#Authentication

I have a question about using OnInit() within a Ens.BusinessOperation.

When you include OnInit(), does OnInit() only execute when you start a Business Operation? Or does it execute OnInit () every time you send a REST request to the operation. I am trying to pinpoint when the best time is to execute the POST command to get the Token

I am needing to get a Bearer Token from a REST POST call and return the Authorization key prior to making the rest of the REST calls to pull down data.

When not using OAuth, what have you done to get the Token prior to executing any Requests?

Thanks

Scott

Hi

I'm trying to use JWT authentication on a REST application in IRIS. The login API are correctly "injected" into the application. Login works fine with Postman and other REST clients, and subsequent calls to my REST API using the bearer token work fine (correctly authenticated). So far, so good.

The problem is that it doesn't work with Axios, so I can only test it, I cannot integrate it into my application.

Hi!   

I'm trying to set up a Clinical Viewer demo env with HealthShare 2024.2. 
I've done the standard installation following the doc : 

• UCR - UCR demo with IHE
• CV - CV demo

Everything works until I get to the point where I have to enable federated SSO (UCR demo - Federated SSO). Once it is activated, I can no longer access the instance through the portal, and the browser displays the following error:

Checking the messages.log, I see that every time I try to enable federated SSO and access the portal, I encounter the following error:

12/24/24-10:51:55:639 (98515) 2 [Utility.

When trying to save ZAUTHENTICATE.mac the following error occurs 

If it is wrongly named as like ZATHIENTICATE.mac in the %SYS namespace it saves ok so it is something blocking saving a new fresh ZAUTH code of the correct name- we have no other delegated auth that I am aware of. 

Hi guys, I defined a subclass to %CSP.Login and assigned csp/sys login page to this subclass:

But did not work, I get this error:

And more, the default %CSP.Login continues to be called to login when the user not logged yet
So, how can I do to replace the default %CSP.Login by my subclass?

Hi:

I see a lot of cool REST apps and i'm trying to host something in the TIE using REST/Axios with VITE. 

At the moment i will probably host the application in web applications in Intersytems. 

For authorisation and getting the logged in user and password to any app, is there a standard people are doing? 

I.e. for axios you might have this from the app

auth: {
        username: apiUser,
        password: apiPass
      }

But surely you want to pass through credentials from the IRIS logged in user, or alternatively pass the credential request to IRIS API to first receive the data.

We recently moved from using the Private Web Server, to using an Apache/Web Gateway setup and moved towards using the built in LDAP functionality within IRIS. Since then, we have 1 user that uses VSCode (/api/atelier) heavily that continues to have issues signing into IRIS through VS Code and the /api/atelier extension.

I am trying to troubleshoot two issues..

• User having login failures with correct

I am attempting to configure an inbound service that utilizes the EnsLib.SOAP.GenericService class. This service receives HL7-v3 content wrapped in SOAP requests. Despite reading the documentation on configuring SOAP services, I am still confused.

In my current configuration item "Fr_Centrak_RTLS", I have ‘Enable Standard Requests’ checked, ‘Pool Size’ set to 0, and the port is unspecified.

I have also configured a web application with the following details:

My challenge is determining the correct URL address for sending SOAP traffic to this service.

When I attempt to start my local IRIS instance (named LATEST) I am getting the below error

"(111) Error starting service: LATEST
Reason: (1069) The service did not start due to a logon failure."

Does anyone have experience with this or know how to resolve the logon credentials associated  with this start? 

I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.

I've already set  Parameter HandleCorsRequest = 1; on the spec class and All the endpoints I am have (a mix of GET, POST, PATCH and DELETE) are working from postman without issue, the problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check causing the CORS issue.

Hello Everyone,

We currently have CSP application that runs under 2 servers(usually primary), and every month the server reboots for patching SERVER1(primary) in the morning and SERVER2(backup) at night.

Whenever the SERVER1 reboots SERVER2 behaves as primary and when SERVER1 comes back up it will act as backup server.

First Patching:

So, when SERVER1 is down, I need to start httpd service for SERVER2 and stop httpd service for SERVER1 (which is now backup server).

I tried using the code below in terminal to start httpd service for SERVER2 with no success.

I'm trying to call a SOAP web service which is implemented in .NET Classic and requires NTLM authentication. The client class was generated by %SOAP.WSDL.Reader. The problem is that neither NTLM authentication works nor can I handle the exception since VSCode debugger says that all meaningful fields and properties are empty (the same request works fine in Postman):

ClassMethod Test()
{
    #Dim client as My.Client
    Set client = ##class(My.Client).%New()
    Try
    {
        Set client.SSLConfiguration = "SSL"
        Set client.Location = "https://server/service.asmx"
        Set client.

Hi Guys,

For Login in CSP application, I am displaying custom Login page which is rendered from subclass CSS.CSP.Login that extends %CSP.Login, and also got IBA.CSP.Page that extends %CSP.Page with overridden method OnPreHTTP(). This setup is working perfectly for normal login.  

When I define Invalid login limit and enable Disable account if login limit reached in System > Security Management > System-wide Security Parameters, the users get disabled after certain invalid login attempts.

Recently i've been using Restforms2 to create a CRUD API for a project. But it lacks some advanced functionality that we need, so we have created a production with a REST WS which handles those advanced methods. That works great but there's a drawback, it does not have authentication. 
I would want to use the same authentication method as Restforms2 which is a basic auth using IRIS users and passwords. 
Searching for this, i have found a similar topic. It uses $SYSTEM.Security.Login(user, pass) in a similar manner to create a token.

Hi, I need to make a prompt for a password and to not display what the user is typing in a CMD. I want to use the read command but i'm not sure if it is possible with it.

