Accessing BEs from outside the authenticated system

Posted by christian.bryan@capita.co.uk on 01-Mar-2019 16:00

Hi All 

We are looking to create a password reset option for our PAS application.

As part of this we need to allow the user to call various business entities to facilitate this, i.e. to look up OTPs and reset their password, essentially unauthenticated.

Our PAS is form-based authentication so will not allow the above unless you have authenticated, a 'catch-22'.

What have other folks done?

Could you use a 'dummy' account with limited privileges to give access to the password reset BEs only?

Do you create an anonymous PAS instead to serve these BEs and others like them?

Am I missing a trick?

Thanks

Christian.

Posted by Irfan on 01-Mar-2019 16:23

You can always change the authorization URLs.

For example, if you want to access the /web/SportsBE URL without any authentication, then in oeablSecurity.csv you can modify the authorization from a role to "permitAll()". This will allow you to run your ABL without going through any security authentication.

"/web/SportsBE","GET","permitAll()"

But if your ABL code does CP validation then you have to take care of that.
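As an added illustration (not from Irfan's post): an oeablSecurity.csv fragment that opens only a dedicated reset entity rather than a whole business entity, and keeps the role-based catch-all rules after it, since entries are matched top-down and the first match wins. The entity name /web/PasswordResetBE and the role name are assumed for the example.

```csv
# Constructed example; entity and role names are assumed.
# Entries are evaluated in order, first match wins, so narrow rules go first.

# Too broad: opens every GET on SportsBE, including reads that have
# nothing to do with the reset flow.
# "/web/SportsBE","GET","permitAll()"

# Narrower: a dedicated entity that holds only the OTP lookup and
# reset operations, opened for the single HTTP method those calls use.
"/web/PasswordResetBE","POST","permitAll()"

# Everything else under /web stays behind authentication.
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
"/**","*","denyAll()"
```

With permitAll() the ABL in the reset entity runs without an authenticated Client-Principal, so any CP validation it performs has to expect an anonymous caller, as the post above points out.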

Posted by christian.bryan@capita.co.uk on 01-Mar-2019 16:51

Hi Irfan

Thanks for that.

I was coming to the same conclusion!

Christian.

Posted by christian.bryan@capita.co.uk on 01-Mar-2019 16:58

Irfan

How would you call an invoke or method on this unauthenticated BE using the JSDO?

Thanks
