RESTful ws - access the current authenticated user



Postby udrescu_bogdan » Wed Sep 08, 2010 1:31 pm

Hello,

I've implemented the new authentication mechanism for my RESTful service (http basic authentication).

I need to know in my RESTful methods who the authenticated user is each time the method is called - the user that is sent in the HTTP Authorization header and validated by the Servoy engine (I think). I tried to get the username/UUID from security ( security.getUserUID() ), but it returns nothing.

Thank you,
Bogdan.
udrescu_bogdan
 
Posts: 336
Joined: Fri Jun 18, 2010 3:27 pm
Location: Craiova, Romania

Re: RESTful ws - access the current authenticated user

Postby tgs » Wed Sep 08, 2010 5:42 pm

Thomas Schnaus
SAN Developer
yomotec GmbH
tgs
 
Posts: 886
Joined: Wed Oct 04, 2006 12:05 pm
Location: Germany

Re: RESTful ws - access the current authenticated user

Postby sbutler » Wed Sep 08, 2010 10:29 pm

The way the restful webservices plugin is implemented, you can't really implement authentication and get back the Servoy user id (at least not reliably). When you make a call to the webservice you can't expect to always be using the same client, since the rest_ws plugin uses a pool of clients. The HTTP Auth option on the updated restful webservices plugin should only be used to restrict access to the web service. It should not be used for session info (like getting the user's id that was used on the HTTP Auth), because that goes against the idea of a "Restful" web service. (Although I agree it would be nice to be able to get that info.)

If you want a stateful web service, where each client gets its own headless client on the server and can save session-based info (and add table filters, etc.), I can send you a demo of the web services plugin that we use.

The other option would be to request a new feature to support user/tenant filtering in the rest_ws plugin, but in proper restful format. So for example, instead of:
http://<serverUrl>/servoy-service/rest_ws/solutionName/formName

You would need an option like:
http://<serverUrl>/servoy-service/rest_ws/USERNAME/solutionName/formName

and then combine that with the HTTP auth so that it restricts the authentication to only that USERNAME in the URL. That would follow proper restful format, and would work better with the plugin since the USERNAME is being passed in the URL, so you can still do client pooling. The trick is to combine that with the HTTP Auth so that it restricts auth to that URL based on the USERNAME specified.
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
sbutler
Servoy Expert
 
Posts: 759
Joined: Sun Jan 08, 2006 7:15 am
Location: Cincinnati, OH

Re: RESTful ws - access the current authenticated user

Postby Lachness » Sun Mar 13, 2011 9:54 pm

Hello,

http://<serverUrl>/servoy-service/rest_ws/USERNAME/solutionName/formName

Has anyone requested this addition to the webservice solution provided by Servoy?

I don't plan to use session info with the username/UID. But it would be a convenient way to tie information to the user.

These calls would be done in every webservice method.

function ws_read(id) {
    if (id) {
        // security.getRestUserName() is the proposed addition asked about above, not an existing API
        var userName = security.getRestUserName()
        var userInfo = myMethodGetInfo(userName)
        .......
        .......
    }
}
Lachlan Dunlop
LachNet, Inc
Mac OS 10.6, Windows 7 64bit, Gentoo Linux 64bit
Servoy 5.2x, 6.0x
Lachness
 
Posts: 51
Joined: Tue Feb 12, 2008 10:39 pm
Location: Saint Paul, MN USA

Re: RESTful ws - access the current authenticated user

Postby ptalbot » Mon Mar 14, 2011 12:36 am

Passing anything other than session IDs in a URL is a security breach.
Nothing would prevent anyone from "pretending" he is another user if you did it this way.
Patrick Talbot
Freelance - Open Source - Servoy Valued Professional
https://www.servoyforge.net
Velocity rules! If you don't use it, you don't know what you're missing!
ptalbot
 
Posts: 1654
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC
