Putting standard CSP login in front of a web application with a REST dispatch class

Question

Question

Timothy Leavitt · Jan 3, 2023

Has anybody ever enabled the standard CSP login page for a web application with REST dispatch class? Any ideas how to do this?

(Context: I'm using %CSP.REST with other stuff behind it, not actually a REST API.)

Product version: IRIS 2022.1

$ZV: IRIS for Windows (x86-64) 2022.1.1 (Build 374U) Tue Oct 18 2022 17:39:18 EDT

Discussion (4)1

Log in or sign up to continue

Dmitry Maslennikov · Jan 4, 2023

Any reasons for doing this? This is not how it is supposed to be. REST should answer with Status 401, and optionally with methods available. And web application when gets 401, it knows that it has to authorize the user, and shows its own page or initiates SSO, depending on the task.

Anyway, if really do this way, It looks like %CSP.REST extends %CSP.Login, and it has Method Login

Called for a REST page in the event of a login being required

Did not test it, but I would expect it will do what requested

1 0

Timothy Leavitt · Jan 4, 2023

@Dmitry Maslennikov it's not actually a REST service, I just want a web application where I have full control over behavior of URLs under the application root in ObjectScript. %CSP.REST is the easiest (maybe only?) way to do that.

I ended up implementing Login as follows (which at least mostly works):

/// Called for a REST page in the event of a login being required
ClassMethod Login(skipheader As %Boolean = 1) As %Status [ ProcedureBlock = 0 ]
{
    // Support including logo image (most of the time...)
    Set brokerApp = "/csp/broker/"
    Set brokerName = $Replace(%request.URL,$Piece(%request.URL,"/portal",1),brokerApp)
    If (brokerName '= brokerApp) {
        Set filename = $System.CSP.GetFileName(brokerName)
        If ##class(%Library.File).Exists(filename) {
            Set %response.ServerSideRedirect = brokerName
            Quit $$$OK
        }
    }

    // Redirect with trailing slash (supports above)
    If ($Extract(%request.CgiEnvs("REQUEST_URI"),*) '= "/") && (%request.URL = %request.Application) {
        Set %response.Redirect = %request.Application
        Do %response.WriteHTTPHeader()
        Quit $$$OK
    }

    // Suppress "Access Denied" error message
    If %request.Method = "GET" {
        Set %request.Data("Error:ErrorCode",1) = $$$ERROR($$$RequireAuthentication)
    }

    Quit ##class(%CSP.Login).Page()
}

0 0

score 0 · Answer 1 · 2023-01-03T17:00:11-05:00

I'm not sure you can do that, but is there any reason you can't define it as two web applications, one with the dispatch class and one without?

score 1 · Answer 2 · 2023-01-04T08:01:23-05:00

Yeah, actually, in several projects I've used %CSP.REST to process the whole application. Static web files and REST itself. And the main cause to do so is that the internal webserver did not accept index.html as default index. So, it required to putting it manually to the URL, or using %CSP.REST, which work with static files, and correctly processes index.html. And it requires just one Web Application configured. But in case, when an application is partly anonymous, requires more attention to security.