Authentication with REST

Question

Question

Pasi Leino · Apr 11, 2017

#Angular #REST API #Authentication #Access control #Caché

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems only work if credentials are placed in the url parameters. Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

2. After initial authentication, what is the proper way to send subsequent rest calls without having to include credential every time?

I have Parameter UseSession As Integer = 1 in my service class, but what else do I need to do?

thank you

Discussion (7)1

Log in or sign up to continue

Fabio Goncalves · Apr 12, 2017

In order to solve Access-Control-Allow-Origin error you can use the HandleCorsRequest feature from your rest service.

Set class parameter HandleCorsRequest = 1 in your rest service class.

Override the OnHandleCorsRequest method in order to provide the origin domain that you want to allow acces to your application.

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

0 0

Fabio Goncalves · Apr 12, 2017

Additional comments:

Basic authentication is the easiest to implement security to your application and it can be implemented without additional libraries. Everything needed to implement basic authentication is what you have done. The problem with basic authentication is that it is (well “basic”) and it offers the lowest security options of the common protocols.

As far as I know there are no advanced options for using basic authentication, so you are just sending a username and password as base64 encoded.

Basic authentication should never be used without SSL encryption because the username and password combination can be easily decoded otherwise.

The UseSession = 1 as you mentioned will break the stateless caracteristics of restfull services and you will also consume a CSP license until the session ends.

You could take a look at other autorization frameworks as OAuth2.0, SAML (supported by Caché and Ensemble) or create your own custom protocols for access token control by using the ZAUTHENTICATE routine and Caché/Ensemble delegated access.

There are 2 nice posts from Daniel Kutac that may help you with additional options:

https://community.intersystems.com/post/cach%C3%A9-open-authorization-fr...

2 0

score 0 · Answer 1 · 2017-04-11T04:54:20-04:00

1. Do you send Authorization Basic header? What's the status code?

2. Include session cookie with the request. It should be done automatically.

score 0 · Answer 2 · 2017-04-12T08:18:37-04:00

Eduard Lebedyuk · Apr 12, 2017

OPTIONS request should be available to unauthorized users.

0 0

score 0 · Answer 3 · 2017-04-12T07:49:18-04:00

Setting Authorization Basic header results Access-Control-Allow-Origin error.

login:1 XMLHttpRequest cannot load http://<ens_host>:57773/csp/nnn/login. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

I have cors enabled in the service and the service works just fine with

curl -H "Authorization: Basic <base64_coded_username_password>" ur

l

So it looks like Chrome wants to perform OPTIONS request in stead of plain GET and things go wrong there after and this might be a combination of many things.

I anyone has any ideas, I would appreciate.

-Pasi-

score 0 · Answer 4 · 2017-04-24T09:18:57-04:00

I think the problem is that the browser turns the GET request into OPTIONS request and the question is how do I deal with this in the service end. There seems to be a OnHandleOptionsRequest() method in %CSP.REST but I don't get how to use it?

score 0 · Answer 5 · 2017-04-24T09:22:00-04:00

As Fabio said

Set class parameter HandleCorsRequest = 1 in your rest service class.

To enable CORS support.