CS HttpOnly Setting and REST API

We migrated our Premise CS 16.2 Environment to MS AZURE CS 21.3. During our migration we ran into some problems with REST API calls within some complex HTML forms. We found out after investigation that the HttpOnly setting was set on our new environment and not in our old environment. This enabled the HTML form to retrieve the LLCookie via a Javascript call. We do this because we support SSO and do not want the user to provide credentials once he/she is logged in. In our forms that are built using Web Reports, we can do the same with [LL_REPTAG_OTCSTICKET QUOTE /] within the Ajax Call. Unfortunately, changing this HTML form which has a lot of relative references to .js and .css libs would be very tedious and undesirable. In the interim, we have disabled the HttpOnly setting and flagged the issue as a medium security threat which we are trying to deal with.

My Question is whether anyone would have some suggestions or guidance.

I have thought of a couple of options:

The HTML form is called from a Web Report via a formatted GRID with an edit button for each row (record). I could retrieve the OTCS/OTDS Ticket from the WR and pass it as a parameter to the HTML form. This would be relatively easy, but I wonder about passing the security token, but this would be encrypted via SSL/TLS.
Create a Web Report with one line[LL_WEBREPORT_EXCLUDEHTML /][LL_REPTAG_OTCSTICKET QUOTE /] which will have the token of the user who runs it. That would be great, but I don't know if you can run a WR from a HTML page and retrieve the results.

Any input would be appreciated.

Find more posts tagged with

Comments

Appu Nair

There's always going to be a "chicken & egg" thing. What I think you would benefit is basically "emulate" what the smartui page does which is essentially writing the credential to a webpage that one doesn't see ,the smartui page then retrieves this from the html page and starts calling rest api request with it .Perhaps if you look in a dev server the app.html which is the loading point of any smartui you will understand its mechanism. theres a onload page that usually hits this endpoint rest/authentication/headers .Thi sis the standard mechanism of rest to retrieve a SSO token so the output of this is used to call subsequent. It will take some digging . I think @Ferdinand Prantl actually has some articles written that may be more correct than what I said .

Ed Davis

I'll have a look at this. I did do a conversion to a Web Report of one of the less complicated forms and put all the required files (e.g. .js libs, .css styles, images, etc) in the Support Asset Volume (aka /appimg). At least I can preserve the URL's rather than a WR "Fetch" with the ID. Also makes it more manageable as it is less cryptic.

/appimg/common/IDA/IDA_Forms_Common/js/EcmaJSAPI.js

vs.

/otcs-sso/llisapi.dll?func=doc.Fetch&nodeid=4283904

Thanks!

Ed Davis

Would anyone else have any additional information on this. I did a forum search on "app.html", but did not find anything that seemed related. How does one look at (inspect) app.html. In my browser debugger I do not see app.html just node# endpoints plus all the supporting libs. Would I require "Back Office" access to the server to view this? Currently this is restricted for developers because of Segregation of Duties (SOD) procedures. I may be able to get that for dev though.

Appu Nair

Here are some @Ferdinand Prantl gems

Good one 1 https://forums.opentext.com/forums/support/discussion/comment/944878#Comment_944878

Good one 2 https://forums.opentext.com/forums/developer/discussion/comment/950248#Comment_950248

https://forums.opentext.com/forums/support/discussion/comment/951625#Comment_951625

https://forums.opentext.com/forums/developer/discussion/comment/947030#Comment_947030

you will find a Oscript weblingo file called app.html in this path

<OTHOME>\core\module\csui\html

OT recently re architected a whole lot but the idea is a vanishing iframe is responsible for collecting the ticket from OTDS

Ed Davis

Thanks do much, I will review