
How to invoke service via REST in HTML?

olivierfresse
15-Moonstone


Hi,

I am trying to set up an OData connector from Thingworx to PDMLink.

Version is 11.0 for PDMLink, 8.1.5 for TX.

Navigate is installed, SSO mode with PDMLink authentication (i.e. no PingFederate).

Everything works fine in Navigate.

But I can't make the OData connector work.

 

My configuration:

No Auth (driven by SSL certificate...)

 

Sélection_023.png

 

Connection definition

 Sélection_024.png

 

Base url is https://kora.4cad.fr/Windchill/sslClientAuth

Also added 

Sélection_025.png

 

But when I try to use the "validate connection" service, I get a 403 error, and in the PDMLink log:

 

ERROR : wt.servlet.AuthBridgeServlet  - Request rejected due to lack of remote user

 

 

What am I missing?

 

regards,

 

 

ACCEPTED SOLUTION


OK, I think I understand what's going on.
PDMLink's REST API is protected against CSRF attacks, so you have to use a specific header in the request.
Only for POST requests; GET requests don't need it.

I thought that the connector's CSRF settings would do this, but it doesn't.
Sélection_012.png

I checked the network exchange with Wireshark: no CSRF token.
So it fails...
Now I need to find how to set this token, maybe in the GetCustomHeaderParameters, but I need to make a call to PDMLink to retrieve the token!
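The flow this post arrives at (fetch a nonce first, send it in the CSRF_NONCE header on POST only, and treat the "potential security problem" response as a stale nonce) is sketched below as an added example; it is not code from the thread or from PTC. The token path, the `nonce` response field, the synchronous `transport` callback and the fake server are all assumptions made so the sketch runs offline.

```javascript
// Header name and rejection text come from the thread; everything else is assumed.
const CSRF_HEADER = "CSRF_NONCE";
const CSRF_REJECTION = "A potential security problem was detected";
const TOKEN_PATH = "/hypothetical/csrf-token"; // placeholder, not a real Windchill path

// transport(req) -> {status, body} is a synchronous stand-in for the HTTP call.
function makeClient(transport) {
  let nonce = null;
  function fetchNonce() {
    const res = transport({ method: "GET", path: TOKEN_PATH, headers: {} });
    if (res.status !== 200 || !res.body.nonce) throw new Error("no CSRF nonce returned");
    nonce = res.body.nonce;
  }
  return function send(method, path, body) {
    // The thread says GET needs no token; every other method is treated as needing one.
    const needsNonce = method !== "GET";
    for (let attempt = 0; attempt < 2; attempt++) {
      const headers = {};
      if (needsNonce) {
        if (nonce === null) fetchNonce();
        headers[CSRF_HEADER] = nonce;
      }
      const res = transport({ method, path, headers, body });
      const rejected = needsNonce && String(res.body).includes(CSRF_REJECTION);
      if (!rejected) return res;
      nonce = null; // cached nonce is stale: drop it and retry once
    }
    throw new Error("still rejected after refreshing the CSRF nonce");
  };
}

// Constructed fake server: issues a nonce and rejects state-changing calls without it.
function makeFakeServer() {
  let current = "nonce-1";
  const log = [];
  return {
    log,
    rotate() { current = "nonce-2"; }, // simulates the server-side nonce changing
    handle(req) {
      log.push(req.method + " " + req.path + (req.headers[CSRF_HEADER] ? " +nonce" : ""));
      if (req.path === TOKEN_PATH) return { status: 200, body: { nonce: current } };
      if (req.method !== "GET" && req.headers[CSRF_HEADER] !== current)
        return { status: 403, body: CSRF_REJECTION }; // status code is constructed
      return { status: 200, body: "ok" };
    },
  };
}
```

The nonce is requested only when a state-changing call needs it and is refreshed once on rejection, so a second consecutive rejection surfaces as an error instead of looping.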

 


11 REPLIES 11

Hello

I am trying the same configuration for ODataConnector, and I learned that JavaScript is required to set wt.effectiveUid (or else there is no remote user, and you get code 403). In the GetCustomHeaderParameters service on the connector, add this script:

 

// Query parameter that carries the user name to Windchill
var sessionQueryParam = "wt.effectiveUid";
var Language = Resources["CurrentSessionInfo"].GetCurrentUserLanguage();

// Empty result table for the custom headers
var params = {
    infoTableName : "InfoTable",
    dataShapeName : "NavigateCustomHeadersDataShape"
};
var result = Resources["InfoTableFunctions"].CreateInfoTableFromDataShape(params);

// User name is taken from the server-side ThingWorx session
var CurrentUser = Resources["CurrentSessionInfo"].GetCurrentUser();

// Read the authentication type configured on this connector
params = {
    tableName: "GenericConnectorConnectionSettings" /* STRING */
};
var configTable = me.GetConfigurationTable(params);

var row = configTable.getRow(0);
var authType = row.getStringValue("AuthenticationType");

if ("None".equals(authType)) {
    // Authentication type "None": append wt.effectiveUid=<user> to the query string
    var camelHttpQuery = sessionQueryParam + "=" + CurrentUser;
    row = {"Accept-Language" : Language, "CamelHttpQuery": camelHttpQuery };
} else {
    // Any other authentication type: only send the language header
    row = {"Accept-Language" : Language };
}

result.AddRow(row);

 

 

With this addition, I am able to successfully execute the ValidateConnection test. I am working now on issues with the GetEndpointList service, but I get authenticated.

barko
16-Pearl
(To:barko)

Follow up:

 

Setting Relative URL to: /servlet/odata/IE restricts the connection to the IE endpoint. Using /servlet/odata will allow access to all endpoints.

 

You also need Windchill 11.0 M030 to be patched to at least CPS06 for the REST services to be up to date. Remember that you need to re-apply the Windchill Extension for Navigate after completing the CPS patch.

olivierfresse
15-Moonstone
(To:barko)

Hi,

My version is

M030-CPS08

Not sure my REST module is up to date...
M010        1.0             odata.1.0.10.00.10              01         windchill 1.0 REST Services

 

 

I tried servlet/odata but it's not working.

 

[https://kora.4cad.fr/Windchill/sslClientAuth/servlet/odata/$metadata?wt.effectiveUid=Administrator] with status [ - Invalid domain request]

However, GetEndPointList works... in the new composer :-)

 

Sélection_045.png

Last update: I can create the service, but calling it raises an error

 

Unable to Invoke Service InvokeIE on ODATAConnector2 : Your route exchange has failed. Service operation failed [https://kora.4cad.fr/Windchill/sslClientAuth/servlet/odata/IE/InvokeIETask?wt.effectiveUid=Administrator] with status [ - A potential security problem was detected. Refresh the page and try again. If the problem persists, contact your administrator.]

 

But this comes from the CSRF_NONCE header, so I can fix it I guess. I'll post the final result.

Here's a clarification I received from R&D:

 

The relative url should be /servlet/odata only. Any domains like IE, ProdMgmt, etc should be set as values of the ServiceRootRelativeURL configuration. By setting the relative url that includes the domain name in it, you are restricting the connector to expose endpoints only in that domain. The expected protocol is to list all domains in the ServiceRootRelativeURL configuration, even if it's just one domain like IE in this case.

barko
16-Pearl
(To:barko)

The final trick to this configuration is that ODataConnector is only fully supported in the New Composer (aka Next Gen Composer). You can edit it in the old composer, but to successfully run all the services you need to open the New Composer and select the service to run from there. You make the New Composer available by clicking on your login name in the upper right, clicking Preferences, and checking the box for "Turn on New Composer Feature". That will add the new composer as a choice on the black bar at the top of the interface.

 

We have documented all of this in Article CS291231 (https://www.ptc.com/en/support/article?n=CS291231)

olivierfresse
15-Moonstone
(To:barko)

Thanks for all the info.

I can call some services, like getGroups

Sélection_047.png

I can't call more complex services, like getBom. Works with Postman, but no way from TX.

I tried with TX 8.3.1, but it's even worse as calling the test connection service returns an invalid service name error.

Still digging ...

 

Hello.

 

For that last error, take a look at this article. There is a bug report open for this but the article also offers a possible workaround.

 

-- Craig A.

olivierfresse
15-Moonstone
(To:CRArko)

Well,

I don't have any special characters in the payload, not sure it's related.

 


 
