Security parameter in code, API

  • Question

  • Hi Experts,

    I have put this question before but am still struggling to achieve this.

    http://searchunleashed.wordpress.com/2012/04/21/how-to-query-authenticated-secure-results-qrserver-fast-search-for-sharepoint/#comment-176

    The above post by Leo (thanks for the post, Leo) helps us to know how to pass the security parameter in FAST Search.

    Any idea how to form the security parameter in the code, &qtf_securityfql:uid=<token>= ?

    To add a refiner parameter (&r=format%3d%22AQlBZG9iZSBQREYGZm9ybWF0AQJeIgIiJA%3d%3d%22) we can use

    keywordQuery.RefinementFilters.Add(RPart); // to add refiner

    But how do we form the &qtf_securityfql:uid=<token>= using the API?

    Much Thanks!!


    Freddie Maize ..A story with Glory is History. Doesn’t matter whether Glory rest in the world of Demon or God. Lets create History..

    Friday, December 28, 2012 9:58 AM

Answers

  • Hi,

    Yes you are correct, you cannot set this parameter via the API. And in my opinion this is not bad at all. Having worked for banks and government agencies, there is no way they would allow an enterprise search engine where a coder could arbitrarily spoof an ident if they knew how. Also for the military there can be items which you as a consultant are not aware exist, and you can't even debug it or know if it works or not.

    If there is security in place, it should be taken seriously. If you have to impersonate users you could look into using the secure store in SharePoint.

    Thanks,
    Mikael Svenson


    Search Enthusiast - SharePoint MVP/MCT/MCPD - If you find an answer useful, please up-vote it.
    http://techmikael.blogspot.com/
    Author of Working with FAST Search Server 2010 for SharePoint

    • Marked as answer by freddieMaize Wednesday, January 2, 2013 5:41 AM
    Monday, December 31, 2012 7:43 PM

All replies

  • Hi,

    The token is generated per search query and, as you see in the comment on Leo's blog, they are valid for a certain time period. These tokens are generated internally in SharePoint/FAST in order to prevent security tampering and unwanted impersonation.

    I think it would be hard to generate the token yourself, requiring a lot of reverse engineering, or maybe not possible at all.

    If your goal is to execute a query on another user's behalf, this can only be done if you have the other user's credentials, or that user is executing the query. I think this is also why you don't have search alerts with FS4SP, and why RSS works as it's pulled using the user's credentials.

    Thanks,
    Mikael Svenson


    Search Enthusiast - SharePoint MVP/MCT/MCPD - If you find an answer useful, please up-vote it.
    http://techmikael.blogspot.com/
    Author of Working with FAST Search Server 2010 for SharePoint

    Sunday, December 30, 2012 8:40 PM
  • I think it would be hard to generate the token yourself, requiring a lot of reverse engineering, or maybe not possible at all.

    If your goal is to execute a query on another user's behalf, this can only be done if you have the other user's credentials, or that user is executing the query. I think this is also why you don't have search alerts with FS4SP, and why RSS works as it's pulled using the user's credentials.

    And even if I somehow manage to generate it now, I will not be able to fire a query as a different user using the API? This is very bad. And using credentials is out of the picture, of course.

    Thanks for the reply Mike. Much Appreciated.

    Much Thanks!!


    Freddie Maize ..A story with Glory is History. Doesn’t matter whether Glory rest in the world of Demon or God. Lets create History..

    Monday, December 31, 2012 5:23 AM
  • Hi,

    Yes you are correct, you cannot set this parameter via the API. And in my opinion this is not bad at all. Having worked for banks and government agencies, there is no way they would allow an enterprise search engine where a coder could arbitrarily spoof an ident if they knew how. Also for the military there can be items which you as a consultant are not aware exist, and you can't even debug it or know if it works or not.

    If there is security in place, it should be taken seriously. If you have to impersonate users you could look into using the secure store in SharePoint.

    Yes. You are correct. Thanks for the explanation.

    Happy New Year folks. :)


    Freddie Maize ..A story with Glory is History. Doesn’t matter whether Glory rest in the world of Demon or God. Lets create History..

    Wednesday, January 2, 2013 5:43 AM