
Access to REST API does not acknowledge setting in System Properties and is always enabled

  • 1.  Access to REST API does not acknowledge setting in System Properties and is always enabled

    Posted 02-13-2017 02:00
    Edited by Anna Henke 02-13-2017 04:32
    Hi,

    in the course of switching our SOAP calls to REST we found out that enabling the "Allow access to REST API" option only has an effect on the display of the Swagger-Help-pages, but not on the actual API, which is enabled regardless of the option being enabled or not.
    I doubt that this is the way it actually should work, but as there is no documentation about the option in the Help-files I cannot verify this through the documentation.

    In other words: Although our REST-API is disabled, calling [jama-base-url]/rest/latest/projects brings back results also with REST-API setting set to No. This sounds much like a very unwanted behaviour.

    We have Jama 8.4.2 and Jama 8.10.2 running and the behaviour is the same on both instances.

    Any enlightenment is appreciated.

    Anna

    ------------------------------
    Anna Henke
    MeVis BreastCare GmbH & Co. KG
    ------------------------------


  • 2.  RE: Access to REST API does not acknowledge setting in System Properties and is always enabled
    Best Answer

    Posted 02-13-2017 11:08

    Hi Anna,

    We once logged the inability to actually turn off REST as a bug (SOS-DEF-338), but it was dropped as being designed behavior, more or less. Browser REST requests will still be honored even if the service is turned off, if you are logged into Jama. This is because the Jama front-end makes REST calls for some of its functionality. Making the request from anywhere that doesn't have a JSESSIONID cookie should show the standard 'REST is disabled' message or a 404 or whatever it's supposed to do.

    You make a good point about the documentation saying nothing to this end. I'm submitting a documentation task to clarify this; you should expect that update to be visible in the next Standard release.



    ------------------------------
    Kristina King
    Jama Software
    ------------------------------



  • 3.  RE: Access to REST API does not acknowledge setting in System Properties and is always enabled

    Posted 02-14-2017 01:42
    Hi Kristina,

    thanks for giving this insight.
    We talked about this with one of our REST developers and what we don't understand yet is what the option in the system properties is about at all then, as the only difference the option makes is that the swagger documentation is viewable or not - is that correct? It is not what the labelling of the option somehow connotes: "Allow access to REST API".
    "Making the request from anywhere that doesn't have a JSESSIONID cookie should show the standard 'REST is disabled' message or a 404 or whatever it's supposed to do."
    The response on a system with "disabled" REST API with no JSESSIONID cookie is actually a REST-answer:

    {"meta":{"status":"Not Found","timestamp":"2017-02-14T09:31:44.210+0000"}}
    and the response on a system with "enabled" REST API with no cookie is:
    {"meta":{"status":"Unauthorized","timestamp":"2017-02-14T09:35:04.348+0000","message":""}}
    So yes, the answers are different, but the effect is somehow the same.

    I think for now we have the information we need.

    Thank you,
    Anna

    ------------------------------
    Anna Henke
    MeVis BreastCare GmbH & Co. KG
    ------------------------------



  • 4.  RE: Access to REST API does not acknowledge setting in System Properties and is always enabled
    Best Answer

    Posted 02-14-2017 11:39
    Yes, I'd say you and your developer are correct. The option to turn it off prevents access to the swagger documentation and prevents basic authentication (e.g. passing along username and password from the Jama Integration Hub). But overall, you're right—what the UI states is not entirely accurate. I imagine it's because we used the same text from the SOAP option even though REST and SOAP function differently in terms of back-end vs front-end.

    ------------------------------
    Kristina King
    Jama Software
    ------------------------------
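
An administrator can confirm the behaviour described in this thread on their own instance by comparing the `meta.status` of an anonymous request with that of a request carrying a JSESSIONID cookie. The following is an added example, not code from the thread or from Jama; the function names are hypothetical, and the "OK" body is a constructed sample whose shape is assumed.

```python
import json
import urllib.error
import urllib.request

DENIED = {"Not Found", "Unauthorized"}  # the two statuses quoted in the thread

def meta_status(body):
    """Return meta.status from a REST JSON envelope, or None if it is not one."""
    try:
        return json.loads(body)["meta"]["status"]
    except (ValueError, KeyError, TypeError):
        return None

def http_fetch(url, session_id=None):
    """GET url, optionally with a JSESSIONID cookie; return the body even on 4xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if session_id:
        req.add_header("Cookie", "JSESSIONID=" + session_id)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")

def audit_rest_toggle(anon_body, session_body):
    """Compare an anonymous response with a session-cookie response."""
    anon, sess = meta_status(anon_body), meta_status(session_body)
    # Per the thread: anonymous "Not Found" = setting off, "Unauthorized" = on.
    toggle = {"Not Found": "off", "Unauthorized": "on"}.get(anon, "unknown")
    session_served = sess is not None and sess not in DENIED
    return {
        "toggle_seen_by_anonymous": toggle,
        "session_served": session_served,
        # True when the setting is off yet a logged-in session still gets data.
        "finding": toggle == "off" and session_served,
    }

# Sample bodies: the first two are quoted in the thread, the third is constructed.
ANON_DISABLED = '{"meta":{"status":"Not Found","timestamp":"2017-02-14T09:31:44.210+0000"}}'
ANON_ENABLED = ('{"meta":{"status":"Unauthorized",'
                '"timestamp":"2017-02-14T09:35:04.348+0000","message":""}}')
SESSION_OK = '{"meta":{"status":"OK"},"data":[]}'  # constructed; shape assumed

if __name__ == "__main__":
    print(audit_rest_toggle(ANON_DISABLED, SESSION_OK))
```

Against a live instance, pass the bodies returned by `http_fetch` for [jama-base-url]/rest/latest/projects, once without and once with your own session's JSESSIONID value.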