Article
· Aug 9 2m read

WebTerminal is broken on IRIS 2024.2

I'm posting this for the benefit of WebTerminal users who have upgraded to the recently-released IRIS 2024.2 -- (Build 247U) Tue Jul 16 2024 09:52:30 EDT -- or are considering doing so.

That version of 2024.2 contains a change (DP-432503) which requires that the user under which the Web Gateway initially connects to IRIS (usually CSPSystem) must have READ permission on the database hosting the dispatch class of the REST web application.

Where that is not the case an error is raised, but it returns an HTTP 404 status to the caller instead of the expected HTTP 401.

Apparently the problem will be fixed in 2024.3, reference DP-432898 / ALI048 : REST Login endpoints to return 401 HTTP error instead of 404, but as a Continuous Delivery (CD) release 2024.2 won't get a maintenance release correction.

The workaround is to arrange for CSPSystem to have READ permission on the database of the namespace you installed WebTerminal in.

Here's how I did it:

  1. Create a new security resource %DB_WEBTERMINAL and set the WEBTERMINAL database to use this instead of %DB_%DEFAULT.
  2. Create a role %DB_WEBTERMINAL that gives the role-holder RW access to the %DB_WEBTERMINAL resource.
  3. Create another role (I called mine DBread_WEBTERMINAL) that gives the role-holder only R access to that resource.
  4. Give the CSPSystem user the DBread_WEBTERMINAL role. This works around the 2024.2 bug.
  5. Edit the /terminalsocket web application and add %DB_WEBTERMINAL to the Application Roles tab. This step is necessary because WebTerminal initially runs its websocket process as UnknownUser and needs to update state information in its database even before it switches to run as the authenticated user.

An easier but less secure technique would be:

  1. Create a new security resource %DB_WEBTERMINAL with RW public privileges, then set the WEBTERMINAL database to use this instead of %DB_%DEFAULT.

More details at https://github.com/intersystems-community/webterminal/issues/155
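The five-step workaround above can also be scripted. The following is an added example, not code from the article or from the WebTerminal project: the class name `Example.WebTerminalFix` is hypothetical, the database is assumed to be configured under the name WEBTERMINAL, and the resource and role names are the ones the article uses. It assumes the `MatchRoles` property of `Security.Applications` holds application roles as an entry with an empty match role (`:Role1:Role2`), with entries separated by commas.

```objectscript
Class Example.WebTerminalFix
{
/// Run as a user who may administer security; returns a %Status.
ClassMethod Apply(dbName As %String = "WEBTERMINAL") As %Status
{
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"  // Security.* and Config.* classes live in %SYS
    Set res = "%DB_WEBTERMINAL", readRole = "DBread_WEBTERMINAL", sc = $$$OK
    Try {
        // Step 1: resource with no public permission, then bind the database to it
        If '##class(Security.Resources).Exists(res) {
            $$$ThrowOnError(##class(Security.Resources).Create(res, "WebTerminal database", ""))
        }
        $$$ThrowOnError(##class(Config.Databases).Get(dbName, .cfg))
        Set db = ##class(SYS.Database).%OpenId(cfg("Directory"))
        If '$IsObject(db) { $$$ThrowOnError($$$ERROR($$$GeneralError, "Cannot open "_dbName)) }
        Set db.ResourceName = res
        $$$ThrowOnError(db.%Save())
        // Steps 2 and 3: one RW role, one read-only role on the same resource
        If '##class(Security.Roles).Exists(res) {
            $$$ThrowOnError(##class(Security.Roles).Create(res, "RW on "_res, res_":RW"))
        }
        If '##class(Security.Roles).Exists(readRole) {
            $$$ThrowOnError(##class(Security.Roles).Create(readRole, "R on "_res, res_":R"))
        }
        // Step 4: the Web Gateway user only needs READ
        $$$ThrowOnError(##class(Security.Users).AddRoles("CSPSystem", readRole))
        // Step 5: add the RW role to the application roles of /terminalsocket
        $$$ThrowOnError(##class(Security.Applications).Get("/terminalsocket", .app))
        Set mr = $Get(app("MatchRoles")), found = 0
        For i=1:1:$Length(mr, ",") {
            Set entry = $Piece(mr, ",", i)
            If $Extract(entry) '= ":" { Continue }  // not the application-roles entry
            Set found = 1
            If (entry_":") '[ (":"_res_":") { Set $Piece(mr, ",", i) = entry_":"_res }
        }
        If 'found { Set mr = $Select(mr="":"",1:mr_",")_":"_res }
        Set upd("MatchRoles") = mr
        $$$ThrowOnError(##class(Security.Applications).Modify("/terminalsocket", .upd))
    } Catch ex {
        Set sc = ex.AsStatus()
    }
    Quit sc
}
}
```

The method is idempotent: existing resources and roles are left alone, and the application role is appended only if it is missing.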

Discussion (2)

Hi @John Murray

I was able to fix this in a dev environment by adding the %All role to the /terminalsocket web application
and adding Public Read Permission on the DB permission for the database that has the webterminal package.

No changes were necessary to the CSPSystem user or anything.

I am not sure how this compares in terms of security, but it works for a dev environment or sandbox.

Thanks @John Murray for raising this... I was going crazy thinking I was doing something wrong with a simple webterminal installation. 🤯

Thanks @Theo Stolker. It works for me also, doing it the way you mention. I think you don't need to add the %All role to /terminalsocket... as John mentioned at the end, one easier (but less secure) way would be just to set RW privileges on %DB_USER or on a specific resource %DB_xxxxxx associated with the database where WebTerminal was installed.