14.28 Technical & Security Updates

Technical updates to underlying architecture and security features are listed below:


Technical Updates

Configuration of Local Login for REST API

Overview: A new file-based configuration parameter in the application.properties file makes it possible to disable basic authentication (username and password) for REST API calls. Previously this was not possible: the REST API continued to accept basic authentication even when the application itself did not allow users to log in that way.

Benefits and Use Cases: Disabling basic authentication for the REST API can significantly improve security, because the API then no longer accepts a local username and password in the request. The parameter is independent of the login-page setting, so in the case of a Single Sign-On (SSO) outage local login can be enabled again for the API even when local authentication is disabled at the login page.

Audience: Technical administrators

Setup and Access: The new parameter can be added to the application.properties file; if it is missing, it defaults to ‘false’. System administrators can download this file via the Support information function by highlighting the 110: configuration files option and clicking the Execute icon. Within the file, the following parameter is now supported:

ils.local.login.forbidden=

  • false = basic authentication can be used (default when the parameter is missing)

  • true = basic authentication cannot be used

Considerations and Limitations: This only affects customers using the REST API functionality. Any change to the application.properties file also requires an application server restart; for hosted customers the Scheer IMC Hosting team therefore has to make the change. If you would like to set the new parameter to ‘true’, please create a ticket with the Scheer IMC Support team.

Testing: If the configuration is changed to ils.local.login.forbidden=true, test by making a REST API call that authenticates with HTTP basic authentication (an Authorization: Basic header carrying a local username and password). This request should be rejected. To confirm the parameter is what controls the behaviour, repeat the same call after setting it back to false and restarting the application server; the call should then be accepted again.
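Because a missing parameter silently means ‘false’, it is easy to believe basic authentication is disabled when it is not. The following script is an added example (not Scheer IMC or LMS code) that reads a downloaded application.properties file, applies the documented default and reports whether the REST API will still accept basic authentication. The sample file contents are constructed, the other keys in them are placeholders, and the assumption that only the value ‘true’ (in any case) counts as true, as java.lang.Boolean.parseBoolean would do, is the example's own.

```python
"""Audit the ils.local.login.forbidden setting in application.properties.

Added example, not code from Scheer IMC or the LMS. It applies the rule from
the release note (a missing parameter behaves as 'false') and reports whether
the REST API still accepts HTTP basic authentication.
Assumption: as with java.lang.Boolean.parseBoolean, only the value 'true'
(case-insensitive) counts as true; any other value is treated as false.
"""
import re

KEY = "ils.local.login.forbidden"
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def _continued(line: str) -> bool:
    """A logical line continues when it ends in an odd number of backslashes."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#' and '!' comments, 'key=value',
    'key: value' and 'key value' separators, backslash line continuation,
    surrounding whitespace stripped. Later keys overwrite earlier ones."""
    props = {}

    def store(logical: str) -> None:
        m = _KV.match(logical)
        if m:
            props[m.group(1)] = m.group(2).strip()

    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue                      # blank or comment line
        if _continued(line):
            buf += line[:-1]              # drop the backslash, keep collecting
            continue
        store(buf + line)
        buf = ""
    if buf:                               # file ended inside a continuation
        store(buf)
    return props


def local_login_forbidden(props: dict) -> bool:
    """True only when the key is present and set to 'true' (any case)."""
    return props.get(KEY, "false").strip().lower() == "true"


def audit(properties_text: str) -> dict:
    """Summarise the effective setting and the resulting exposure."""
    props = parse_properties(properties_text)
    forbidden = local_login_forbidden(props)
    value = props.get(KEY)
    if value is None:
        finding = "parameter missing: defaults to false, REST API accepts basic auth"
    elif forbidden:
        finding = "basic authentication for the REST API is disabled"
    else:
        finding = f"parameter set to {value!r}: REST API accepts basic auth"
    return {"present": value is not None, "value": value,
            "basic_auth_allowed": not forbidden, "finding": finding}


# Constructed sample files (not real customer configuration); the keys other
# than ils.local.login.forbidden are invented placeholders for the parser.
SAMPLE_DEFAULT = """\
# downloaded via Support information -> 110: configuration files
server.port = 8080
ils.some.other.setting: on
"""

SAMPLE_HARDENED = """\
! set to true after a ticket with Scheer IMC Support
server.port = 8080
ils.local.login.forbidden = TRUE
"""

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        result = audit(sample)
        print(f"{name}: basic_auth_allowed={result['basic_auth_allowed']} "
              f"({result['finding']})")
```

Run it against the file downloaded from the Support information function; a result of basic_auth_allowed=True on a system that is supposed to be SSO-only is the finding to raise with the Hosting team, since the change needs a restart.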

Risk rating: Low

API Support Updates

Overview: REST API support has been extended to meet further requirements using the LMS in headless scenarios. The following possibilities can now be achieved with REST API calls:

  • Usage of external IDs for POST, PUT, GET, and ASSIGN API requests.

  • API endpoints for POST, PUT, DELETE, and ASSIGN topics (Classifications).

  • Course migration (Access rights, Topics / Classifications, Equivalencies, Automatic registrations, Prerequisites).

  • Enhanced Learning History Import tool.

  • Extended course API for searching / filtering courses by meta tags.

  • API endpoints to POST, PUT, DELETE groups and membership assignments including custom attributes.

  • Extension of content creation API to allow multi-language content creation.

  • Use of the existing link media type, including the Brightcove player and token authentication when displaying content.

Benefits and Use Cases: The enhanced REST API support is ideal for customers with headless LMS scenarios. These updates help close the gap between backend GUI functionality and API capability.

Audience: Technical administrators

Setup and Access: The new REST API updates are automatically available with this patch.

[Image: New_APIs_for_Groups_in_Swagger.png: Highlighted examples of new Group APIs in Swagger]

Considerations and Limitations: Details of all updates are available in the standard Swagger API documentation; please check the respective categories for details of the new APIs. The Scheer IMC Technical Services team offers chargeable second-level support to customers requiring assistance with the REST API.

Testing: Test cases are not available due to the number of updates and their technical nature. Once the API documentation is complete, each API update will contain a sample.

Risk rating: Medium


Security Findings (Other)

Overview: There have been no significant security fixes or improvements required in Innovation Pack 28 that impact existing functionality.