Our client says the call to send email (method (%Net.SMTP).Send) started returning error # 6167 (Authentication expected but failed.) after installing IRIS 2022.1.2; email had worked before. Properties (%Net.Authenticator).UserName and .Password were configured. We can get email to work when we don't set property (%Net.SMTP).authenticator.

Any ideas what is going on? Thanks.

Hi community,

A colleague gets ERROR #822: Access denied every time he tries to log in via Management portal. It is NOT the case of wrong credentials: I reset his password password to a temporary one so it would prompt him to create a new one upon first login. He did get the prompt, changed his password and his next attempt at logging in displayed the same error.

The audit log record displays this:
Error message: ERROR #862: User is restricted from running application /csp/sys/op, %Admin_Operate:U required -- cannot execute.

Hello everyone,

I am attempting to enable two-factor authentication for a user account through the System Administration > Security > Users > Edit User (Security Settings) section. However, I am encountering an error with the Qrcode class.

ERROR #5002: ObjectScript error: <NOTOPEN>zGenerate+27^%SYS.QRCode.1

Update:
I tried to create a QR code image using the command from the %SYS.Qrcode class, and I encountered the same error. I believe it may be related to folder permissions, but I have already granted all the permissions that I am aware of to the InterSystems database.

Hi experts

I'm trying to configure an IRIS ODBC connection with "Windows NT authentication using the network login ID". I have created the System DSN as below:

and user (PROD\test) in the SQL Gateway connection 

However, as the error message suggests, IRIS is trying to connect with PROD\svc_mist, rather than PROD\test configured above. 

Is there anyway to configure the ODBC connection with specified account with Windows Auth method? 

I have to create a SOAP WebService that receives the username/password as part of a field in the Request. I have no control of the client's application.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org">
   <soapenv:Body>
      <tem:ProcessRequest>
         <!--Optional:-->
         <tem:myRequest>
            <tem:NomUtilisateur>ACGendron</tem:NomUtilisateur>
            <tem:MotDePasse>MyPassword</tem:MotDePasse>
            <!-- Other request fields -->
            <tem:PrenomMere>?

Hello,

I'm making rest API service with Authentication.

How I can return HTTP Status 403 if user enter invalid login or password?

Now returning Http status 200.

Class RestAPI Extends %CSP.REST
{

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>

<Map Prefix="/restforms" Forward="Form.REST.Main"/>
<Route Url="/auth/:login/:pass" Method="GET" Call="CheckUser" Cors="true"/>
</Routes>
}

ClassMethod CheckUser(userAw, pwdAw) As %String
{

set %response.ContentType = "application/json"

// my code to check auth

Set object = {}
Set object.status = -1
Set object.message = "HTTP/1.

I am working on iris-for-money app: https://github.com/oliverwilms/iris-for-money

Account.csp posts a rest call with _SYSTEM username and the password.

xhttp.open("POST", "/restapi/sql/" + query, true,"_SYSTEM","SYS");
xhttp.send();

The error is logged in Riches.REST for this line:

Set tSC = tStatement.%Prepare(pQuery)

ClassMethod PostSQL(pQuery As %String = "", pIndex As %String = -1) As %Status
{
    Do ..DebugTEST("Riches.REST - PostSQL")
    Do ..DebugTEST("pQuery = "_pQuery)
    Set tSC = ..TestQuery(pQuery,.pQuery)
    Do ..DebugTEST("TestQuery = "_pQuery)
    Set tStatement =

Hi Team,

My SOAP functions were working perfectly before enabling basic authentication. To set up basic authentication, I created web applications for the SOAP service, checked the password option, and assigned a user to this web application. However, after enabling basic authentication, the SOAP service stopped working.

I've been trying for a while now to get OS authentication working on IRIS running on Ubuntu 20.04 and subsequently 22.04. I have the following authentication methods enabled for %Service_Terminal:

• Operating System
• Password
• Operating System Delegated Authorization

And i have these options selected in Authentication/Web Session Options:

But when logging in via iris session <instancename> I am always prompted for a username and password. I am logged into the operating system with a username that matches my IRIS username, and the same configuration and login method works fine on Red Hat 8.5.

I am trying to use postman to start the restapi classes from a json openapi2.0.0 file.

POST: https://myserver.com/api/mgmnt/v2/requestAPI. The body contains the openapi2.0.0. The application api/mgmnt has in security settings: password. JWT is not selected. I set postman authentication to basis authentication and gave username and password. I also set in headers IRISUsername and IRISPassword. I have 401 Unauthorized.

Is the only way to go through is to build an oauth token? or do I miss something?

Thank you very much.

I am trying to secure a rest service but I lack the understanding of how to achieve this if anyone will explain  in details how I could achieve the following:

Securing The REST Service with Basic Auth (username and password)

if any one has a sample code on this will appreciate 

Getting proctect error on csp custom login page. 

It says to add role to CSPSYSTEM i have given role to db (rw i would like to change to R once working). It has not solved issue 

Dear All,

I am currently part of a team that is developing an application using Microsoft PowerApps as the front end and IRIS as the backend.  Effectively that frontend screens, which are house and an Azure serve, call a series of REST interfaces exposed by IRIS from a physical Microsoft server.  During the development stage we have not had any security in place but now we need to secure the application using a single sign on.  PowerApps relies on Microsoft Entra for its security both LDAP and OAuth.  Has anyone in the community connected IRIS to Microsoft Entra?

Does anyone happen to have a sample Configuration (CPF) Merge file that includes Action parameters setting up authentication methods (e.g. Password, Kerberos) for certain Services and Web Applications (e.g. via the ModifyService or Modify/CreateApplication AutheEnabled property)?

Thanks!

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?