Adding QIE Channel Authentication

0 votes
672 views
asked Feb 16, 2018 by (240 points)
I want to restrict access to my QIE channels so that only authenticated users can utilize them.  Specifically, I'm using HTTP Listeners and Secure Sockets as the entry points to my channels.  Is there existing functionality I can configure in QIE? If not, what's the best course of action?

Currently, I was considering adding HTTP Basic Auth for my HTTP Listeners to decode the token in a Mapping node and do a lookup for the user in a System Variable table.  Although, I don't see a way to hash password data for my user in that table.  So this approach might not be feasible.

And then I'm not sure how I can go about adding authentication to Secure Sockets.

Any advice is appreciated.

1 Answer

+1 vote
 
Best answer

For the HTTP Listener, you are on the right track.  In a mapping, extract the Authentication value.  Here is a snippet of how to extract and find the md5Hash value of the password:

if (source.checkNodeExists('/Request/Headers/Authorization')) {
   var authorization = source.getNode('/Request/Headers/Authorization');
   // Strip the "Basic " scheme prefix and decode the base64 "username:password" pair
   var base64Decoded = qie.base64Decode(StringUtils.substringAfter(authorization, 'Basic '), 'UTF-8');
   // Split at the first ':' only, so a password that itself contains ':' is kept whole
   var username = StringUtils.substringBefore(base64Decoded, ':');
   var password = StringUtils.substringAfter(base64Decoded, ':');
   var md5Password = qie.getMD5Hash(password);
   // Log the username only; the header, password and hash stay out of the debug log
   qie.debug("Authorization header received, username = " + username);
}

I like the users System Variable table approach.  To help manage that, you could create a helper channel that can add or update a record and hash the password field as you set the value.  Alternatively, you can use an online tool for generating the md5Hash value as you add records to the table or "Link the system variable to external source" and edit it outside of QIE.

As far as Secure Sockets, I'm not aware of any username/password approaches.  It would depend on the format of the payload and where you would put a username/password.  You can always control which clients connect to the server via a Client Authenticated TLS connection by providing a Client Certificate to the authorized endpoints.

Hope it helps.

answered Feb 16, 2018 by mike-r-7535 (13,830 points)
selected Feb 19, 2018 by
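Added example (not part of the original answer, and stand-alone Node.js rather than QIE mapping code): the Basic Auth check against a user table discussed above, with a per-user salted scrypt hash swapped in for MD5 and a constant-time comparison. The function names, the "saltHex:hashHex" record layout and the sample user are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Derive a salted scrypt hash; the table stores it as "saltHex:hashHex".
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const hash = crypto.scryptSync(password, salt, 32);
  return salt.toString('hex') + ':' + hash.toString('hex');
}

// Parse "Basic <base64(username:password)>"; returns null when malformed.
function parseBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const idx = decoded.indexOf(':'); // first colon only: passwords may contain ':'
  if (idx < 0) return null;
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Dummy record so an unknown username costs the same work as a known one.
const DUMMY = hashPassword('dummy');

// userTable maps username -> "saltHex:hashHex" (hypothetical layout).
function authenticate(header, userTable) {
  const creds = parseBasicAuth(header);
  if (!creds) return false;
  const known = Object.prototype.hasOwnProperty.call(userTable, creds.username);
  const stored = known ? userTable[creds.username] : DUMMY;
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(
    creds.password, Buffer.from(saltHex, 'hex'), expected.length);
  // Compare in constant time, then apply the "user exists" result.
  return crypto.timingSafeEqual(actual, expected) && known;
}

// Constructed sample data: one user whose password contains colons.
const users = { alice: hashPassword('s3cret:with:colons') };
const basicHeader = (u, p) =>
  'Basic ' + Buffer.from(u + ':' + p).toString('base64');

console.log(authenticate(basicHeader('alice', 's3cret:with:colons'), users));
console.log(authenticate(basicHeader('alice', 'wrong'), users));
```

Only the salt and derived hash are stored in the table, so the helper channel that adds or updates users would call the equivalent of `hashPassword` when setting the value.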