VMware {code} Community
kimroz
Contributor

How to maintain session across VCP client and backend integration server?

Hi,

We are building a vSphere client plugin with workflows offloaded to a backend server.

Is there a way I can use the logged-in user's session to run these flows in the backend server?

I am looking for a possibility to either use the logged-on session on the client to run server flows, or to impersonate based on the logged-on user.

Can someone point me to best practices for a VCP plugin in this respect?

Thanks

Imroz

1 Reply
tganchev
VMware Employee

Hi Imroz,

Inside the Java middle tier of your plugin through the UserSessionService API you have access to all vCenter servers and the session cookies for each of them (_userSessionService.getUserSession().serversInfo[].sessionCookie).

Session cookies allow your plugin Java middle tier to reuse an already established vCenter session but should not be exposed outside of the vSphere Client's application server as they can compromise the security of the environment.

Instead, inside the middle tier of your plugin you need to use the vCenter SessionManager.AcquireCloneTicket() API (https://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.SessionManager.html#acq...) using the vCenter session cookie for authentication. You can pass the ticket you received from this call to your backend (for example in a custom header) and the backend in turn can establish a new vCenter session by calling the SessionManager.CloneSession() vCenter API (https://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.SessionManager.html#clo...). When talking to the SessionManager in your backend you can have an anonymous session - CloneSession() will set up the authenticated session from this point on (depends on what client library you use - works out of the box with the vSphere Web Services SDK for Java).

The proposed approach is more secure than just passing around the vCenter session cookie since the clone ticket can be used only once in a call to CloneSession() and will become invalid afterwards - so if a middle man sniffs the value, it will be too late for it to abuse the ticket.

To pass the session cookie in API calls to vCenter inside your Java middle tier you can refer to the DataProviderImpl.getServiceContent() method inside the vsphere-wssdk-service sample from the SDK.

Let me know how this works for you and I can help further.

Tony
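
The flow described in the reply above, sketched as an added example (not code from the post or from the SDK sample). It assumes the vim25 JAX-WS bindings shipped with the vSphere Web Services SDK for Java; the class name CloneTicketFlow, its method names, and the vmware_soap_session cookie name are assumptions of this sketch.

```java
import com.vmware.vim25.ManagedObjectReference;
import com.vmware.vim25.ServiceContent;
import com.vmware.vim25.UserSession;
import com.vmware.vim25.VimPortType;
import com.vmware.vim25.VimService;
import java.util.*;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;

// Hypothetical helper: acquireTicket() runs in the plugin middle tier, redeemTicket() in the backend.
public final class CloneTicketFlow {
    private static final ManagedObjectReference SERVICE_INSTANCE = new ManagedObjectReference();
    static {
        SERVICE_INSTANCE.setType("ServiceInstance");
        SERVICE_INSTANCE.setValue("ServiceInstance");
    }

    // New SOAP port bound to one vCenter endpoint. TLS validation is left to the JVM
    // trust store, so the vCenter certificate must be trusted there.
    private static VimPortType port(String serviceUrl) {
        VimPortType vim = new VimService().getVimPort();
        Map<String, Object> ctx = ((BindingProvider) vim).getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, serviceUrl);
        ctx.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, true);
        return vim;
    }

    // Middle tier: authenticate with the user's session cookie (which never leaves this
    // tier) and ask vCenter for a single-use clone ticket to hand to the backend.
    public static String acquireTicket(String serviceUrl, String sessionCookie) throws Exception {
        VimPortType vim = port(serviceUrl);
        Map<String, List<String>> headers = Collections.singletonMap(
            "Cookie", Collections.singletonList("vmware_soap_session=" + sessionCookie)); // assumed cookie name
        ((BindingProvider) vim).getRequestContext().put(MessageContext.HTTP_REQUEST_HEADERS, headers);
        ServiceContent sc = vim.retrieveServiceContent(SERVICE_INSTANCE);
        return vim.acquireCloneTicket(sc.getSessionManager());
    }

    // Backend: start anonymous, redeem the ticket, and keep using the returned port.
    // A second CloneSession() call with the same ticket fails, because it is single-use.
    public static VimPortType redeemTicket(String serviceUrl, String ticket) throws Exception {
        VimPortType vim = port(serviceUrl);
        ServiceContent sc = vim.retrieveServiceContent(SERVICE_INSTANCE);
        UserSession session = vim.cloneSession(sc.getSessionManager(), ticket);
        System.out.println("Backend session established for " + session.getUserName());
        return vim;
    }
}
```

The backend receives only the ticket and the vCenter service URL; send the ticket over TLS and keep it out of request logs, since it stands in for the user until it is redeemed.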