cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - When posting, your subject should be specific and summarize your question. Here are some additional tips on asking a great question. X

Access to mashup without logging - but without appKey

Go to solution
ZbigniewK
10-Marble
10-Marble
‎Sep 05, 2023 03:44 AM
‎Sep 05, 2023 03:44 AM

Access to mashup without logging - but without appKey

I need to make application where logging is a blocker. 
Yes, I know, cybersecurity - but risk analyses shows, logging is not necessary. That must be common use interface, where most important for us is EVERYBODY can use this interface, just simple interface where user is requested to click & go to report some circumstances (and we do not need to know who was that). 
Yes, I know I can use appKey and add it to link - so it's like 
server/Thingworx/Runtime?appKey=<...>&x-thingworx-session=true#mashup=MUName_MU
But I found in docu, that next version will not support this solution, appKey must be given via POST method - so I can not pass it via link.
Can I somehow make app starts without requesting logging? 

Labels:
0 Kudos
Notify Moderator
1 ACCEPTED SOLUTION

Accepted Solutions
VladimirRosu
18-Opal
18-Opal
(To:ZbigniewK)
‎Sep 05, 2023 08:47 AM
‎Sep 05, 2023 08:47 AM

1. Thanks! That's exactly why I was curious, since I saw the "next version".

I suggest sending feedback in that article, to ask exactly when will that option be deprecated.

People have been using that capability for a long time to have a "low touch" way of accessing a mashup, without requiring an authenticator.

 

2. The Custom Authenticator is not really a complex thing to implement, just that you need to have some training in it, and I believe one day should be enough if you have some Java experience.

 

Regarding the "SIMPLE" programming: ThingWorx as a platform has lots of capabilities, but, as with any platform, I hope it is obvious we can't offer absolutely anything in the platform.

Therefore, we created the ThingWorx Extension SDK, in Java, to give people options to extend the platform capabilities as they need for their use-cases, giving access to low-level platform capabilities than what's available in Composer.

Typically in 99% of situations, in ThingWorx there's no need to use that Extension SDK and you can use the platform capabilities, just that in this situation you need to go at a low level.

 

I personally recommend self-training or locating resources with Java knowledge, because there are situations when the systems you want to interact with can only do that via third party libraries (offered as Java JARs). What I mean is that in some situations you need to use the Extension SDK or Java, and there's no way around that. Again, to be taken as thing to keep in mind and not reject this option automatically. This should take, again, less then 1% of your total dev time.

 

A third option that some customers use, is to have ThingWorx setup in SSO mode, and there's one very specific configuration I've seen for customer that makes that each time when they access ThingWorx instance, they are automatically authenticated as their Windows user (with no auth window).

 

View solution in original post

0 Kudos
Notify Moderator
3 REPLIES 3
VladimirRosu
18-Opal
18-Opal
(To:ZbigniewK)
‎Sep 05, 2023 07:23 AM
‎Sep 05, 2023 07:23 AM

Hi @ZbigniewK,

1. Can you please provide the URL of the documentation you mentioned that says the next version will not support this solution (the app-key)?

2. You can create a Custom Authenticator (documentation here) that can, in conditions you define, bypass the authentication completely. I will say this for anyone who's looking at this type of solution: make sure you really understand how it works (eg: please experiment, don't only rely on documentation) before using it, as it has the potential to open huge holes in your ThingWorx security setup if not implemented correctly.

0 Kudos
Notify Moderator
ZbigniewK
10-Marble
10-Marble
(To:VladimirRosu)
‎Sep 05, 2023 08:14 AM
‎Sep 05, 2023 08:14 AM

1. Article - CS227935 - Accessing Mashups using Application Key (appKey) Authentication in ThingWorx (ptc.com)
Ok, maybe not exactly next version, but there is writtten:

There is an insecure method for passing an Application Key to ThingWorx as a query string parameter

  • This method has been deprecated since ThingWorx 8.0 and will be removed in a future version!

2. Will read about custom authenticator, but it does not sound like simple solution - and my corpo choosed TWX to have SIMPLE programming. If I will be familiar with Java - what do I need TWX for? ;)I am afraid it's not my level of skills, also not my level on authorities on server
Still looking for some easier solutions. 
 

0 Kudos
Notify Moderator
VladimirRosu
18-Opal
18-Opal
(To:ZbigniewK)
‎Sep 05, 2023 08:47 AM
‎Sep 05, 2023 08:47 AM

1. Thanks! That's exactly why I was curious, since I saw the "next version".

I suggest sending feedback in that article, to ask exactly when will that option be deprecated.

People have been using that capability for a long time to have a "low touch" way of accessing a mashup, without requiring an authenticator.

 

2. The Custom Authenticator is not really a complex thing to implement, just that you need to have some training in it, and I believe one day should be enough if you have some Java experience.

 

Regarding the "SIMPLE" programming: ThingWorx as a platform has lots of capabilities, but, as with any platform, I hope it is obvious we can't offer absolutely anything in the platform.

Therefore, we created the ThingWorx Extension SDK, in Java, to give people options to extend the platform capabilities as they need for their use-cases, giving access to low-level platform capabilities than what's available in Composer.

Typically in 99% of situations, in ThingWorx there's no need to use that Extension SDK and you can use the platform capabilities, just that in this situation you need to go at a low level.

 

I personally recommend self-training or locating resources with Java knowledge, because there are situations when the systems you want to interact with can only do that via third party libraries (offered as Java JARs). What I mean is that in some situations you need to use the Extension SDK or Java, and there's no way around that. Again, to be taken as thing to keep in mind and not reject this option automatically. This should take, again, less then 1% of your total dev time.

 

A third option that some customers use, is to have ThingWorx setup in SSO mode, and there's one very specific configuration I've seen for customer that makes that each time when they access ThingWorx instance, they are automatically authenticated as their Windows user (with no auth window).

 

0 Kudos
Notify Moderator
Top Tags