Credential Viewer Application
The credential view application provides a mechanism by which a client can retrieve details associated with their authenticated credential.
This application allows a user to see all of the attributes associated with their credential, which could potentially include sensitive information. An administrator should therefore enable this application only on systems which require this capability, and should ensure that the ACL which protects this application is appropriately restrictive on access.
To enable the credential view application, a configuration entry for the application, used to map the application to a specific URI, must be added to the [local-apps] stanza. See [local-apps] stanza. The supplied URI should define a single path segment. In other words, it must not include a '/' character and will be relative to the root of the local junction.
Examples
[local-apps]
cred-viewer = creds
cred-viewer = ivcreds
In the above configuration example the credential view application is enabled and mapped to the creds path segment. If the local junction has a path of '/', which is the standard local junction path in a WebSEAL environment, the credential viewer application can be accessed at the following URL:
http[s]://<webseal-host>:<webseal-port>/creds
http[s]://<webseal-host>:<webseal-port>/ivcreds
For example,
https://www.ibm.com/creds
https://www.ibm.com/ivcreds
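The single-path-segment rule and the advice to review the protecting ACL can be checked mechanically. The following Python script is an added example, not IBM code: it reads a constructed configuration fragment, lists every cred-viewer mapping with the path it exposes under the local junction, and flags values that contain a '/'. The function names, the local_junction parameter and the treatment of '#' lines as comments are assumptions of this example.

```python
import re

# Constructed sample configuration fragment (not taken from a real system).
SAMPLE_CONF = """\
# constructed sample
[local-apps]
cred-viewer = creds
cred-viewer = iv/creds
"""

def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}, keeping repeated keys in order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas

def audit_cred_viewer(text, local_junction="/"):
    """Report each cred-viewer mapping, its validity and the path it exposes."""
    findings = []
    for key, value in parse_stanzas(text).get("local-apps", []):
        if key != "cred-viewer":
            continue
        # The URI must be a single path segment: non-empty and without '/'.
        valid = bool(value) and "/" not in value
        path = local_junction.rstrip("/") + "/" + value if valid else None
        findings.append({"uri": value, "valid": valid, "path": path})
    return findings

if __name__ == "__main__":
    for item in audit_cred_viewer(SAMPLE_CONF):
        if item["valid"]:
            print(f"cred-viewer enabled at {item['path']}: review the ACL on this path")
        else:
            print(f"cred-viewer URI {item['uri']!r} is not a single path segment")
```

An empty result means the application is not enabled in the inspected configuration.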
Response Types
The application is capable of returning the credential attributes of the current session, formatted as a JSON response, or it can return a static HTML file used to render the JSON data. The 'Accept' header of the request is used to determine the type of response generated by the application. If an Accept header of 'application/json' is specified the response will contain the JSON representation of the user credential, otherwise the static HTML file will be returned.
The generation of the static HTML file can be enabled/disabled by modifying the [cred-viewer-app] enable-embedded-html configuration entry. See [cred-viewer-app] stanza. The static HTML file itself cannot be modified. If a different response is required, the embedded HTML file should be disabled and a new HTML file should be written to handle the rendering of the JSON data. The embedded HTML file can be viewed and used as a starting point for this new HTML file. The new HTML file could potentially be hosted on the WebSEAL local junction, or on a separate junctioned server.
API Definition
A single API is provided by the credential view application:
- Method:
  - GET
- Request Headers:
  - Accept: application/json
    - Required for requests to this service as the response data will be provided in JSON format.
- Response Code
  - 200
    - The request was successful.
    - Response Body
      - A JSON object containing name/value pairs which correspond to the attributes associated with the user credential.
    - Response Example
      {
        "AUTHENTICATION_LEVEL":"1",
        "AZN_CRED_AUTHNMECH_INFO":"LDAP Registry",
        "AZN_CRED_AUTHZN_ID":"cn=SecurityMaster,secAuthority=Default",
        "AZN_CRED_AUTH_EPOCH_TIME":"1563144801",
        "AZN_CRED_AUTH_METHOD":"password",
        "AZN_CRED_BROWSER_INFO":"curl/7.54.0",
        "AZN_CRED_GROUPS":[
          "SecurityGroup",
          "ivmgrd-servers",
          "iv-admin",
          "secmgrd-servers"
        ],
        "AZN_CRED_GROUP_REGISTRY_IDS":[
          "cn=SecurityGroup,secAuthority=Default",
          "cn=ivmgrd-servers,cn=SecurityGroups,secAuthority=Default",
          "cn=iv-admin,cn=SecurityGroups,secAuthority=Default",
          "cn=secmgrd-servers,cn=SecurityGroups,secAuthority=Default"
        ],
        "AZN_CRED_GROUP_UUIDS":[
          "1bcda68a-9df3-11e9-90c5-000c29b240c4",
          "1bd2b5a8-9df3-11e9-90c5-000c29b240c4",
          "1bd32f38-9df3-11e9-90c5-000c29b240c4",
          "1bd3b700-9df3-11e9-90c5-000c29b240c4"
        ],
        "AZN_CRED_IP_FAMILY":"AF_INET",
        "AZN_CRED_MECH_ID":"IV_LDAP_V3.0",
        "AZN_CRED_NETWORK_ADDRESS_BIN":"0x0afb8c01",
        "AZN_CRED_NETWORK_ADDRESS_STR":"10.251.140.1",
        "AZN_CRED_PRINCIPAL_DOMAIN":"Default",
        "AZN_CRED_PRINCIPAL_NAME":"sec_master",
        "AZN_CRED_PRINCIPAL_UUID":"1bcf9d1e-9df3-11e9-90c5-000c29b240c4",
        "AZN_CRED_QOP_INFO":"SSK: TLSV12: 9C",
        "AZN_CRED_REGISTRY_ID":"cn=SecurityMaster,secAuthority=Default",
        "AZN_CRED_USER_INFO":"",
        "AZN_CRED_VERSION":"0x00000908",
        "tagvalue_login_user_name":"sec_master",
        "tagvalue_max_concurrent_web_sessions":"unlimited",
        "tagvalue_session_index":"2da54972-a68a-11e9-9e54-000c29b240c4"
      }
  - 400
    - An issue was encountered which prevented the application from generating a valid response.
    - Response Body
      - error_code
        - A code which can be used to identify the error. This code will correspond to an ISAM error code.
      - error_description
        - A textual description of the error.
    - Response Example
      {
        "error_code":953091113,
        "error_description":"Method Not Allowed"
      }