In this article I will demonstrate a couple of the things which can be passed through a Bluemix secure gateway, allowing us to create normal web based applications.
Introduction
In the previous article I demonstrated how to create a TLS secured hybrid Bluemix application. In this article we will look at some of the web properties/headers, cookies etc which we can pass through the gateway.
The Gateway
To demonstrate what can be passed through the gateway I am using a simple notes form to display the incoming information
The Cookie, Header and username fields are all hidden if the field value is blank
Here is my application running on node, using the secure gateway and once again accessing the domino server hosted on my laptop.
No username, no cookie, no header.
Changing the code back within the calling application we are going to add some additional information. In the following code snippet you can see that we have added some header “Marky” information.
app.get('/secureTunnel', function(req, res) {
tunnel.create('8888', function(){
var options = {
headers: {"Cookie": "", "Marky": "Hi Marky"},
port: '8888',
path: '/xomino/ainx.nsf/testform?readform'
};
var callback = function(obj){
res.writeHead(200, {"Content-Type": "text/html"});
res.end(obj.body);
}
var obj = simpleHTTP.run(options, callback);
});
});
When we refresh the application we can see that the header has been passed through the secure gateway to the application itself:
If we try and log into the application (directly on the domino server) we can generate a session authentication token. These screenshots are taken directly from the domino server.
At this point though just because the domino window is logged in, the node app still records anonymous.
Adding the cookie to the node application code, which is passed through the gateway
app.get('/secureTunnel', function(req, res) {
tunnel.create('8888', function(){
var cookie = "DomAuthSessId=D2BF0063D62C9138E9F723BB88C046F5";
var options = {
headers: {"Cookie": cookie, "Marky": "Hi Marky"},
port: '8888',
path: '/xomino/ainx.nsf/testform?readform'
};
var callback = function(obj){
res.writeHead(200, {"Content-Type": "text/html"});
//res.write(JSON.stringify(obj.resHeaders)+"<hr/>")
res.end(obj.body);
}
var obj = simpleHTTP.run(options, callback);
});
});
We can now see that the user is authenticated within the bounds of the hybrid application
Pushing all this code up into Bluemix you can truly appreciate the authenticated hybrid app
Conclusion
In this article we have seen how we can push basic header information through the gateway and pseudo-demonstrate an authenticated application. There are of course multiple hurdles to overcome between this demo and a real world application, but I hope it has given you an idea for what’s possible.
Xomino 
Reblogged this on Unthinkable.
Muchas gracias por el articulo es una excelente forma de utilizar un canal seguro sin embargo he detectado algunos errores que podrían causar vulnerabilidad.
This is really a demonstration of being able to pass a session cookie through the gateway and is not intended as a fool proof secure solution.
I would definitely be interested to see how you would improve
on it though 🙂
Reblogged this on cloudyhi.
[…] Passing authentication information through the Bluemix Hybrid Secure Gateway In this article I will demonstrate a couple of the things which can be passed through a Bluemix secure gateway, allowing us to create normal web based applications. Introduction In the previous article I demonstrated how to create a TLS secured hybrid Bluemix application. In this article we will look at some of the web properties/headers, cookies etc which […] […]
[…] The key component to make all of this work is the Secure Gateway service. To find out more read this blog and the blogs from Mark Roden. […]