OTDSWS authorization fail when upgrading to clustered env

yaronlu

Hi,

We have a Rest API feature running on a backend server in this path:
http://CSAdmin/img/csui/widgets/cust_widgets/test/uploadattrs/OT_UI_DATA.html
This is working fine.

The authentication in the API is made via OTDSWS:
$.ajax({
            url: "http:// ArchiveServer:8080/otdsws/rest/authentication/headers"
            type: "GET",
            dataType: "json",
            crossDomain: true,
            xhrFields: {
                withCredentials: true
            },
            success: function (data) {
                ticket = data.ticket;
                PostLoadActions();
            }
        });
    } 

And the calling to the Rest actions is done like this:

$.ajax({
        type: "GET",
        url: "http:// CSAdmin /OTCS/llisapi.dll/api/v1/" + strRestAct,
        dataType: "json",
        crossDomain: true,
        xhrFields: {
            withCredentials: true
        },
        beforeSend: function (request) {
            request.setRequestHeader("OTDSTicket", ticket);
        },
        success: function (resp) {
            if (intActCode == 4) {
                handleNodeInfo(resp);
                strErrMsg = "The profile ID is not a valid OpenText Node ID";
            }
        },
        error: function (e) {
            alert('Error: \n' + e.statusText + "\n" + strErrMsg);
        }
    });

----------------------------------------------------------------------------------------------------------
All was working well until we moved the API to the FrontendServer.
This is the error message from the tomcat at the clustered env:

HTTP Status 401 – Unauthorized
________________________________________
Type Status Report
Description The request has not been applied because it lacks valid authentication credentials for the target resource.
________________________________________
Apache Tomcat/8.5.14

This is the new structure in the cluster:

API URL
http://CSFrontEnd/img/csui/widgets/cust_widgets/test/uploadattrs/OT_UI_DATA.html

Authentication url: 
http:// CSAdmin:8080/otdsws/rest/authentication/headers - this server name was taken from the login URL to the frontEnd CS

Rest Actions url:
http:// CSFrontEnd /OTCS/llisapi.dll/api/v1/" + strRestAct,

Also in the IIS of the FrontEnd we added these Response Headers:
Access-Control-Allow-Origin =  "http:// CSAdmin:8080/*" 
Access-Control-Allow-Credentials = "true" 

----------------------------------------------------------------------------------

What should I add in the new clustered structure to make the authentication work again?

Thanks

Yaron

 
 

Ferdinand Prantl

1. Please, do not use this:

  xhrFields: {    withCredentials: true  },

CS REST API forbids cookies for authentication. It strips the request and response of all cookies to avoid a CFRF attack.

2. The following is not needed:

  crossDomain: true,

3. Please, remove these headers from the IIS configuration:

  Access-Control-Allow-Origin = "http:// CSAdmin:8080/*"  Access-Control-Allow-Credentials = "true"

They will break the CORS implementation built in to CS REST API. The first one will be duplicated and fail the browser seaurity check. The second one will not have any effect, because CS REST API strips the communication off cookies. But it opens a vulnerability against CSRF for custom request handlers.

4. If you have authentication problems in a clustered or load-balanced environment, you have either ensure, that the same server serves the same client, or that the IP address is not a part of the authentication token. I recommend you going to the CS administration swecurity settings and remove the IP address from the LLCookie sources.