I am reading about the JSON API; they say that for security reasons you should include the Master Login Username & Master Login Password in the web service call, such as
/jw/web/json/workflow/process/start/testcall?j_username=kermit&hash=9449B5ABCFA9AFDA36B801351ED3DF66&loginAs=john
But this raised a question in my mind: what is the idea of hashing the password, since I am displaying the password hash value that will be matched against the hash value in the database?
So it is still insecure to say that the password hash value is 944... etc. instead of saying that the password is, for example, "password123"? I mean, in the end the value of the password is visible, whether as a hash value or not?
5 Comments
Owen Ong
Hi John,
We are aware of this issue and have already started implementing a better solution for this in version 3.1. The authentication method is based on a cryptographic nonce. But users have the choice to keep using the existing authentication method if they wish.
Any feedback is appreciated. Thanks.
Best regards,
Owen
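An added example, not code from the thread or from Joget: a minimal model of the two checks discussed above, the static hash-in-URL login versus a nonce-based challenge. It shows why a captured hash is a reusable credential (the hash is the password, as the question suspects) while a nonce-bound proof is accepted only once and never carries the hash itself. The stored MD5 value, the parameter names and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> MD5 of the password, as the thread
# describes Joget storing it. The password here is made up for this example.
USERS = {"kermit": hashlib.md5(b"example-master-password").hexdigest()}


def check_hash_login(params: dict) -> bool:
    """Static scheme from the thread: ?j_username=..&hash=MD5(password).
    Anything that sees the URL (logs, proxies, history, page source) holds a
    credential the server accepts every time, so the hash is password-equivalent."""
    stored = USERS.get(params.get("j_username"))
    return stored is not None and hmac.compare_digest(stored, params.get("hash", ""))


_issued_nonces: set = set()   # server-side record of unspent challenges


def issue_nonce() -> str:
    """Server step 1: hand the client a fresh, single-use challenge."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return nonce


def client_sign(username: str, password_hash: str, nonce: str) -> dict:
    """Client step: bind the secret to this nonce; the hash itself never travels."""
    proof = hmac.new(password_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return {"j_username": username, "nonce": nonce, "proof": proof}


def check_nonce_login(params: dict) -> bool:
    """Server step 2: the nonce must be one we issued and not yet spent,
    and the proof must match what our stored hash produces for that nonce."""
    nonce = params.get("nonce")
    if nonce not in _issued_nonces:
        return False
    _issued_nonces.discard(nonce)   # single use: a replayed request fails here
    stored = USERS.get(params.get("j_username"))
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("proof", ""))


def demo() -> tuple:
    """Same request presented twice under each scheme: (static 1st, static 2nd, nonce 1st, nonce 2nd)."""
    captured = {"j_username": "kermit", "hash": USERS["kermit"]}
    static_first, static_again = check_hash_login(captured), check_hash_login(captured)
    signed = client_sign("kermit", USERS["kermit"], issue_nonce())
    nonce_first, nonce_again = check_nonce_login(signed), check_nonce_login(signed)
    return static_first, static_again, nonce_first, nonce_again
```

Note that the client side of the nonce scheme still holds the password hash as its secret, which is why Owen's advice to keep the master credentials on the server applies to both schemes.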
johnjohn123
If I understand you well, do you mean that the current JSON API authentication method is not secure enough?
Owen Ong
Hi John,
That depends on the use case. The reason we introduced Master Login is for API calls in which no actual user is involved.
Example: in a scheduler, kick-starting a scheduled process for a user.
The master login should not be used in JavaScript, because it will be disclosed to the end user. It is for server-side processing only. If you plan to call the JSON API using JavaScript, you are encouraged to log in the user with their actual username and hashed password.
Hope this is clear. :)
Best regards.
johnjohn123
Thanks a lot for your reply, and I would appreciate it if you could answer my 4 concerns below:
First concern:
Do you mean that I should NOT use any of the below parameters in the API call if I am doing the API call using JavaScript:
1. j_username=kermit
2. hash=9449B5ABCFA9AFDA36B801351ED3DF66
3. loginAs=john
Since I will be exposing both the master login info (username & password) and also the loginAs info (username)??
Second concern:
Calling the API using the following URL "/jw/web/json/workflow/process/start/testcall?j_username=kermit&hash=9449B5ABCFA9AFDA36B801351ED3DF66&loginAs=john" will be secure as long as I am calling the API from the server and not from the client side using JavaScript (as I am currently doing)?
Third concern:
If I use SSL, will it still be secure to call the API using JavaScript?
Fourth concern:
I read the link regarding the Hashed Password, but I cannot understand where & how I will write the Java class to do the hash for the loginAs parameter in my case? And in my case I am calling the Joget API from an ASP.NET web application, so how will I hash the usernames from my ASP.NET web application?
Best Regards
ardi priasa
I think you can create a plugin that implements PluginWebSupport,
and put this code:
import org.springframework.context.ApplicationContext;
import org.joget.apps.app.service.AppUtil;
import org.joget.workflow.model.service.WorkflowManager;
// Inside the plugin's webService() method: look up the WorkflowManager bean and start the process
ApplicationContext ac = AppUtil.getApplicationContext();
WorkflowManager workflowManager = (WorkflowManager) ac.getBean("workflowManager");
workflowManager.processStart(processDefinitionName); // processDefinitionName: id of the process definition to start
...
then use the URL
localhost:8080/jw/web/json/plugin/org.joget.plugin.PluginName/service
So you don't need to put your username and hashed password.