
Access to mashup without logging - but without appKey

ZbigniewK
12-Amethyst

I need to make an application where logging is a blocker.
Yes, I know, cybersecurity - but risk analysis shows logging is not necessary. It must be a common-use interface, where the most important thing for us is that EVERYBODY can use this interface, just a simple interface where the user is requested to click & go to report some circumstances (and we do not need to know who that was).
Yes, I know I can use appKey and add it to the link - so it's like
server/Thingworx/Runtime?appKey=<...>&x-thingworx-session=true#mashup=MUName_MU
But I found in the docs that the next version will not support this solution, appKey must be given via the POST method - so I cannot pass it via the link.
Can I somehow make the app start without requesting logging?

ACCEPTED SOLUTION

1. Thanks! That's exactly why I was curious, since I saw the "next version".

I suggest sending feedback in that article, to ask exactly when will that option be deprecated.

People have been using that capability for a long time to have a "low touch" way of accessing a mashup, without requiring an authenticator.

 

2. The Custom Authenticator is not really a complex thing to implement, just that you need to have some training in it, and I believe one day should be enough if you have some Java experience.

 

Regarding the "SIMPLE" programming: ThingWorx as a platform has lots of capabilities, but, as with any platform, I hope it is obvious we can't offer absolutely anything in the platform.

Therefore, we created the ThingWorx Extension SDK, in Java, to give people options to extend the platform capabilities as they need for their use-cases, giving access to lower-level platform capabilities than what's available in Composer.

Typically in 99% of situations, in ThingWorx there's no need to use that Extension SDK and you can use the platform capabilities, just that in this situation you need to go at a low level.

 

I personally recommend self-training or locating resources with Java knowledge, because there are situations when the systems you want to interact with can only do that via third party libraries (offered as Java JARs). What I mean is that in some situations you need to use the Extension SDK or Java, and there's no way around that. Again, to be taken as a thing to keep in mind and not reject this option automatically. This should take, again, less than 1% of your total dev time.

 

A third option that some customers use is to have ThingWorx set up in SSO mode, and there's one very specific configuration I've seen for a customer that makes it so that each time they access the ThingWorx instance, they are automatically authenticated as their Windows user (with no auth window).

 


3 REPLIES 3

Hi @ZbigniewK,

1. Can you please provide the URL of the documentation you mentioned that says the next version will not support this solution (the app-key)?

2. You can create a Custom Authenticator (documentation here) that can, in conditions you define, bypass the authentication completely. I will say this for anyone who's looking at this type of solution: make sure you really understand how it works (e.g., please experiment, don't only rely on documentation) before using it, as it has the potential to open huge holes in your ThingWorx security setup if not implemented correctly.

1. Article - CS227935 - Accessing Mashups using Application Key (appKey) Authentication in ThingWorx (ptc.com)
Ok, maybe not exactly the next version, but it is written there:

There is an insecure method for passing an Application Key to ThingWorx as a query string parameter

  • This method has been deprecated since ThingWorx 8.0 and will be removed in a future version!

2. I will read about the custom authenticator, but it does not sound like a simple solution - and my corpo chose TWX to have SIMPLE programming. If I were familiar with Java - what would I need TWX for? ;) I am afraid it's not my level of skills, also not my level of authority on the server.
Still looking for some easier solutions. 
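
Added example, not part of the thread or of PTC's documentation: the article quoted above calls the query-string appKey insecure, and one reason is that request URLs, query string included, are written to web server access logs. This Python script finds and redacts such keys in constructed log lines; the hosts, paths, key values and the case-insensitive match on the parameter name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines (common log format); all values are made up.
SAMPLE_LOG = '''\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Thingworx/Runtime?appKey=EXAMPLE-KEY-1&x-thingworx-session=true HTTP/1.1" 200 5120
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "POST /Thingworx/Things/Report_TH/Services/Submit HTTP/1.1" 200 64
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /Thingworx/Runtime?x-thingworx-session=true&%61ppKey=EXAMPLE-KEY-2 HTTP/1.1" 200 5120
'''

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (target_with_key_redacted, leaked) for one request target."""
    parts = urlsplit(target)
    leaked = False
    cleaned = []
    # parse_qsl percent-decodes names, so "%61ppKey" is seen as "appKey";
    # a plain text search for "appKey=" would miss that line.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "appkey":  # assumption: match regardless of case
            leaked = True
            value = "REDACTED"
        cleaned.append((name, value))
    if not leaked:
        return target, False
    return parts._replace(query=urlencode(cleaned)).geturl(), True


def scan(log_text):
    """Return (line numbers that carried a key, log text with keys redacted)."""
    findings, out = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            new_target, leaked = redact_target(m.group("target"))
            if leaked:
                findings.append(lineno)
                line = line[:m.start("target")] + new_target + line[m.end("target"):]
        out.append(line)
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, redacted = scan(SAMPLE_LOG)
    print("lines exposing an appKey:", hits)
    print(redacted)
```

Any key found this way should be treated as exposed and rotated, since the log file and anything that copies it already hold the value.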
 
