Posted: 31 Jan 2020 21:09 EST Last activity: 6 Feb 2020 16:57 EST
Service REST rules and Custom/Kerberos Authentication
Hi Pega Community,
I am trying to set up Kerberos authentication for my REST Service rules.
I already have a working Kerberos Authentication Service Rule + properly configured Tomcat/SPNEGO SourceForge/Web.xml for Web/Portal SSO login.
For the REST Services I did a "Save As" for my existing Authentication Service and created a new one of type "Custom" running the same activity, and configured my Service Package to "Custom" authentication and chose my new Authentication Service - "ServiceKerberos".
However, I think I might be missing something in my web.xml configuration. I configured a new servlet called "ServiceKerberos1" which is basically copied from my working (delivered) WebKerberos1 servlet. What I did change/add was these params (taken from the "WebRestService" servlet):
I am prompted for a User/Pass and after successfully logging in I get an HTTP 500 with this exception in the log:
Caused by: com.pega.pegarules.pub.PRException: Failed to retrieve Rule-Service-HTTP instance myPackage.v1.myService using service package access group APP:APPAdmin
I am sure the user I am logging in as has this Access Group, and when I turn off "Use External Authentication" and revert the Service Package back to "Basic" authentication I can successfully invoke the service.
It's a tough one, anyone have any ideas? Is my approach correct? What am I missing?
I believe your issue is with the custom servlet definition in web.xml. Pega looks for PRRestService in the URL to route requests to Service REST. Since you are using a custom servlet, Pega is looking for a Service HTTP instance and hence the error that the Service HTTP instance isn't found. Just curious, why do you need a custom servlet definition? Can you not use the OOTB servlet WebRestService?
I had a feeling about that exact thing, the error message states "Failed to retrieve Rule-Service-HTTP instance", and it seemed strange to me why it was not looking for a Rule-Service-Rest.
Thank you so much for confirming this, I really appreciate it.
The reason I used a custom servlet is because my Authentication Activity is expecting pxRequestor.pxSessionContext.pxUserPrincipalObject to be populated by the SPNEGO filter defined in my web.xml. However, now that you brought it up, I could add a filter mapping to the SPNEGO filter for the delivered /PRRestService/* URL pattern. The only caveat would be that all my REST services would need to be authenticated in the same way.
I'll try it tomorrow and update the post with results.
Thanks again for all the help, and if you can think of a way to work around Pega hardcoding PRRestService in URLs for REST Service rules, please share!
I've given this a bit more thought, and even if wrapping the /PRRestService endpoint with the SPNEGO filter would get this to work, I can't afford having all my REST services behind Kerberos authentication.
There are too many internal Pega integrations (Agile Studio/Deployment Manager/different strategic apps/etc.) that rely on this endpoint that would break if I do this.
So apparently, there is no solution to my problem.
I will try to downgrade to LDAP authentication since it does not rely on a Java Filter in the web.xml.
If there are any Pega Product people out there, in the future please provide a separate Servlet to map to for REST services so this can be achievable.