Together with the REST Service features, you can use the normal security interceptor features as described on Security Model pp.
You can access the authentication headers in the Bridge REST Test Tool, e.g. to set them for testing purposes.
Click Authorize in the top right corner to enter the credentials.
Enabling Authentication
If you want to use authentication with a REST service, set the tags tokenType, tokenHeaderName, and useBasicAuth on the REST service component in the component diagram.
Setting these tagged values does not implement anything yet. The authorization headers have to be inspected in a security interceptor preprocessor to implement authentication and authorization.
Implementing Authentication
In the preprocessor of your security interceptor, you can implement the authentication process.
- Read the authentication headers (see Reading the REST HTTP Headers further below), which are
  - Authorization for basic authentication. The basic authentication headers are base64 encoded. You have to decode them before usage.
  - <name of token header> in component diagram for token authentication
- Decode the basic authentication if necessary (see Decoding Basic Authentication further below).
- Implement your security settings depending on the header values.
In case of the REST Support Manager example, this is a very simplified role assignment based on hard-coded header values.
Reading the REST HTTP Headers
To read the REST HTTP headers, use getRestHttpRequest().
Figure: getRestHttpRequest()
Receive the result in an object of type Request and get all request headers in an array object of type HeaderField.
HeaderField is a type containing a key value pair (see Request and Response Types).
Getting the API Key from the Request Headers
To get the API key value pair from the request headers array, look for the API key name you defined in the component diagram. In our example, this is "API-Key".
Figure: Lookup API Key
Getting the Authorization Headers from the Request Headers
To get the Authorization key value pair from the request headers array, look for "Authorization".
Figure: Lookup Authorization Header
Decoding Basic Authentication
To decode the base64 encoded basic authentication header value, use operations convertBase64ToBlob() and transcodeToString().
- Remove the string "Basic " from the beginning of the header value, e.g.
  local cred = ""; set cred = authHeader.value.substringAfter("Basic ");
- Convert the base64 string to a Blob object using convertBase64ToBlob(), e.g.
  set credentials = cred.convertBase64ToBlob();
- Convert the Blob object to a readable string using transcodeToString(), e.g.
  set cred = credentials.transcodeToString("UTF-8");
- Split user and password from the credentials string, e.g.
  set user = cred.substringBefore(":"); set password = cred.substringAfter(":");
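The header lookup and decoding steps above in one place, as an added Python example (not Bridge action language and not code from the original documentation); find_header, decode_basic, role_for and the sample user table are hypothetical names. It also covers cases the steps leave open: a missing or non-Basic header, invalid base64, and a password that itself contains ":".

```python
import base64
import hmac

def find_header(headers, name):
    """Return the value of the first header whose key matches name, ignoring case."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None

def decode_basic(header_value):
    """Return (user, password) from a Basic Authorization value, or None if malformed."""
    if header_value is None:
        return None
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(encoded.strip(), validate=True)
        cred = raw.decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = cred.partition(":")  # split on the first ':' only
    if not sep or not user:
        return None
    return user, password

def role_for(headers, users):
    """Map request headers to a role; None means the request is rejected."""
    parsed = decode_basic(find_header(headers, "Authorization"))
    if parsed is None:
        return None
    user, password = parsed
    entry = users.get(user)
    if entry is None:
        return None
    stored_password, role = entry
    # Constant-time comparison avoids leaking how many characters matched
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return None
    return role

# Constructed sample data (hypothetical user, password and role)
SAMPLE_USERS = {"alice": ("s3cret:with:colons", "manager")}
SAMPLE_HEADERS = [("Accept", "application/json"),
                  ("authorization", "Basic " + base64.b64encode(b"alice:s3cret:with:colons").decode())]

if __name__ == "__main__":
    print(role_for(SAMPLE_HEADERS, SAMPLE_USERS))
```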