why you currently require the browser cookie(s) obtained after browser authentication to make your REST calls.

Without seeing your deployed application's web.xml and server.xml files it's not clear what the best way forward is; however, you may need to build an EAR file with explicitly defined security constraints and make your REST API endpoints unauthenticated or authenticated via another mechanism.
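The split of security constraints suggested in the answer above could look like the following web.xml fragment. This is an added example, not part of the original posts or of the asker's deployed descriptor. It assumes the runtime honours the packaged descriptor, that the REST endpoints live under `/sm/*` as in the question's sample URL, and that `com.example.api.BearerTokenFilter` is a hypothetical filter you write to authenticate API callers.

```xml
<!-- Added example. BearerTokenFilter is a hypothetical class (assumption):
     it must reject any /sm/* request without a valid token with HTTP 401,
     because the container no longer authenticates these URLs. -->
<filter>
    <filter-name>ApiTokenFilter</filter-name>
    <filter-class>com.example.api.BearerTokenFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ApiTokenFilter</filter-name>
    <url-pattern>/sm/*</url-pattern>
</filter-mapping>

<!-- Browser-facing resources: still require the Users role, which the SSO
     service satisfies. No http-method elements are listed, so the constraint
     covers every method; an explicit list leaves unlisted methods unprotected. -->
<security-constraint>
    <display-name>Authenticated Users</display-name>
    <web-resource-collection>
        <web-resource-name>ALL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Users</role-name>
    </auth-constraint>
</security-constraint>

<!-- REST endpoints: a constraint with no auth-constraint. The Servlet
     specification applies the constraint on the best-matching url-pattern,
     so /sm/* requests bypass the SSO login and reach ApiTokenFilter instead. -->
<security-constraint>
    <display-name>REST API</display-name>
    <web-resource-collection>
        <web-resource-name>API</web-resource-name>
        <url-pattern>/sm/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<security-role>
    <role-name>Users</role-name>
</security-role>
```

With this layout the filter is the only control on `/sm/*`, so it has to fail closed on a missing, expired or malformed token.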
