|
||
Every REST request needs to be authenticated. You can select the Authentication type of the REST service in Site Manager -> Settings -> Integration -> REST.
With Basic authentication, you need to specify the username and password through the Authorization line in the header of every REST request. The header line consists of:
The authentication type (Basic)
The username and password connected by a colon (username:password), encoded using the Base64 algorithm
For example:
Authorization: Basic UmVzdENsaWVudDpzZWNyZXQ= |
Note: We strongly recommend using SSL to protect the authentication credentials in the request headers. See also: SSL (HTTPS) support
When using forms authentication of requests, the system identifies users based on the active session and the authentication ticket stored in the .ASPXFORMSAUTH cookie. You can use forms authentication to create a web interface with a login page, and allow users to send REST requests through their browser.
Forms authentication can pose a security threat, because logged in users may unknowingly click links that send malicious REST requests to your site. To protect yourself from such attacks, take the following steps:
1. Immediately after creating the session (i.e. first authentication), you need to set up an authentication token by sending a POST request to the following URL:
http://<your project URL>/rest/settoken?username=<your user name>&password=<your password>&token=<your authentication token> |
The authentication token can be an arbitrary string of characters, for example a GUID.
2. Include the authentication token in the HTTP header of every REST request:
Cms-Session-Token: <your authentication token> |
You can authenticate individual REST requests by adding a hash parameter to the URL. The hash parameter allows you to prepare REST requests that can be executed by unauthenticated users. Requests that contain the hash parameter ignore the other types of authentication — the value of the Authentication type setting does not affect hash authentication.
Restrictions:
•Only works for GET requests (read only data retrieval)
•You cannot use hash parameter authentication for /all object retrieval requests (~/rest/<objecttype>/all). This is an intentional security limitation that protects global data in the system.
|
Warning
Only use hash parameter authentication for loading data that you want to make publicly available. REST requests with hash authentication can be executed by anyone who obtains the URL (for example by intercepting the web request).
|
To get the authentication hash for REST requests:
1.Prepare the URL of your REST request in advance.
2.Go to Site Manager -> Settings -> Integration -> REST.
3.Click Generate authentication hash.
4.Enter the full absolute URL of the REST request, including the protocol, website domain name, virtual directory, REST path, and query string parameters. For example: http://mywebsite.com/rest/content/currentsite/en-us/all/news?format=json
5.Click Authenticate.
The system adds the authentication hash parameter to the URL. You can copy the URL and use it to perform the REST request without any other type of authentication.