When logged in with an SSO username, the SwaggerUI URL [server]/niku/rest/describe/index.html
is accessible.
There is a login icon available.
Click it, then click the Authorize button.
After invalid credentials are entered and the Authorize button is clicked, REST calls can still be made and return HTTP status 200 OK.
The page [server]/niku/rest/describe/index.html, which displays the Clarity REST API library, is not available
if a user is not logged into the system.
As the SSO login is valid and being used, this is the session that is being validated when SwaggerUI is accessed.
Once authenticated with the SSO login, the SwaggerUI will show the Clarity REST API library.
The bogus username/password combination is not used; it is ignored. As evidenced in the APP-ACCESS logs,
requests will show the session cookie associated with the SSO user, not the invalid credentials entered.
The APP-ACCESS logs will confirm it is the SSO user that is logged in and performing any REST call.
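
The precedence described above can be modelled in a few lines. This is an added example, not Clarity code: the cookie name sessionId, the sample users and the fallback to Basic credentials when no session exists are all assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample data: one live SSO session and one valid local account.
SESSIONS = {"sess-abc123": "sso.user"}          # hypothetical cookie value -> user
LOCAL_USERS = {"api.user": "correct-password"}  # hypothetical username -> password


def basic(user, password):
    """Build a Basic Authorization header value, as the Authorize dialog would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def resolve_identity(headers):
    """Return (status, user, source) for a REST request.

    Models the behaviour in the article: a valid session cookie is validated
    first, and any Authorization header sent alongside it is ignored.
    """
    cookies = dict(
        part.strip().split("=", 1)
        for part in headers.get("Cookie", "").split(";")
        if "=" in part
    )
    user = SESSIONS.get(cookies.get("sessionId", ""))
    if user:
        # The acting user, and what an access log would record, is the SSO user.
        return 200, user, "session-cookie"

    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, None, "none"
    try:
        name, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # covers bad base64 and undecodable bytes
        return 401, None, "basic-rejected"
    expected = LOCAL_USERS.get(name)
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, name, "basic"
    return 401, None, "basic-rejected"


if __name__ == "__main__":
    bogus = basic("nobody", "wrong")
    # SSO session present: bogus credentials are ignored, the call succeeds as sso.user.
    print(resolve_identity({"Cookie": "sessionId=sess-abc123", "Authorization": bogus}))
    # No session: the same bogus credentials are rejected.
    print(resolve_identity({"Authorization": bogus}))
```

In the model, the 200 response is tied to the session cookie alone, which matches what the APP-ACCESS logs show for the SSO user.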