Interfacing from ASP.NET

  • Interfacing from ASP.NET

    Is there a way I can have my ASP.NET web application authenticate a user using OTM (web service, API) if I pass the user id and password? I just need to know if the user is a valid user in OTM and if possible their SCAC code they are associated with.

    I would appreciate any info or links to this subject.

    Thank you.
    Last edited by shinsoft; January 9, 2008, 15:43. Reason: added more tags

  • #2
    Re: Interfacing from ASP.NET

    I can't think of a way to handle this with the currently exposed web service or XML APIs, though I can tell you that OTM 6.0 is going to expose much more functionality (including Agents) via web service APIs.

    I can think of two ways to tackle this.
    1. Create a servlet or similar lightweight app that verifies the OTM user directly against the OTM DB -- make sure that it only makes read requests and you won't ever have to worry about data issues.
    2. Utilize an SSO (Single Sign-On) infrastructure, so that a centralized LDAP repository is used for all applications, including OTM. You can then query against this to see whether a user has access to OTM and/or other applications.
    Does anyone have an alternate suggestion?

    --Chris
    Chris Plough
    twitter.com/chrisplough
    MavenWire


    • #3
      Re: Interfacing from ASP.NET

      Chris,
      Thanks for your quick reply.

      Option 1 sounds good but I believe the password is stored with encryption so I couldn't validate it without first decrypting it. Is there a way to decrypt this within OTM?

      Thank you.


      • #4
        Re: Interfacing from ASP.NET

        Here's another suggestion, but I don't have an application in front of me to test it, so it may not work.

        Couldn't you just send an empty/bad XML message to the integration servlet? I know this will not validate the SCAC, but I think you can build an XML message that will fail purposely due to construct or some other reason. You could ignore that.

        Now I do realize this causes a little more overhead than one might desire.


        I think the DB method is probably the simplest, but like the other poster I believe it is encrypted.

        Good Luck!


        • #5
          Re: Interfacing from ASP.NET

          Actually, OTM uses a one-way password hash, so there's no way to decrypt. In order to compare, you'd have to encrypt the user-supplied password and then compare the two encrypted values to each other.

          Now, it has been a long time since I've worked with this code (around 4 years), but I believe that the password encryption in OTM is based on the Base64 algorithm (no pun intended). If your OTM environment and classpath are set up, you can get the Base64 encoded version of a password by using the following command:
          Code:
          glog.util.appclass.Base64Encoding <text password>
          You'll need to test this, to ensure it hasn't changed, but this should help.

          --Chris
          Chris Plough
          twitter.com/chrisplough
          MavenWire


          • #6
            Re: Interfacing from ASP.NET

            Originally posted by chrisplough
            Actually, OTM uses a one-way password hash, so there's no way to decrypt. In order to compare, you'd have to encrypt the user-supplied password and then compare the two encrypted values to each other.

            Now, it has been a long time since I've worked with this code (around 4 years), but I believe that the password encryption in OTM is based on the Base64 algorithm (no pun intended). If your OTM environment and classpath are set up, you can get the Base64 encoded version of a password by using the following command:
            Code:
            glog.util.appclass.Base64Encoding <text password>
            You'll need to test this, to ensure it hasn't changed, but this should help.

            --Chris

            Thanks for the suggestion. We'll give that a try. Is there documentation that would describe
            Code:
            glog.util.appclass.Base64Encoding <text password>
            in more detail?

            Thank you.


            • #7
              Re: Interfacing from ASP.NET

              No - unfortunately, there is no documentation. I only know about this functionality because I was involved in the development of OTM and this was one of the internal classes that we used now and then to Base64 encode passwords.

              Here's a quick description, though: The password that you pass to the class in clear text (<text password>) will be returned to you on the command line as the Base64 encoded equivalent. So, you pass it an argument, which is the clear-text password and it gives you the encoded version.

              --Chris
              Chris Plough
              twitter.com/chrisplough
              MavenWire


              • #8
                Re: Interfacing from ASP.NET

                There is a database stored procedure that will do the trick for you.

                pkg_gl_password.validate_password('user name','password')

                This is a boolean function that will return true if you supply the correct password for the user id. We are running version 5.5, CU2. I don't know in what other versions this function is available.

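One way to call the function named in post #8 from an ASP.NET application, as an added example that is not part of the original thread and is not OTM's own code. It assumes the ODP.NET managed driver, that `pkg_gl_password.validate_password` takes two string arguments and returns a PL/SQL BOOLEAN as that post describes, and that the connecting account can resolve the package without a schema prefix; the class, method and bind names are hypothetical.

```csharp
using System.Data;
using Oracle.ManagedDataAccess.Client; // ODP.NET managed driver (assumed)

public static class OtmCredentialCheck // hypothetical helper, not part of OTM
{
    // A PL/SQL BOOLEAN cannot be selected from plain SQL, so an anonymous
    // block maps the function result to 1/0 (a NULL result also yields 0).
    // Bind variables keep the user-supplied values out of the statement text.
    // The block is kept on one line to avoid line-ending issues in PL/SQL.
    private const string Block =
        "BEGIN " +
        "IF pkg_gl_password.validate_password(:p_user, :p_pass) THEN :p_ok := 1; " +
        "ELSE :p_ok := 0; END IF; " +
        "END;";

    // connectionString should name a dedicated account that holds only
    // EXECUTE on the package (assumption: the DBA can grant this).
    public static bool IsValidOtmUser(string connectionString, string userId, string password)
    {
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(password))
            return false;
        try
        {
            using (var conn = new OracleConnection(connectionString))
            using (var cmd = new OracleCommand(Block, conn))
            {
                cmd.CommandType = CommandType.Text;
                cmd.BindByName = true;
                cmd.Parameters.Add("p_user", OracleDbType.Varchar2, userId, ParameterDirection.Input);
                cmd.Parameters.Add("p_pass", OracleDbType.Varchar2, password, ParameterDirection.Input);
                var ok = cmd.Parameters.Add("p_ok", OracleDbType.Int32, ParameterDirection.Output);
                conn.Open();
                cmd.ExecuteNonQuery();
                // ODP.NET returns an Oracle numeric type; compare its text form.
                return ok.Value != null && ok.Value.ToString() == "1";
            }
        }
        catch (OracleException)
        {
            // Fail closed; log the error code elsewhere, never the password.
            return false;
        }
    }
}
```

The function as described returns only a yes/no answer, so the SCAC lookup from the original question needs a separate query.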