Rest Service Security
  Apr 20, 2019 @ 11:19am

Hi, please could you point me to any example of adding security to the Rest service methods?

re: Rest Service Security
  Rick Strahl
  Apr 20, 2019 @ 05:11pm

I don't have an example handy, but here's what you have to do:

  • Log in a user before calling the service
    • Cookie Authentication (Authentication already in your application)
    • Token based Authentication (Call Login API - get a token, pass token on each request)
  • Make calls to your API endpoints
  • Check either globally (in OnProcessInit()) or locally (in each method) whether the user is authenticated

This is probably the easier way to do this and it works fine if you are building an application that's used on a single Web Server or within a single application as opposed to a public API. Usually you can use this for rich client (Angular, Vue, React etc.) applications that are connected to the running server app.

The idea with this is that you use the standard Web Connection Authentication methods and get a cookie back. Because all traffic is on the same domain any requests made from the client including XHR requests all use the same cookie which you can check using cAuthenticatedUser and lIsAuthenticated in the process class. Cookies are automatically forwarded by the browser and XHR, so this is a little easier for client code because you don't have to explicitly send data to the server.

However, Cookies will not easily work across domains - if you're calling from a different domain the cookie may not be passed across and then you need to use Token authentication.

Token Authentication

This requires that you create your API and have a special method to allow people to login. You can call it Authentication or Signin and accept a username and password used to validate the user. Once validated you return a token.

That token is then sent on any request you make to the other API calls. You can either pass it as a parameter (not recommended) or pass it as a Bearer token in the Authorize header of a request. The reason to use a header is that it more easily can be centralized as part of an application that sets up requests. Client apps can use HTTP interceptors (like Angular, Vue etc.) to push a token into every request. Desktop apps calling the API (like wwHttp) can just have a generic create request factory method that can generate the HTTP client with the token preset.

Hope this helps,

+++ Rick ---
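
The token flow described in the reply above (a sign-in endpoint that hands back a token, the token carried as a Bearer credential on every later request, and one central check before any method runs), as an added Python example that is not Web Connection code and not Rick's own. The user store, token lifetime and the in-memory token table are constructed for the illustration; the same shape applies whatever the server framework.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed token lifetime; tune per application


def _hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample user store: username -> (salt, hash of salt + password).
USERS = {"alice": ("8f2c", _hash_password("8f2c", "correct horse"))}
# Issued tokens are kept server side: token -> (username, expiry timestamp).
_TOKENS: Dict[str, Tuple[str, float]] = {}


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """The Signin/Authentication endpoint: validate credentials, hand back a token."""
    now = time.time() if now is None else now
    salt, stored = USERS.get(username, ("", ""))  # unknown user fails the compare
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    if not hmac.compare_digest(_hash_password(salt, password), stored):
        return None
    token = secrets.token_urlsafe(32)  # opaque and unguessable
    _TOKENS[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticated_user(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Central check an OnProcessInit()-style hook would call: user for a valid Bearer token, else None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    entry = _TOKENS.get(token.strip())
    if entry is None:
        return None
    username, expires = entry
    if now >= expires:
        _TOKENS.pop(token.strip(), None)  # expired: drop it so it cannot be reused
        return None
    return username


def handle_api_call(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, dict]:
    """Any protected endpoint: refuse before doing any work when not authenticated."""
    user = authenticated_user(headers, now)
    if user is None:
        return 401, {"error": "authentication required"}
    return 200, {"user": user}
```

Passing `now` explicitly makes the expiry behaviour testable; in a real service the token table would live in a database or cache shared by all worker processes.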

re: Rest Service Security
  Rick Strahl
  Apr 23, 2019 @ 03:31am

Hi Rick

Thank you, very helpful.
