REST Service Authentication

An overview, with examples, of the authentication methods supported by the REST infrastructure of Product Manager. All authentication methods are implemented as core functionality of the REST/WebService infrastructure, so they are automatically active for your own REST services as well as for the REST Service API that ships out of the box.

Basic Authentication

Product Manager allows REST clients to authenticate themselves with a user name and password using basic authentication.

Basic authentication is unsafe unless it is combined with SSL/TLS, since the username and password are transmitted only base64-encoded, which is trivially reversible and therefore effectively plain text!

Simple example

Most client software provides a simple mechanism for supplying a user name and password and will build the required authentication headers automatically. For example, you can specify the -u argument with curl as follows:

curl -D- -u myUsername:myPassword -X GET -H "Content-Type: application/json" http://hpm.heiler.com:1501/rest/V1.0/list/suppliercatalog/all

Username / Password Basic Authentication

If you need to, you may construct and send basic auth headers yourself. To do this, perform the following steps:

  1. Build a string of the form username:password

  2. Base64 encode the string

  3. Supply an "Authorization" header with content "Basic " followed by the encoded string, e.g. "Basic YWRtaW46YWRtaW4="

curl -D- -X GET -H "Authorization: Basic bXlVc2VybmFtZTpteVBhc3N3b3Jk" -H "Content-Type: application/json" http://hpm.heiler.com:1501/rest/V1.0/list/suppliercatalog/all

Token Basic Authentication

Instead of supplying a username/password, clients can also use a token to authenticate calls. This token can be retrieved in the following ways:

  • When running inside the Product 360 Server / Client, by using the API com.heiler.ppm.security.core.auth.Authenticator.createTokenAsString(). This token is valid for one hour.

  • When already authenticated, a token can also be retrieved via REST by sending a POST to /rest/V1.0/manage/system/security/token. For further details, see chapter REST System API. This token is valid for one hour.

  • When using SAML for authentication (see chapter SAML Configuration), a token can be retrieved for the user contained in a SAML Assertion or SAML Response. This is done via REST by sending a POST to /rest/V1.0/manage/system/security/tokenForSaml. For further details, see chapter REST System API. The token validity period can be configured and is one day by default.

The token can then be passed base64-encoded as a Basic Authentication header. Example:

GET /rest/V1.0/list/Article/byCatalog
Authorization: Token <base64-encoded token>
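The following shell script is an added example and is not part of the Product Manager documentation. It covers both the manual header construction from the three steps above and the token flow described in this chapter: authenticate once with the password to obtain a token from /rest/V1.0/manage/system/security/token, then send the base64-encoded token instead of the password on later calls. Two things are assumptions, not stated on the page: that the token POST returns the token as the plain response body, and that the scheme keyword "Token" shown in the page's example is the exact form the server expects. REST_HOST, REST_USER and REST_PASS are placeholder variable names; the credentials used in the offline part are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Product Manager documentation).
# Assumptions: the token endpoint returns the bare token as its body; the header
# scheme keyword "Token" is taken from the page's example; REST_HOST/REST_USER/
# REST_PASS are placeholder environment variables.

# Steps 1-3: "user:password", base64-encode it, prefix with "Basic ".
# printf '%s' is used instead of echo so no trailing newline ends up in the encoding;
# tr strips the line wrapping some base64 implementations add for long input.
basic_auth_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode the credential part of a Basic header. base64 is encoding, not encryption:
# without TLS, anyone on the network path reads the password back out like this.
basic_auth_decode() {
    printf '%s' "$1" | sed 's/^Authorization: Basic //' | base64 -d
}

# Header for token-based calls: the token itself is sent base64-encoded.
token_auth_header() {
    printf 'Authorization: Token %s' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# Offline demonstration with constructed credentials.
basic_auth_header myUsername myPassword; echo
# → Authorization: Basic bXlVc2VybmFtZTpteVBhc3N3b3Jk
basic_auth_decode "$(basic_auth_header myUsername myPassword)"; echo
# → myUsername:myPassword

# Live flow, only when a server is configured. https keeps the password and the
# token off the wire in clear; the token is valid for one hour, so re-run the
# POST rather than retrying a failed call with a stale token.
if [ -n "$REST_HOST" ]; then
    TOKEN=$(curl -sS -X POST -H "$(basic_auth_header "$REST_USER" "$REST_PASS")" \
                 "https://$REST_HOST/rest/V1.0/manage/system/security/token")
    curl -D- -X GET -H "$(token_auth_header "$TOKEN")" \
         -H "Content-Type: application/json" \
         "https://$REST_HOST/rest/V1.0/list/suppliercatalog/all"
fi
```

Run it without REST_HOST to see the header construction and its decoding; export REST_HOST, REST_USER and REST_PASS to exercise the token round trip against a server. The decode function is the practical argument for the SSL/TLS warning above: the password only needs to be sent once to obtain a token, but that one exchange is as exposed as any other unless the transport is encrypted.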

OAuth

Not yet supported.