AnsweredAssumed Answered

Web services authorizations

Question asked by Steve Alexandre on Aug 16, 2018
Latest reply on Aug 16, 2018 by Mostafa Helmy
  • Comment3

Hello everyone,

 

We are using web services available on RSA IGL to do some interractions with it like getting some informations of review but I missunderstood something ...

 

we should normally use in first step the loginUser to get the token needed to interract with the API but when i'm checking some of interfaces available on the web services, a lot of them does not need the token to be necessary for using them. If I try for example to use findUsers without the token, I get the result with users.

 

1) Why I can query the API without the token ?

2) It is possible to set as "needed", the token for calling them ?

 

Thanks for your help.

Mostafa Helmy
Mostafa Helmy Employee Aug 16, 2018 8:18 AM
Correct Answer

Hi Steve,

 

There are two authorization types for our webservices:

 

  1. Token authorization: which uses a token generated from loginUser web service.
  2. Whitelist IP: This is where you can specify a certain list of IP addresses that can issue web service calls without a token.

 

In your case, either you are calling the web service from a whitelisted IP address or you are allowing all connections (which is not recommended as per Security best practices). You can verify your settings from Admin > Web Services > List of IPs allowed to invoke web services.

 

Here is an example from my lab where I did not restrict any IP address in the White list, which means anyone can call any webservice without a token. By default you should keep this as 127.0.0.1 (localhost).

See the reply in context
No one else had this question

Outcomes