Question
· Apr 11, 2017

Authentication with REST

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems only work if credentials are placed in the url parameters.  Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?


2. After initial authentication, what is the proper way to send subsequent rest calls without having to include credential every time?

I have Parameter UseSession As Integer = 1 in my service class, but what else do I need to do?


thank you


Setting the Authorization Basic header results in an Access-Control-Allow-Origin error.

login:1 XMLHttpRequest cannot load http://<ens_host>:57773/csp/nnn/login. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

I have CORS enabled in the service and the service works just fine with

curl -H "Authorization: Basic <base64_coded_username_password>" url

So it looks like Chrome wants to perform an OPTIONS request instead of a plain GET, and things go wrong thereafter; this might be a combination of many things.

If anyone has any ideas, I would appreciate it.

-Pasi-

In order to solve the Access-Control-Allow-Origin error, you can use the HandleCorsRequest feature of your REST service.

Set the class parameter HandleCorsRequest = 1 in your REST service class.

Override the OnHandleCorsRequest method in order to provide the origin domain that you want to allow access to your application.

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

Additional comments:

Basic authentication is the easiest security to implement for your application, and it can be implemented without additional libraries. Everything needed to implement basic authentication is what you have done. The problem with basic authentication is that it is (well, "basic") and it offers the lowest security options of the common protocols.

As far as I know there are no advanced options for using basic authentication, so you are just sending a username and password base64 encoded.

Basic authentication should never be used without SSL encryption because the username and password combination can be easily decoded otherwise.

UseSession = 1, as you mentioned, will break the stateless characteristics of RESTful services, and you will also consume a CSP license until the session ends.

You could take a look at other authorization frameworks such as OAuth 2.0 or SAML (supported by Caché and Ensemble), or create your own custom protocol for access token control by using the ZAUTHENTICATE routine and Caché/Ensemble delegated authentication.

There are two nice posts from Daniel Kutac that may help you with additional options:

https://community.intersystems.com/post/cach%C3%A9-open-authorization-fr...

https://community.intersystems.com/post/cach%C3%A9-open-authorization-fr...
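An added example, not code from this thread or from InterSystems, that puts the answer's two suggestions into one dispatch class: HandleCorsRequest = 1 with OnHandleCorsRequest overridden so that only listed origins get CORS headers, and UseSession = 0 so the API stays stateless and each call carries its own Authorization header. HandleCorsRequest, UseSession and OnHandleCorsRequest are the %CSP.REST members named in the answer; the class name, the /login route, the IsAllowedOrigin helper and the two allowed origins are assumptions for illustration.

```objectscript
/// Added example (not from the thread): a REST dispatch class that answers the
/// browser's OPTIONS preflight itself and allows only an explicit origin allowlist.
/// Class name, route and helper method are assumptions; the three %CSP.REST
/// members (HandleCorsRequest, UseSession, OnHandleCorsRequest) are the ones the answer names.
Class Demo.REST.Service Extends %CSP.REST
{

/// Let this class handle CORS (including the OPTIONS preflight) instead of ignoring it.
Parameter HandleCorsRequest = 1;

/// Keep the API stateless: no CSP session, so every call carries its own credentials
/// and no CSP license is held between calls.
Parameter UseSession As Integer = 0;

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>
  <Route Url="/login" Method="GET" Call="Login" />
</Routes>
}

/// Origins allowed to call this API (assumed values). Never reflect an arbitrary
/// Origin back together with Access-Control-Allow-Credentials: true.
ClassMethod IsAllowedOrigin(pOrigin As %String) As %Boolean
{
    Set allowed("http://localhost:4200") = ""      // Angular dev server
    Set allowed("https://app.example.com") = ""    // production front end
    Quit ($Data(allowed(pOrigin)) > 0)
}

/// Called by %CSP.REST when HandleCorsRequest = 1. Adds CORS headers only for
/// allowed origins; everything else gets no header and the browser blocks it.
ClassMethod OnHandleCorsRequest(pUrl As %String) As %Status
{
    Set origin = %request.GetCgiEnv("HTTP_ORIGIN")
    // No Origin header: not a cross-origin browser request, nothing to add.
    If origin = "" Quit $$$OK
    // Unknown origin: answer without CORS headers rather than echoing it back.
    If '..IsAllowedOrigin(origin) Quit $$$OK
    Do %response.SetHeader("Access-Control-Allow-Origin", origin)
    Do %response.SetHeader("Vary", "Origin")
    // Authorization is a non-simple header; listing it here is what lets the
    // preflight (the OPTIONS request seen in the question) succeed.
    Do %response.SetHeader("Access-Control-Allow-Headers", "Authorization, Content-Type")
    Do %response.SetHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
    Do %response.SetHeader("Access-Control-Allow-Credentials", "true")
    Do %response.SetHeader("Access-Control-Max-Age", "600")
    Quit $$$OK
}

/// Returns the account the web application authenticated for this request.
ClassMethod Login() As %Status
{
    Set %response.ContentType = "application/json"
    Write "{""user"":"""_$Username_"""}"
    Quit $$$OK
}

}
```

With this in place, the Angular client keeps sending the Authorization header on every request (no session cookie to rely on), the OPTIONS preflight from http://localhost:4200 receives the Allow-Origin and Allow-Headers it asked for, and a request from any other origin is refused by the browser because the response carries no CORS headers at all. Serve the web application over HTTPS so the Basic credentials are not sent in the clear.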