REST service and passing Passwords

rocketman

I have a BS (BS1)consuming REST services and some BS (BS2-12) exposing web services and I'm 90% there with my functionality but have hit a big waal that I don't know how to get round.

A senior member from any of the BS's 2- 12 will log in to BS1 as a guest and enter some details (Club ID, user name at his club and the password he uses at his club which is stored encrypted in a standard password attribute. So I want to pass his userName and password from BS1 to lets say BS2 so that BS1 can verify his /her identity by searching for a username and password match before proceeding to set up their national account on BS1. There's some other stuff BS2 will pass back like is the person the Chief Flying Instructor or just a mere mortal pilot - All of which is working EXCEPT when I add in the password match. At that point it fails. The log shows the following (sorry - I still don't know how to add a screenshot after all these years.)

[timestamp] Evaluating rule 'check the password' IF CFI_Validate_Reply.PW=Members.Password THEN
[timestamp] null null Evaluating condition CFI_Validate_reply.PW=Members.Password
[timestamp] null null condition evaluated to false: @@BAS_PASSWORD@@=
[timestamp] [BUSINESS SPACE] Started external request executeQuery
[timestamp] [BUSINESS SPACE] Finished external request executeQuery

Any help much appreciated. I'm thinking maybe unencrypt at one end then re-encrypt at the other. A bit out of my depth with encrypted password, or maybe I could mask the entry on BS1 when the visitor signs up but not actually have it stored as a password? - is that even possible?

joben

Just to add some clarifications about passwords.
They are stored hashed in the database. This is not the same as encrypted since it is impossible to decrypt these values.
Authentication works by entering a password, letting the Aware IM hashing algorithm convert this into a hash, then compare it against the stored hash in the database. If it matches, you will be logged in. The hashed value can never be converted back into a plain-text password.

There is a function called PWD_ENCRYPT that you can use in AwareIM. This could be the right way forward, but I don't know.
It is mentioned in this thread: I need to authenticate a user from OUTSIDE of Aware, against his Aware password

BobK

Here is a possible solution:

Set up the BS2.RegularUser BO in BS1 as an external table.
When the senior member accesses BS1, compare the user name and password he enters with the data in the external table. If a match is found, call the REST service to get the other needed data from BS2.

Note: on the external RegularUser BO, AwareIM changes attribute names LoginName and Password to EXT_LoginName and EXT_Password

This could get complicated if you need to do this for 11 BSs, but it should work.

rocketman

OK - thanks for all suggestions. Here's what I've temporarily ended up doing.
BS1 does a "Display URL" [My Doman name:8443/AwareIM/logonOp.aw?domain=[one of BS2-12]&startCommand=('Somecommand")

This logs them out of and BSV but forces the user to then ;log into their home club BSV and requires userName and Password.
the process Somecommand then generates a random string which it sores in the user's account record before displaying it on screen with instructions to copy to clipboard
Finally that process passes the user back to BS1 (where they are required to log in again) and the first page they hit requests them to paste their clipboard contents into the secret key field. Once entered, the secret field is never seen again.

I will probable refine this before going live by exposing a service on BS1 so the secret key and user Name can be passed back automatically, reducing the need for the "paste" (and so the secret keys are never shown) Once the keys are in place, I can then validate future calls from BS1 using the secret key rather than the user's password