Some security methods combine the two, such as OAuth. Other security methods just assume an authenticated user is fully authorized to access everything. The pros and cons of these methods are worthy of another article. The main takeaway here is to understand the caveats of each implementation and to avoid the mistake of treating authentication the same as authorization (or vice versa).

Enabling Authentication

Regardless of which authentication method(s) will be used, the Enable Authentication option needs to be set. Otherwise, the SRP HTTP Framework will automatically authenticate each request as valid (although any internal authorization logic will still work as normal). To set this option, run the HTTP Framework Setup form (e.g., EXEC NDW_HTTP_FRAMEWORK_SETUP from the System Monitor) and then click on the Authentication menu to open the Authentication Options page. Make sure the Enable Authentication? box is checked:

Using HTTP Basic Authentication

The SRP HTTP Framework provides built-in support for HTTP Basic Authentication. This is a simple username and password method for identifying the web user. It conforms to the stateless constraint of REST because it assumes that each and every request will use HTTP Basic Authentication. Thus, this does not inherently provide a way of "logging in" to the web application. Because the user credentials are included in the HTTP request, it is highly recommended that this form of authentication only be used through encrypted transmissions (i.e., HTTP over SSL or HTTPS for short).
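To show why the credentials need an encrypted transport, here is an added example (not code from the SRP HTTP Framework or from this article) that builds and parses the `Authorization: Basic` header as defined by RFC 7617. The account store, user name, password, PBKDF2 hashing and the `is_tls` flag are assumptions made for illustration; they do not describe how the framework or the WEB_ACCOUNTS table works.

```python
import base64
import binascii
import hashlib
import hmac

def build_basic_header(username, password):
    """Client side: the header sent with every request (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_header(header_value):
    """Server side: return (username, password), or None if absent or malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # Base64 is an encoding, not encryption: anyone who sees the header can do this.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only; the password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed sample account store (assumption): user -> (salt, password hash).
ACCOUNTS = {"jsmith": (b"constructed-salt", hash_password("s3cret:with:colons", b"constructed-salt"))}

def authenticate(header_value, is_tls, accounts=ACCOUNTS):
    """Stateless check: every request must carry valid credentials, over TLS."""
    if not is_tls:
        return False  # over plain HTTP the credentials are readable on the wire
    creds = parse_basic_header(header_value)
    if creds is None or creds[0] not in accounts:
        return False
    salt, expected = accounts[creds[0]]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(creds[1], salt), expected)
```

Because nothing is remembered between requests, the same check runs on every call, which is what makes the scheme stateless.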

In addition to the Enable Authentication option being set, the Enable HTTP Basic Authentication option also needs to be set. This option is immediately below the Enable Authentication option on the Authentication Options page. We'll review the sub-options for this later.

Unless changed by the developer, user credentials are maintained in the WEB_ACCOUNTS database table. To manage web accounts just run the Web Accounts form (e.g., EXEC NDW_WEB_ACCOUNTS). To create a new user you can enter in an ID and populate the rest of the fields manually or you can click on the New Account menu option. This will dynamically generate an ID and prepopulate other fields for you:

The Name field must be updated (it's a required field in this form) and the Save Account menu option clicked. We'll review the other fields later. just make sure