Credential Viewer Application

The credential viewer application provides a mechanism by which a client can retrieve details associated with their authenticated credential.

Security Considerations

This application allows a user to see all of the attributes associated with their credential, which could potentially include sensitive information. An administrator should therefore enable this application only on systems which require this capability, and should ensure that the ACL which protects the application restricts access appropriately.

Configuration

To enable the credential viewer application, a configuration entry for the application, used to map the application to a specific URI, must be added to the [local-apps] stanza. See [local-apps] stanza. The supplied URI should define a single path segment. In other words, it must not include a '/' character and will be relative to the root of the local junction.
[local-apps]
cred-viewer = creds
In the above configuration example the credential viewer application is enabled and mapped to the creds path segment. If the local junction has a path of '/', which is the standard local junction path in a WebSEAL environment, the credential viewer application can be accessed at the following URL:
http[s]://<webseal-host>:<webseal-port>/creds
For example,
https://www.ibm.com/creds

Response Types

The application is capable of returning the credential attributes of the current session, formatted as a JSON response, or it can return a static HTML file which is used to render the JSON data. The 'Accept' header of the request is used to determine the type of response generated by the application. If an Accept header of 'application/json' is specified the response will contain the JSON representation of the user credential, otherwise the static HTML file will be returned.

The generation of the static HTML file can be enabled or disabled by modifying the [cred-viewer-app] enable-embedded-html configuration entry. See [cred-viewer-app] stanza. The static HTML file itself cannot be modified. If a different response is required, the embedded HTML file should be disabled and a new HTML file should be written to handle the rendering of the JSON data. The embedded HTML file can be viewed and used as a starting point for this new HTML file. The new HTML file could potentially be hosted on the WebSEAL local junction, or on a separate junctioned server.

API Definition

A single API is provided by the credential viewer application:
Method:
GET
Request Headers:
Accept: application/json
Required for requests to this service as the response data will be provided in JSON format.
Response Code
200
The request was successful.
Response Body
A JSON object containing name/value pairs which correspond to the attributes associated with the user credential.
Response Example

{  
  "AUTHENTICATION_LEVEL":"1",
  "AZN_CRED_AUTHNMECH_INFO":"LDAP Registry",
  "AZN_CRED_AUTHZN_ID":"cn=SecurityMaster,secAuthority=Default",
  "AZN_CRED_AUTH_EPOCH_TIME":"1563144801",
  "AZN_CRED_AUTH_METHOD":"password",
  "AZN_CRED_BROWSER_INFO":"curl/7.54.0",
  "AZN_CRED_GROUPS":[  
     "SecurityGroup",
     "ivmgrd-servers",
     "iv-admin",
     "secmgrd-servers"
  ],
  "AZN_CRED_GROUP_REGISTRY_IDS":[  
     "cn=SecurityGroup,secAuthority=Default",
     "cn=ivmgrd-servers,cn=SecurityGroups,secAuthority=Default",
     "cn=iv-admin,cn=SecurityGroups,secAuthority=Default",
     "cn=secmgrd-servers,cn=SecurityGroups,secAuthority=Default"
  ],
  "AZN_CRED_GROUP_UUIDS":[  
     "1bcda68a-9df3-11e9-90c5-000c29b240c4",
     "1bd2b5a8-9df3-11e9-90c5-000c29b240c4",
     "1bd32f38-9df3-11e9-90c5-000c29b240c4",
     "1bd3b700-9df3-11e9-90c5-000c29b240c4"
  ],
  "AZN_CRED_IP_FAMILY":"AF_INET",
  "AZN_CRED_MECH_ID":"IV_LDAP_V3.0",
  "AZN_CRED_NETWORK_ADDRESS_BIN":"0x0afb8c01",
  "AZN_CRED_NETWORK_ADDRESS_STR":"10.251.140.1",
  "AZN_CRED_PRINCIPAL_DOMAIN":"Default",
  "AZN_CRED_PRINCIPAL_NAME":"sec_master",
  "AZN_CRED_PRINCIPAL_UUID":"1bcf9d1e-9df3-11e9-90c5-000c29b240c4",
  "AZN_CRED_QOP_INFO":"SSK: TLSV12: 9C",
  "AZN_CRED_REGISTRY_ID":"cn=SecurityMaster,secAuthority=Default",
  "AZN_CRED_USER_INFO":"",
  "AZN_CRED_VERSION":"0x00000908",
  "tagvalue_login_user_name":"sec_master",
  "tagvalue_max_concurrent_web_sessions":"unlimited",
  "tagvalue_session_index":"2da54972-a68a-11e9-9e54-000c29b240c4"
}
400
An issue was encountered which prevented the application from generating a valid response.
Response Body
error_code
A code which can be used to identify the error. This code will correspond to an IBM Security Verify Access error code.
error_description
A textual description of the error.
Response Example

{
    "error_code":953091113,
    "error_description":"Method Not Allowed"
}
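
The following is an added example, not part of the product documentation: a client-side handler for the two documented responses that also builds a copy of the credential suitable for logging, in line with the Security Considerations above. The function names and the set of attributes treated as sensitive are assumptions; the sample bodies are trimmed from the response examples on this page.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Assumption: attributes treated as sensitive when logging; adjust to local policy.
REDACT = {"tagvalue_session_index", "AZN_CRED_NETWORK_ADDRESS_BIN",
          "AZN_CRED_NETWORK_ADDRESS_STR", "AZN_CRED_BROWSER_INFO"}

class CredViewerError(Exception):
    """The documented 400 response: error_code plus error_description."""
    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code, self.description = code, description

def parse_response(status, body):
    """Return the credential attributes for a 200; raise on a 400 or anything else."""
    data = json.loads(body)
    if status == 400:
        raise CredViewerError(data.get("error_code"), data.get("error_description"))
    if status != 200 or not isinstance(data, dict):
        raise ValueError(f"unexpected credential viewer response: HTTP {status}")
    return data

def summarize(cred):
    """Derive typed fields and a copy of the credential that is safe to log."""
    auth_time = datetime.fromtimestamp(int(cred["AZN_CRED_AUTH_EPOCH_TIME"]), tz=timezone.utc)
    # The hex and dotted forms of the client address should agree (AF_INET case).
    addr = ipaddress.ip_address(int(cred["AZN_CRED_NETWORK_ADDRESS_BIN"], 16))
    safe = {k: ("<redacted>" if k in REDACT else v) for k, v in cred.items()}
    return {"principal": cred["AZN_CRED_PRINCIPAL_NAME"],
            "groups": list(cred.get("AZN_CRED_GROUPS", [])),
            "auth_time": auth_time,
            "address_consistent": str(addr) == cred["AZN_CRED_NETWORK_ADDRESS_STR"],
            "log_safe": safe}

# Sample bodies trimmed from the response examples on this page.
SAMPLE_OK = json.dumps({
    "AZN_CRED_AUTH_EPOCH_TIME": "1563144801",
    "AZN_CRED_AUTH_METHOD": "password",
    "AZN_CRED_GROUPS": ["SecurityGroup", "iv-admin"],
    "AZN_CRED_NETWORK_ADDRESS_BIN": "0x0afb8c01",
    "AZN_CRED_NETWORK_ADDRESS_STR": "10.251.140.1",
    "AZN_CRED_PRINCIPAL_NAME": "sec_master",
    "tagvalue_session_index": "2da54972-a68a-11e9-9e54-000c29b240c4"})
SAMPLE_ERR = '{"error_code":953091113,"error_description":"Method Not Allowed"}'

if __name__ == "__main__":
    print(summarize(parse_response(200, SAMPLE_OK))["log_safe"])
```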