Question

How can we directly launch a service Task without need to login (not using SSO) with a specific user?

Answer 1

We can construct a URL with the credentials embedded in the URL as follows

https://{hostname}:{port}/teamworks/redirect-login.jsp?credentials={EncodedUserName}:{EncodedPassword}=&j_forward=executeServiceByName%3FprocessApp={ProcessAppAcronym}%26serviceName={Service Name}

The EncodedPassword and EncodedUserName can be created by running the following utility

1. From a command prompt, go to the install_root/BPM/Lombardi/lib directory.
2. Run the java -cp utility.jar com.lombardisoftware.utility.EncryptPassword password command, where password is the password that you want to encrypt.

The use of encoded username and password is controlled through 00Static.xml via the following line

<authoring-environment>
   <encode-redirect-url-credentials merge="replace">true</encode-redirect-url-credentials>
</authoring-environment>

if you need to you can make use of clear text username and password also by changing the above to false.

Comments

How efficient is the encryption of the password?

I believe so this is a recommended approach to go with for a internet based application.

---

From what i remember during Teamworks days this was just a base64 encoding not even encryption so it is not recommended to use this for security unless after IBM acquiring the product something has changed, you can have a anonymous user without any priviliges except launching the service if you need to use it as an entry point to your apps unsecured area.
I just tested its still base64 encoded, if you copy and paste the credentials=? encoded string from your service run urls in process Center using the base 64 decode utilities e.g. at
https://www.base64decode.org/
you will get the username=password

---

Try to avoid using usernames and passwords in the URL which could be easily hackable.

1. Trust Association Interceptor can be used as an alternative where you can define parameters of username.

2. It requires to built a java component and deploy it into WAS server.

3. It takes the URL as input which doesn't have username and password provided in it.

4. TAI will consume the traffic and bypass the authentication driven by IBM event manager and let the screen to be displayed.

---

By the way when you play a service from Process Designer the url is a GET url with the base64 password in plain sight of network listeners on the same switch and in most organizations its your windows credentials also.