I am reading about the JSON API. They say that for security reasons you should include the Master Login Username & Master Login Password in the web service call, such as

/jw/web/json/workflow/process/start/testcall?j_username=kermit&hash=9449B5ABCFA9AFDA36B801351ED3DF66&loginAs=john

But this raised a question in my mind: what is the idea of hashing the password, since I am displaying the password hash value that will be matched against the hash value in the database?

So is it still insecure to say that the password hash value is 944...etc. instead of saying that the password is, for example, "password123"? I mean, in the end the value of the password is visible, whether as a hash value or not?


5 Comments

  1. Hi John,

    We are aware of this issue and have already started implementing a better solution for this in version 3.1. The authentication method is based on a cryptographic nonce. But users have the choice to use the existing authentication method if they wish.

    Any feedback is appreciated. Thanks.

    Best regards,

    Owen

    1. If I understand you correctly, do you mean that the current JSON API authentication method is not secure enough?
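To make the two points in this exchange concrete (the hash in the URL is itself the credential, and a nonce-based scheme is what changes that), here is an added Python illustration that is not part of the thread and not Joget's code; `USERS`, `verify_static_hash`, `NonceAuthenticator` and the sample hash value are constructed for the example, and the nonce scheme is a generic challenge-response model, not a description of how Joget 3.1 implements it.

```python
import hmac
import hashlib
import secrets

# Constructed sample store: username -> stored password hash (verifier).
# The value only mirrors the shape of the hash in the question; it is not real.
USERS = {"kermit": "9449B5ABCFA9AFDA36B801351ED3DF66"}


def verify_static_hash(params):
    """Model of the static scheme in the question: the caller sends the stored
    hash itself.  Whatever the server compares against is exactly what travels
    in the URL, so the hash is a long-lived bearer credential."""
    stored = USERS.get(params.get("j_username", ""))
    sent = params.get("hash", "")
    return stored is not None and hmac.compare_digest(stored, sent)


def client_proof(stored_hash, nonce):
    """What a legitimate caller computes: HMAC over the server nonce, keyed with
    the secret it knows.  The secret never leaves the caller."""
    return hmac.new(stored_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class NonceAuthenticator:
    """Illustrative challenge-response: the server hands out a single-use nonce,
    the caller proves knowledge of the stored hash with client_proof(), and the
    nonce is burned on first use so a recorded proof cannot be presented again."""

    def __init__(self):
        self._issued = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, username, nonce, proof):
        stored = USERS.get(username)
        if stored is None or nonce not in self._issued:
            return False
        # Burn the nonce before checking the proof: even a failed attempt
        # consumes it, so one challenge cannot be retried.
        self._issued.discard(nonce)
        expected = client_proof(stored, nonce)
        return hmac.compare_digest(expected, proof)


def run_demo():
    """Exercise both verifiers with the same request presented twice."""
    results = {}
    static_request = {"j_username": "kermit", "hash": USERS["kermit"]}
    results["static_first"] = verify_static_hash(static_request)
    # The identical URL is accepted every time: nothing ties it to one call.
    results["static_again"] = verify_static_hash(static_request)

    auth = NonceAuthenticator()
    nonce = auth.issue_nonce()
    proof = client_proof(USERS["kermit"], nonce)
    results["nonce_first"] = auth.verify("kermit", nonce, proof)
    # Same nonce and proof a second time: rejected, the nonce was consumed.
    results["nonce_again"] = auth.verify("kermit", nonce, proof)
    # A nonce the server never issued is rejected regardless of the proof.
    results["nonce_unissued"] = auth.verify("kermit", "not-issued", proof)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The static verifier shows why hashing alone does not help here: the server never sees the password, only the hash, so presenting the hash is equivalent to presenting the password. The nonce verifier still stores the same hash, but the value on the wire is a one-time proof bound to a server-issued challenge. Note that the nonce set here is process-local; a real deployment would expire nonces and scope them per user.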

  2. Hi John,

    That depends on the use case. The reason we introduced the Master Login is for API calls in which no actual user is involved.

    Example: in a scheduler, kick-starting a scheduled process for a user.

    The master login should not be used in JavaScript, because it will be disclosed to the end user. It is for server-side processing only. If you plan to call the JSON API using JavaScript, you are encouraged to log in the user with their actual username and Hashed Password.

    Hope this is clear. :)

    Best regards.

    1. Thanks a lot for your reply, and I would appreciate it if you could answer my four concerns below:

      First concern:

      Do you mean that I should NOT use any of the parameters below in the API call if I am doing the API call using JavaScript:

      1. j_username=kermit

      2. hash=9449B5ABCFA9AFDA36B801351ED3DF66

      3. loginAs=john

      since I will be exposing both the master login info (username & password) and also the loginAs info (username)?

      Second concern:

      Will calling the API using the following URL "/jw/web/json/workflow/process/start/testcall?j_username=kermit&hash=9449B5ABCFA9AFDA36B801351ED3DF66&loginAs=john" be secure as long as I call the API from the server and not from the client side using JavaScript (as I am currently doing)?

      Third concern:

      If I use SSL, will it then still be secure to call the API using JavaScript?

      Fourth concern:

      I read the link regarding the Hashed Password, but I cannot understand where and how I would write the Java class to do the hash for the loginAs parameter in my case. In my case I am calling the Joget API from an ASP.NET web application, so how would I hash the usernames from my ASP.NET web application?

      Best Regards

  3. I think you can create a plugin that implements PluginWebSupport

    and put this code in it:

        // Imports for the classes used below (Joget v3 package paths; verify against your version).
        import org.joget.apps.app.service.AppUtil;
        import org.joget.workflow.model.service.WorkflowManager;
        import org.springframework.context.ApplicationContext;

        // Obtain the Spring application context and the WorkflowManager bean,
        // then start the process on the server side; no credentials travel in the URL.
        ApplicationContext ac = AppUtil.getApplicationContext();
        WorkflowManager workflowManager = (WorkflowManager) ac.getBean("workflowManager");
        workflowManager.processStart(processDefinitionName);
        ...

    then call it using the URL

    localhost:8080/jw/web/json/plugin/org.joget.plugin.PluginName/service

    So you don't need to put your username and hashed password in the call.