[shinsoft]

Is there a way I can have my ASP.NET web application authenticate a user using OTM (web service, API) if I pass the user id and password? I just need to know if the user is a valid user in OTM and if possible their SCAC code they are associated with.

I would appreciate any info or links to this subject.

Thank you.

[chrisplough]

I can't think of a way to handle this with the currently exposed web service or XML APIs, though I can tell you that OTM 6.0 is going to expose much more functionality (including Agents) via web service APIs.

I can think of two ways to tackle this.

1. Create a servlet or similar lightweight app that verifies the OTM user directly against the OTM DB -- make sure that it only makes read requests and you won't ever have to worry about data issues.
2. Utilize an SSO (Single Sign-On) infrastructure, so that a centralized LDAP repository is used for all applications, including OTM. You can then query against this to see whether a user has access to OTM and/or other applications.

Does anyone have an alternate suggestion?

--Chris

[shinsoft]

Chris,
Thanks for your quick reply.

Option 1 sounds good but I believe the password is stored with encryption so I couldn't validate it without first decrypting it. Is there way to decrypt this within OTM?

Thank you.

[gig]

Here's another suggestion, but I've don't have an application in front of me to test it so it may not work.

Couldn't you just send an empty/bad XML message to the integration servlet? I know this will not validate the SCAC, but I think you can build an XML message that will fail purposely due to construct or some other reason. You could ignore that.

Now I do realize this causes a little more overheard than one might desire.


I think the DB method is probably the simplest, but like the other poster I believe it is encrypted.

Good Luck!

[chrisplough]

Actually, OTM uses a one-way password hash, so there's no way to decrypt. In order to compare, you'd have to encrypt the user-supplied password and then compare the two encrypted values to each other.

Now, it has been a long time since I've worked with this code (around 4 years), but I believe that the password encryption in OTM is based on the Base64 algorithm (no pun intended). If your OTM environment and classpath are setup, you can get the Base64 encoded version of a password by using the following command:

Code:

glog.util.appclass.Base64Encoding <text password>

You'll need to test this, to ensure it hasn't changed, but this should help.

--Chris

[shinsoft]

Quote:

Originally Posted by chrisplough

Actually, OTM uses a one-way password hash, so there's no way to decrypt. In order to compare, you'd have to encrypt the user-supplied password and then compare the two encrypted values to each other.

Now, it has been a long time since I've worked with this code (around 4 years), but I believe that the password encryption in OTM is based on the Base64 algorithm (no pun intended). If your OTM environment and classpath are setup, you can get the Base64 encoded version of a password by using the following command:

Code:

glog.util.appclass.Base64Encoding <text password>

You'll need to test this, to ensure it hasn't changed, but this should help.

--Chris

Thanks for the suggestion. We'll give that a try. Is there a documentation that would describe

Code:

glog.util.appclass.Base64Encoding <text password>

in more detail?

Thank you.

[chrisplough]

No - unfortunately, there is no documentation. I only know about this functionality because I was involved in the development of OTM and this was one of the internal classes that we used now and then to Base64 encode passwords.

Here's a quick description, though: The password that you pass to the class in clear text (<text password>) will be returned to you on the command line as the Base64 encoded equivalent. So, you pass it an argument, which is the clear-text password and it gives you the encoded version.

--Chris

[rwitalka]

There is a databse stored procedure that will do the trick for you.

pkg_gl_password.validate_password('user name','password')

This is a boolean function that will return true if you supply the correct password for the user id. We are running version 5.5, CU2. I don't know in what other versions this function is available.