5 Replies Latest reply on Nov 16, 2016 8:40 AM by jacekgra RSS
    jacekgra Apprentice

    Java Edge SDK Agent problem with Windchill Extension SSO

    I have a big problem with running Java edge SDK agent when I am enabling Windchill filter on Tomcat (for SSO).

    When I remove the filter the agent is able to connect, so the filter is blocking the agent from working.

     

    Any hints? I am preety sure this is common problem

     

    EDIT:

    I am using Thingworx 7.1  and Windchill extension 1.3.0, but the problem was reproducible on older versions also.

      • Re: Java Edge SDK Agent problem with Windchill Extension SSO
        mneumann Creator

        When the Tomcat filter is enabled for the Windchill extension, it will contact Windchill for authentication (via a special URL).

        So if you're trying to connect your Edge SDK agent the credentials might be verified by Windchill and it's LDAP (Windchill DS) instead of ThingWorx.

        As soon as you remove the filter, the ThingWorx authentication is back in the game to verify the credentials.

         

        Are you authenticating with a AppKey or with username / password?

          • Re: Java Edge SDK Agent problem with Windchill Extension SSO
            jacekgra Apprentice

            This is something I am aware of. But normally Tomcat filter should be skipped when appKey is present in the request or parameter (I've decompilled the filter code and it works as expected).

             

            I am authentication with the appKey in "normal" Java SDK way (in ClientConfigurator):

             

            @PostConstruct
            private void configure() {

               this.setUri(thingworxWsUrl);
              this.setAppKey(thingworxAppKey);
              this.ignoreSSLErrors(ignoreSSLErrors);
            }

             

            In other words - I am using setAppKey method on ClientConfigurator object which I use for the conectivity afterwards.

            I was not involved in Java SDK development so I do not know how exactly the SDK is treating the appKey when establishing websocket connection, but definatelly its working OK.

             

            The problem is related to the filter implementation/configuration itself and I am wondering whether anybody has faced this issue (I've heard that it's possible that ticket to Thingworx R&D was opened for this).

              • Re: Java Edge SDK Agent problem with Windchill Extension SSO
                mneumann Creator

                Looking at the code it indeed checks for using an AppKey or "normal" authentication.

                So whenever you're connecting via an AppKey the whole mechanism (authenticating via Windchill as setup by the Tomcat filter) will be bypassed.

                 

                There seems to be some logging that could help out here.

                I'll check if and how we can utilize it to bring the issue to R&D's attention.

            • Re: Java Edge SDK Agent problem with Windchill Extension SSO
              yevans Explorer

              Did you ever figure this out? I am having a similar issue, trying to let terminals on the shop floor open a mashup using an appkey, but even using the URL with the appkey specified, and x-thingworx-session set to true. they still get prompted for authentication.

               

              Thanks,

              Yale

              • Re: Java Edge SDK Agent problem with Windchill Extension SSO
                jacekgra Apprentice

                Unfortunatelly not, I had to disable Windchill SSO. I think that the problem is raised with Thingworx R&D.

                 

                The only solution is to write own Tomcat filter which will bypass redirection to Windchill if the request contains appKey (so normally you can have SSO with Windchill, but devices which are using appKey can be authorized with normal appKey Thingworx authenticator).