Test Secure REST services with Chrome Browser Plugin

Most of us test REST services with Advanced Rest Client or Postman, either to try them out or to debug an issue.

But if the REST services are protected by PingAccess, SiteMinder or a similar tool, we get a login page instead, and have to copy the browser cookies into the request by hand to get past it.

There is another way to do that.

If you are using Advanced Rest Client (https://advancedrestclient.com), you can use the ARC cookie exchange plugin. This plugin lets ARC retrieve the browser's cookies and send them with the request.

If you are using Postman (https://www.getpostman.com), you can use Postman Interceptor. The Interceptor plugin lets Postman reuse the browser's cookies for each service call.

PingAccess vs PingFederate

PingAccess is a policy server, so it handles authorization requests, and we can implement all kinds of business logic in it to validate and authorize those requests.

PingFederate is a federation server, so it knows how to authenticate the user and grant access to a particular resource.

PingAccess provides a way to manage our web applications and APIs securely. It can be used along with PingFederate; otherwise we have to implement our own authentication and authorization logic. You can refer to the diagram available at https://www.pingidentity.com/en/products/pingaccess.html

We have three protocols under the identity management category.

SAML – Security Assertion Markup Language
OpenID
OAuth (Open Authorization)

SAML facilitates both authentication and authorization, OpenID is used mainly for authentication, and OAuth is for authorization alone.

So PingAccess internally uses OpenID for authentication and also leverages the PingFederate server, which internally uses OAuth or SAML for authentication.

I have used CA SiteMinder SAML federation and also PingAccess in the past. I assume that using PingAccess is somewhat easier compared to SiteMinder.

Please feel free to add your comments if I misstated anything.

Excel – PingAccess hyperlink redirect issue

Most of you have probably hit an error if you embedded an authentication-enabled hyperlink in an Excel file (https://support.microsoft.com/en-us/kb/218153).

I have also hit the same issue in my REST application. My REST application generates a report in Excel format which contains a hyperlink to view other information; that information is updated dynamically multiple times a day and is served by another REST service. So the user has to click that link to view more content, and has to authenticate before proceeding. We use PingAccess to authenticate the user. So once the user clicks the link, a login page is shown, and upon entering valid credentials he/she lands on the more-information service.

The flow is:
Excel ==> Login Page ==> Target Service

As we know, Excel does not follow the browser redirect, hence it does not open the target page.

We followed the approach below to resolve this issue. I hope it also helps others.

1. I created a redirect REST service which takes the service URI. If you look carefully, you can see that the service below takes the serviceUri, substitutes it into the REDIRECT_CONTENT string and returns the whole HTML page to the browser.

For example:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/service/redirect")
public class RedirectService {

        // HTML page whose META refresh sends the browser on to the target service.
        // The template has two %s placeholders: the title and the URL.
        private static final String REDIRECT_CONTENT = "<html><head> <title>%s</title> <meta http-equiv=\"refresh\" content=\"0;URL='%s'\" /></head> <body> <p>Redirecting</p></body></html>";

        @GET
        @Produces(MediaType.TEXT_HTML)
        public Response redirect(@QueryParam("serviceUri") String serviceUri) {
            // serviceUri is placed into the page unescaped and this endpoint runs without
            // authentication (step 3), so restrict what it may contain before going live.
            return Response.status(200).entity(String.format(REDIRECT_CONTENT, serviceUri, serviceUri)).build();
        }
}

2. The next step is to embed the redirect service URL in the Excel report instead of the actual target service URL, passing the actual service URL as a query parameter. Assume that the hyperlink is the redirect service URL (/service/redirect) with the actual target, /service/content/1234234, passed in the serviceUri query parameter.

Assume that 1234234 is a unique id; in this case it is a content id.

3. Change the PingAccess configuration to disable authentication for this service (/service/redirect).

That’s it. We are done. So when the user clicks the link from Excel, it just opens a browser window that shows nothing, but in the background the META refresh redirects the user to /service/content/1234234. As that service is authentication-enabled, it shows the login page, and upon entering the login credentials it takes you to the target page.
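Because step 3 leaves /service/redirect unauthenticated and step 1 places serviceUri into the page unescaped, the endpoint will send a browser to any URL it is handed. The following is an added example, not the original post's code: a plain-JDK helper that accepts only a same-origin path under an assumed allow-listed prefix (/service/content/, hypothetical) and HTML-escapes it before building the same META refresh page; the JAX-RS resource would call buildPage and answer 400 when it returns null.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SafeRedirectPage {

    // Assumed allow-list: the only service the Excel report links to (hypothetical prefix).
    private static final String ALLOWED_PREFIX = "/service/content/";

    private static final String REDIRECT_CONTENT =
        "<html><head><title>Redirecting</title>"
        + "<meta http-equiv=\"refresh\" content=\"0;URL='%s'\" /></head>"
        + "<body><p>Redirecting</p></body></html>";

    /** Returns the same-origin target for serviceUri, or null when it must be refused. */
    public static String validateTarget(String serviceUri) {
        if (serviceUri == null || serviceUri.isEmpty()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(serviceUri).normalize(); // collapses "/service/content/../x"
        } catch (URISyntaxException e) {
            return null; // backslashes, spaces, quotes and the like are rejected here
        }
        // A scheme ("https://...") or an authority ("//evil.example") leaves this origin.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return null;
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith(ALLOWED_PREFIX)) {
            return null;
        }
        return uri.getRawQuery() == null ? path : path + "?" + uri.getRawQuery();
    }

    /** HTML-escapes the target before it is placed inside the meta refresh attribute. */
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /** Builds the redirect page, or returns null so the caller can answer 400 Bad Request. */
    public static String buildPage(String serviceUri) {
        String target = validateTarget(serviceUri);
        return target == null ? null : String.format(REDIRECT_CONTENT, escapeHtml(target));
    }

    public static void main(String[] args) {
        System.out.println(buildPage("/service/content/1234234"));    // the redirect page
        System.out.println(buildPage("https://evil.example/login"));   // null: absolute URL
        System.out.println(buildPage("//evil.example/login"));         // null: protocol-relative
        System.out.println(buildPage("/service/content/../../admin")); // null: normalises to /admin
    }
}
```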