Secure persistence API access
Posted by bwallis42
URL: https://discuss.orbeon.com/Secure-persistence-API-access-tp4659372.html
I want to pass the current user credentials when accessing an implementation of the persistence API. I was wondering what is the recommended way of doing this?
I see that there are a couple of request parameters, orbeon-username and orbeon-token on the calls to the persistence API.
orbeon-token: 1d6087d6eab20c2930b8774eb25f4c6ae650ae71
orbeon-username: system
I logged in as a user named "system", so that one is obvious, but what is the other value? It isn't the session ID as far as I can tell. My web session with Orbeon has two cookies:
JSESSIONIDSSO: 098D3EED5FF25103698274D8F7805FBE
JSESSIONID: F96456823D8BC1E1AC2EFC4E49953C78
so it isn't one of these values. These cookies are not passed on the calls to the persistence API, so I cannot use them to validate the session (in other cases where we have server-to-server calls over HTTP, we pass the JSESSIONIDSSO cookie to allow sharing of the current user session).
Is there a way I can use the "orbeon-token" value to validate that the user is what "orbeon-username" says they are?
Thanks,
brian wallis...