Hello Community,

 

The Academy guides on how to create anonymous custom configuration services using WCF / .Net Framework - https://academy.creatio.com/docs/developer/back-end_development/configuration_web_service/configuration_web_service#title-1243-3

Suppose, I have a Creatio cloud instance on Linux using .Net Core. How does one go about creating an anonymous custom configuration service??

 

Regards
Shrikanth

Best reply

Hello Shrikanth, 

In order to enable Anonymous service for .Net Core edition of Creatio all you need to do is to add information about this service to "AnonymousRoutes" block of ..\Terrasoft.WebHost\appsettings.json file. 
It should look like this:

"Terrasoft.Configuration.[Service name]": [
    "/ServiceModel/[Service name].svc"
]

Please note that there is no need to change the service's source code.
Also, if the "System.Web" namespace is being used, it has to be changed to "Terrasoft.Web.Http.Abstractions".

Kind regards,
Roman
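
Every entry under "AnonymousRoutes" is an endpoint reachable without authentication, so the block is worth re-checking on each deployment. The following is an added example, not part of the original reply or Creatio's own code: it compares the block against a reviewed list and checks that each route follows the key/route naming pattern shown above. The sample file contents, the service names, the approved list and the placement of "AnonymousRoutes" as a top-level object are assumptions made for illustration.

```python
import json
import re

# Constructed sample; "AnonymousRoutes" as a top-level object is an assumption.
APPSETTINGS = """{
  "AnonymousRoutes": {
    "Terrasoft.Configuration.OrderStatusCallback": ["/ServiceModel/OrderStatusCallback.svc"],
    "Terrasoft.Configuration.DebugTools": ["/ServiceModel/DebugTools.svc"],
    "Terrasoft.Configuration.Billing": ["/ServiceModel/Invoices.svc"]
  }
}"""

# Hypothetical list of services that a security review approved as anonymous.
APPROVED = {"Terrasoft.Configuration.OrderStatusCallback",
            "Terrasoft.Configuration.Billing"}

# Route shape taken from the reply: /ServiceModel/[Service name].svc
ROUTE_RE = re.compile(r"^/ServiceModel/([A-Za-z_]\w*)\.svc$")

def audit_anonymous_routes(appsettings_text, approved):
    """Return a sorted list of (service key, finding) for every questionable entry."""
    routes = json.loads(appsettings_text).get("AnonymousRoutes", {})
    findings = []
    for key, paths in routes.items():
        if key not in approved:
            findings.append((key, "not on the approved anonymous list"))
        class_name = key.rsplit(".", 1)[-1]  # [Service name] part of the key
        for path in paths:
            m = ROUTE_RE.match(path)
            if m is None:
                findings.append((key, "unexpected route shape: " + path))
            elif m.group(1) != class_name:
                findings.append((key, "route does not match service name: " + path))
    return sorted(findings)

if __name__ == "__main__":
    for key, finding in audit_anonymous_routes(APPSETTINGS, APPROVED):
        print(key + ": " + finding)
```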

Hello Shrikanth,

 

To create a configuration service you need to authorize via the AuthService.svc. Please refer to the following article: https://academy.creatio.com/documents/technic-sdk/7-16/creating-configu…

Please let us know if you have any questions or concerns left.

Regards,
Kseniia

 

 

Kseniia Prokopenko,

The documentation clearly says that there is a way to create a configuration service with Anonymous authentication. Hope you went through the Academy link I pasted in the question.

My question was - 
The documentation only lists out the steps for the WCF based configuration services (Used by .Net Framework on Windows). How does one go about creating an anonymous service on a Linux installation of Creatio using .Net Core?

Kseniia Prokopenko,

Hi Kseniia, Request and appreciate your assistance for the above query


Hello community,

 

We have a Creatio installation on Creatio SaaS cloud with a few custom configuration services we have built. The security requirements are very stringent and we need to be able to permit access to these custom configuration services only to a few users & only to a few IPs. Pls find below questions in this regard - 

  1. From what we understand, access to the GUI application and to the back end services are shared across the same Creatio credentials (via user setup). Can we disable GUI access to a few users and only enable access to these specific custom configuration services? Also, can we disable access to these configuration services for all other GUI users? In short - A few users only for these configuration services. A few users only for the GUI.
  2. We would like to permit only certain IPs to access these configuration services. This can be handled in 4 layers - Network infrastructure layer (Load balancer etc), IIS Configuration on the WebServer, Explicitly verify and restrict access to certain IPs inside the configuration service logic. Which of these 3 is recommended from a feasibility & security perspective on Creatio SaaS cloud?

Thanks in advance

Best reply

Hello,

 

Here are the answers to your questions:

 

1) You can restrict login to the application UI in the root Web.config file. You need to find this location in the file:

<location path="0/Nui">
  <system.web>
    <authorization>
      <deny users="SysPortalConnection" />
    </authorization>
  </system.web>
</location>

and add your system user to this list after the comma separator:

<location path="0/Nui">
  <system.web>
    <authorization>
      <deny users="SysPortalConnection,1" />
    </authorization>
  </system.web>
</location>

In the example above the system user with "1" login won't be able to log in to the application.

 

As for disabling access to custom configuration service you need to find a location record for this service in the /Terrasoft.WebApp/Web.config file (just an example below):

<location path="ServiceModel/GeneratedWebFormService.svc">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

And add this denying rule to the location (it's important to add it above permitting rules):

<location path="ServiceModel/GeneratedWebFormService.svc">
  <system.web>
    <authorization>
      <deny users="Supervisor" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>

As a result the Supervisor won't be able to get access to the GeneratedWebFormService service.

 

2) As for restricting access from IP-addresses - such a possibility is present to restrict login to the UI, but there is no in-built possibility to restrict access to the endpoint via IP. We don't have any recommendations on this matter and you can test all the possible approaches and choose the most suitable one.

 

Best regards,

Oscar
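
The ordering rule in the answer above follows from how ASP.NET URL authorization works: rules inside an <authorization> element are evaluated top to bottom and the first match decides. As an added example (not part of the original answer), this Python script applies that first-match logic to a constructed Web.config fragment and reports deny rules that an earlier allow users="*" makes unreachable. The MisorderedService.svc location is hypothetical, and only the users attribute is modelled (roles and verbs are ignored).

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the <location> blocks in the answer; MisorderedService is hypothetical.
WEB_CONFIG = """<configuration>
  <location path="ServiceModel/GeneratedWebFormService.svc"><system.web><authorization>
    <deny users="Supervisor" /><allow users="*" />
  </authorization></system.web></location>
  <location path="ServiceModel/MisorderedService.svc"><system.web><authorization>
    <allow users="*" /><deny users="Supervisor" />
  </authorization></system.web></location>
</configuration>"""

def load_rules(xml_text):
    """Map each <location path> to its ordered [(action, [user tokens])] list."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        auth = next(loc.iter("authorization"), None)
        if auth is not None:
            rules[loc.get("path")] = [
                (el.tag, [u.strip() for u in el.get("users", "").split(",") if u.strip()])
                for el in auth if el.tag in ("allow", "deny")]
    return rules

def matches(tokens, user):
    """'*' matches everyone; '?' matches only anonymous callers (user is None)."""
    # Names are compared case-insensitively here (assumption of this example).
    return any(t == "*" or (t == "?" and user is None)
               or (user is not None and t.lower() == user.lower()) for t in tokens)

def decide(rule_list, user):
    """First matching rule wins; None means the decision falls to the parent config."""
    for action, tokens in rule_list:
        if matches(tokens, user):
            return action
    return None

def shadowed_denies(rule_list):
    """Return deny rules that follow an allow users="*" and so can never match first."""
    seen_allow_all, dead = False, []
    for action, tokens in rule_list:
        if action == "allow" and "*" in tokens:
            seen_allow_all = True
        elif action == "deny" and seen_allow_all:
            dead.append(tokens)
    return dead

if __name__ == "__main__":
    for path, rule_list in load_rules(WEB_CONFIG).items():
        print(path, "Supervisor ->", decide(rule_list, "Supervisor"),
              "| unreachable denies:", shadowed_denies(rule_list))
```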


Hi community,

 

We have this situation where we need to create a bi-directional connection with our customer platform, using SOAP protocol. We would like to know if its possible to create a SOAP based services in Creatio to be accessed by our customer? If yes, any information on how to implement this?

 

Thanks in Advance.

 

Best Regards,

Pedro Pinheiro


Hello Pedro,

 

You need to develop a configuration service (either regular or anonymous) using SOAP. Here is the article that describes how to configure web-services and integrate them into the Creatio app.

 

For example:

1) Create a source code for the service contract SPMSUBPServiceContract:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;
 
namespace SPMSUBPService
{
    [ServiceContract]
    public interface IService
    {
        [OperationContract]
        SPMClientInfoResponse SPMClientInfo(string Login);
    }
 
    [DataContract]
    public class SPMClientInfoResponse
    {
        bool success = true;
        string errorText = "";
 
        [DataMember]
        public bool Success
        {
            get { return success; }
            set { success = value; }
        }
 
        [DataMember]
        public string ErrorText
        {
            get { return errorText; }
            set { errorText = value; }
        }
    }
}

and the source code of the SPMSUBPService service directly:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;
 
namespace SPMSUBPService
{
    public class SPMSUBPService : IService
    {
        public SPMClientInfoResponse SPMClientInfo(string Login)
        {
            return new SPMClientInfoResponse();
        }
    }
}

2) Create a file with SPMSUBPService.svc name in the Terrasoft.WebApp\ServiceModel folder with the following text:

 

<%@ ServiceHost Language="C#" Debug="true" Service="SPMSUBPService.SPMSUBPService" Factory="System.ServiceModel.Activation.ServiceHostFactory" %>

 

3) Add the description of the service to the Terrasoft.WebApp\ServiceModel\http\services.config file:

<services>
    ...
    <service behaviorConfiguration="BaseServiceBehavior" name="SPMSUBPService.SPMSUBPService">
        <endpoint name="SPMSUBPServiceEndPoint"
            binding="webHttpBinding"
            behaviorConfiguration="RestServiceBehavior"
            bindingNamespace="http://Terrasoft.WebApp.ServiceModel"
            contract="SPMSUBPService.IService" />
        <endpoint address="soap" binding="basicHttpBinding" contract="SPMSUBPService.IService"/>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
    ...
</services>

4) Modify the Terrasoft.WebApp\Web.config file:

...
<location path="ServiceModel/SPMSUBPService.svc">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
</location>
...

And everything is ready, the service is accessible via /0/ServiceModel/SPMSUBPService.svc and the WSDL as well /0/ServiceModel/SPMSUBPService.svc?singleWsdl

 

Best regards,

Oscar

Oscar Dylan,

 

Thank you for your response.

 

I've tried to implement the solution you provided above and I'm getting this error when sending a request through both Postman and SoapUI.

Can you please tell me what this error means and how can I fix it?

 

Thanks in Advance.

 

Best Regards,

Pedro Pinheiro

 


Hello Community,

 

1. How does one achieve a custom URI path like '/customer/update/{id}' while building a custom configuration service? Can we use the UriTemplate attribute to define a custom path like below - 

[OperationContract]    
[WebInvoke(Method = "GET",UriTemplate = "/customer/update/{id}", BodyStyle = WebMessageBodyStyle.Wrapped,RequestFormat = WebMessageFormat.Json,ResponseFormat = WebMessageFormat.Json)]

2. Is there a way to avoid/bypass the '0/rest' prefix which gets added to every custom configuration service??

Thank you
Shrikanth

 

Best reply

Hello M Shrikanth, 

1. Yes, you can use it. For more details on this, please check the official Microsoft docs.
For example, the following article:
https://docs.microsoft.com/en-us/dotnet/api/system.servicemodel.web.web…

2. No, unfortunately there is no way to bypass adding of the mentioned prefix. 

Kind regards, 
Roman

 


Roman Brown,

Hi Roman. Thank you for the response. 

How does one enable PUT and PATCH methods on a custom configuration service endpoint?? Are there any specific settings or attributes to be added? 


Hello Community!

The Creatio documentation suggests that basic authentication is only available for the OData API and not for a custom configuration web service. Anonymous/Forms authentication are the only 2 ways to authenticate for configuration web services. Would like to reconfirm this.

A typical system integration use case is the following - 
1. Creatio pings an external product/system asking it to do some asynchronous processing. 

2. External product/system pings a Creatio custom configuration call back to inform it regarding the status.

 

Typically, external products only permit registering a callback URL and do not provide for customization to do forms authentication with Creatio. How does one overcome this? One way is to make the call back permit anonymous authentication but this is a bad security practice. Is there a way to enable basic authentication for custom configuration services on Creatio?


Hello! 

 

Custom configuration service becomes available after user authentication via the AuthService.svc. If you don't have a possibility to call it directly from your integration you can create another layer of service from your side to send a response from external product and call auth service and after that configuration web service. 
https://academy.creatio.com/documents/technic-sdk/7-16/creating-configuration-service

 

Best regards, 

Dennis 

Dennis Hudson,

Hi Dennis. We are not in a position to do any customization on the external system side.

Is there anything we can do on Creatio's side to facilitate this?

M Shrikanth,

 

The only way to bypass the Auth service for configuration web services is to create an anonymous web service. As a workaround, you can pass login and password to the method in this service and check the validity of credentials in this service using auth service.

Thank you Dennis!
