Trusted Authentification + REST API: how to make it secure ?

Hi,

I’m starting to play around with the Trusted Authentification functionality in the CMC.
I managed to set it up.

Now I am using the REST API to refresh reports on behalf of other users ( /login/trusted).
In order to make it work, I followed https://launchpad.support.sap.com/#/notes/0002437493 and copied the Trusted conf in “C:/Program Files (x86)/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/java/pjs/container/bin”

But by enabling this, I am afraid of the security fallouts :
Now , if I understand correctly, anyone who can access the API can now log on as any other user (not just my program).

How can I make it secure and prevent anyone else from using /login/trusted ?


guigui42 (BOB member since 2014-06-12)

Trusted Authentication is very risky, mostly due to that particular exposure. One way I can think of to mitigate that risk is to create a separate, dedicated WACS on a different port, configure that WACS for Trusted Auth, and create a firewall rule on the server that only allows access to that port from the machine that your program will be running on. Not perfect, but it will limit the exposure somewhat.


joepeters :us: (BOB member since 2002-08-29)

thanks


guigui42 (BOB member since 2014-06-12)