Rest API Security
- Michael Bodkin (Unlicensed)
Resources
https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
All tulisa videos: https://www.youtube.com/@tulasibeesabathuni772/videos
Supported HTTP Authorization Types
Bearer Token
Digest
Basic
Customer How-tos
Bearer Token
Login Into sunwave.
Create or get your client_id In our case “vQl91X514m11dTHHGYQPQkxJqNPxgbdJ” Master Data → Client Integration this populates
sw_external_application(SunwaveEMR/web/integrations/integrations.dart) Requirements for Client ID and Secret Key:
In the same browser surf to http://localhost:8080/SunwaveEMR/authorizeRealm?client_id=vQl91X514m11dTHHGYQPQkxJqNPxgbdJ
Choose the Realm you what to issue rest commands against.
This will redirect you to something like this: http://localhost:8080/SunwaveEMR/generateCode?code=F26YCVM8F5&state=null This will populate
sw_external_application_codeNote what the code parameter is set to. In our case “F26YCVM8F5”
Get your client secret. In our case “C0iGincSREijXqeuB3P9sDdj1ZU6UwqVaUc6VLwhpcx2sBQmB85k8zWuIKSc6gkCAcnXm4JTk2YBFpH5fFDEPH0JyKg4SgchallGmNDc9fNkO1ojZxyKaZ5murQZFDvSW7iJl1CM5JESube8P0cdlqtiLoHb7BP4293S6FqG557TbIPS61ACp0lfAOu9fNXD6L2LD24j7QMRZpM8GE6GQOnY5nTaHGn42eBMjB8iMS9gx4P7iStJirC0vjq2miSC”
Now get the Bearer Token by issuing the following http://localhost:8080/SunwaveEMR/token?code=F26YCVM8F5&client_id=vQl91X514m11dTHHGYQPQkxJqNPxgbdJ&client_secret=C0iGincSREijXqeuB3P9sDdj1ZU6UwqVaUc6VLwhpcx2sBQmB85k8zWuIKSc6gkCAcnXm4JTk2YBFpH5fFDEPH0JyKg4SgchallGmNDc9fNkO1ojZxyKaZ5murQZFDvSW7iJl1CM5JESube8P0cdlqtiLoHb7BP4293S6FqG557TbIPS61ACp0lfAOu9fNXD6L2LD24j7QMRZpM8GE6GQOnY5nTaHGn42eBMjB8iMS9gx4P7iStJirC0vjq2miSC
This will return something like this:
{ "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzdW53YXZlLWFkbWluMSIsImF1ZCI6IjEzMSIsImNsaSI6InZRbDkxWDUxNG0xMWRUSEhHWVFQUWt4SnFOUHhnYmRKIiwiaXNzIjoiU3Vud2F2ZSIsImV4cCI6MTY3NDY2OTI0NzAxMX0.VpdznRyCkM6F_YnHaUCzIA6uScttcbssCs1SdRESymXOHT7Sk2z7UpUkJo-Px5ifgajPJlygt1CrByqUMS1T4Q", "expires_in": "24h" }Now set bearer token on your request.
Digest
Basic
Software Design
O-AUTH 2
AuthorizeRealmServlet - (sets client_id and state as attributes in the session using client_id and state parameters) https://github.com/sunwavehealth/SunwaveEMR/blob/d46b653451ce24623a0c6c72d0aa4e2313c5c0f9/src/main/java/com/sunwave/emr/server/security/AuthorizeRealmServlet.java#L14
api_select_realm https://github.com/sunwavehealth/SunwaveEMR/blob/d46b653451ce24623a0c6c72d0aa4e2313c5c0f9/src/main/webapp/api_select_realm.jsp#L1
Generate JWT Token for bearer:
GenerateJWTServlet - (GET: http://localhost:8080/SunwaveEMR/generateCode) https://github.com/sunwavehealth/SunwaveEMR/blob/d46b653451ce24623a0c6c72d0aa4e2313c5c0f9/src/main/java/com/sunwave/emr/server/security/GenerateJWTServlet.java#L16
JWT.genrateJWT (POST: http://localhost:8080/SunwaveEMR/token ex SunwaveEMR/token?code=VKYU5F5W1S&client_id=vQl91X514m11dTHHGYQPQkxJqNPxgbdJ&client_secret=C0iGincSREijXqeuB3P9sDdj1ZU6UwqVaUc6VLwhpcx2sBQmB85k8zWuIKSc6gkCAcnXm4JTk2YBFpH5fFDEPH0JyKg4SgchallGmNDc9fNkO1ojZxyKaZ5murQZFDvSW7iJl1CM5JESube8P0cdlqtiLoHb7BP4293S6FqG557TbIPS61ACp0lfAOu9fNXD6L2LD24j7QMRZpM8GE6GQOnY5nTaHGn42eBMjB8iMS9gx4P7iStJirC0vjq2miSC) -https://github.com/sunwavehealth/SunwaveEMR/blob/d46b653451ce24623a0c6c72d0aa4e2313c5c0f9/src/main/java/com/sunwave/emr/server/util/JWT.java#L45
Manage
sw_external_application_codetable. Master Data → Client IntegrationManage
sw_external_applicationtable Practice Setup → External ApplicationDart external_app_registry - https://github.com/sunwavehealth/SunwaveEMR/blob/d46b653451ce24623a0c6c72d0aa4e2313c5c0f9/web/admin/external_app_registry.dart#L200
Processor Entry - https://github.com/sunwavehealth/SunwaveEMR/blob/5daa4fd9d6563e688ff9ce479c13426040de490f/src/main/java/com/sunwave/emr/server/Processor.java#L528
ExternalApplicaitonProcessor -https://github.com/sunwavehealth/SunwaveEMR/blob/d46b653451ce24623a0c6c72d0aa4e2313c5c0f9/src/main/java/com/sunwave/emr/server/security/ExternalApplicationProcessor.java#L18
Validate Rest request
Tomcat Filters - https://www.codejava.net/java-ee/servlet/webfilter-annotation-examples
APISecurityFilter - https://github.com/sunwavehealth/SunwaveEMR/blob/51252a9bb7a7d193a9cb929a7c22b04c2ad7fcf5/src/main/java/com/sunwave/emr/server/security/APISecurityFilter.java#L28
APISecurityFilter - Path https://github.com/sunwavehealth/SunwaveEMR/blob/51252a9bb7a7d193a9cb929a7c22b04c2ad7fcf5/src/main/java/com/sunwave/emr/server/security/APISecurityFilter.java#L26
JSONArray clients = ReportProcessor.toJSONArrayOfJSONObjects( "select sw_external_application_code.created_by, sw_external_application_code.clinic_id " + "from " + " sw_external_application_code, " + " sw_external_application " + "where " + " sw_external_application_code.client_id = sw_external_application.client_id " + "and sw_external_application_code.code = ? " + "and sw_external_application_code.client_id = ? " + "and sw_external_application.client_secret = ?", new String[]{code, clientId, clientSecret});