Question
JPMC
US
Last activity: 23 May 2016 9:52 EDT
pega.getAuthenticationHandle().performAuthentication() doesn't work as expected after upgrade
Hi All - We recently upgraded to 7.1.9 from 7.1.5 and now pega.getAuthenticationHandle().performAuthentication() method is always returning true.
We have an existing REST service which accepts credentials in the POST method body, and in the service activity we are trying to authenticate the user, which is always returning true whether the user id is correct or not and whether the password is correct or not. The same service is working as expected in the environment where we didn't upgrade yet.
I also tried using Authentication (BASIC - Use TLS/SSL (REST only)) at the service package level after the upgrade as an alternative to the above approach, to have authentication at the service level, but it didn't work and I kept getting a 401 - Authenticated error from the Mozilla REST client, as shown below:
- Status Code: 401 Unauthorized
- Content-Length: 1468
- Content-Type: text/html; charset=UTF-8
- Date: Sun, 13 Mar 2016 00:51:18 GMT
- WWW-Authenticate: Basic realm="PegaRULES"
- X-Powered-By: Servlet/2.5 JSP/2.1
Could someone let me know if something changed regarding pega.getAuthenticationHandle().performAuthentication() API in 7.1.9 and if not supported now then I will try to debug more about authentication at service package level.
Accepted Solution
Pegasystems Inc.
US
Upon reviewing the corresponding SR, we see that it has been resolved. SA-23383 was created as a result of the investigation. Please reference that if you have the same question.
Pegasystems Inc.
US
Can you enable the debug log: com.pega.pegarules.integration.engine.internal.services.http.HTTPService and share the debug log?
JPMC
US
Thank you Kevin Zheng!! I sent you a message with log details; I could not post here as it has some sensitive information. Please let me know if it gives you some clue on the issue. The log entries which I sent you are from when I tried hitting my REST service from the REST client with credentials in the message POST body.
Pegasystems Inc.
US
I do not see any 401 in the log. I wonder if the behavior is the same if you use the SoapUI tool. If that is the case, this may be related to some other components other than Pega. Are you using a load balancer URL? Is any web server involved? From the log, it appears that you are running F5 with WebLogic? If you can provide some details regarding your env topology, that would help.
JPMC
US
Thanks Kevin Zheng for your response! The logs I provided you were for the existing REST service where we are authenticating the user id using the pega.getAuthenticationHandle().performAuthentication() method in the REST service activity, using attributes received in the POST method body.
I get the 401 error when I try to enable authentication at the service package level as an alternative to my existing approach mentioned above using the performAuthentication API.
Pegasystems Inc.
US
I see. To confirm if there is a potential defect or not, simply write a simple Java step to call the API with a hard-coded user/password in both the 7.1.9 and 7.1.5 envs. If the behavior is still the same, then open an SR with GCS to further investigate.
JPMC
US
Hi Kevin Zheng - I already tested it, and as I already mentioned in my original post, the same service is working fine from an authentication perspective in the environments where we did not upgrade till now. So do you think this issue is a potential bug? One more thing: after the upgrade we changed the password hashing algorithm from the default MD5 to SHA-512. Do you think this has anything to do with the issue which I am facing?
Pegasystems Inc.
US
It could be related. What exactly did you change (similar to this link: https://pdn.pega.com/about-password-hashing)? A simple test would be to test an OOTB 7.1.9 system for the same use case.
JPMC
US
I just changed the value for crypto/onewayhashalgorithm/default DSS to SHA-512
JPMC
US
Hi - Sorry for the delayed response! Did someone face this issue? If so, please provide your findings.
JPMC
US
Hi Kevin Zheng and Eric Osman - I am still facing this issue. I searched on PDN and found the https://collaborate.pega.com/comment/139716 article, which is nothing but another KA from a Mesh question. I wanted to check if I need to raise an SR for my issue because, as per the PDN article (https://collaborate.pega.com/comment/139716), there have been some changes in Pega authentication APIs in 7.1.7 and later releases, due to a fix installed to protect the system from Trojan Horse attacks.
Pegasystems Inc.
US
Thanks Dhirendra! I've updated your original post to have the SR included!