Hi Rick,
Silly question time again. As I make more progress with my REST application project, I am starting to think about how to make sure it only accepts requests from authorized user(s). As I am not presenting any login/out UI, am I right in concluding that I don't really need to add this as a process class, or add any script mapping? IOW I can just add the necessary prgs to my project, then instantiate a usersecurity object and call the necessary methods, etc. in the context of my REST requests. Obviously, I have to make sure everything is properly decoupled from any FE.
Thanks!

No, the separate process class is merely for administration and optionally for handling authentication separately.
For a REST Service you wouldn't be using any of that - you'd only use the class directly to do the authentication and user lookup.
+++ Rick ---
Thanks. That's what I thought but it's good to have that confirmed.
Ok, that's working out pretty well. Next question: I assume it's better to have the auth credentials set as a header in the request as opposed to params on the URL, correct? And I can use Request.GetExtraHeader to retrieve the auth credentials.
I'm also thinking I need to override the wwprocess.authenticate method?

... only if you need to change the functionality. If you're using default authentication you don't have to change anything.
+++ Rick ---
Sorry for all the n00b questions. I tend to think out loud while working through this sort of stuff. Authenticate is overloaded. I figured out I have to instantiate my security object in the process OnInit and then call its authenticate method instead of the process' authenticate method. Another step forward.
Next thing to figure out; how to get a 401 into the response when the auth fails. I just tried populating ErrorMessage but there must be more. 😃
Add:
Response.Status = "401 Unauthorized"
in your request anywhere before the response is sent out.
+++ Rick ---
I used this:
RETURN this.ErrorResponse([Access denied],[401 Access Denied])
Works fine.
I may want to book a little time, probably next week depending on your availability, to review my overall approach with you before I open this up to my internal audience just to make sure I'm following best practices. I have to say I'm having fun figuring out how to do this.