WebService Method, security

[jking]

Hello all,

     Working with adding a NetWebServiceMethod to my NT 12.41, C11.13505 app.  I set the security tab on the NetWebService to require the user to log in.  I see two problems:

1.  When I type the URL to the WebServiceMethod, directly into the browser, such as:

                      https://www.myserver.org/databasePathology

I do see a login screen (login.png).  I have a demo user set up but when I type the user name and password, no login occurs and the login screen remains.

2.  When I call the URL, from a menu item, from within a logged in session of the app, I see all the generated documentation for the WebService.  I tried using the REST GET (JSON RESPONSE) item "Try It Live" (live.png).  I enter the user name and password and an ID of a record to "get" but I always get the response seen in the image.  There is a record in the pathology.tps file.

Any thoughts on what I might have missed in the configuration of the method, or things to check?

Thanks,

Jeff King

[Jane]

Jeff,

Some suggestions.

1. Compile the web77 example - both the client and web server.  Verify that fetching the date works.
2. Open a browser and verify that you can access the date from the web service documentation or a URL in a web browser.
3. Change the Date NetWebServiceMethod: on the Security tab, mark the "User must be logged in" and "Delete Session immediately" checkboxes.
4. In the WebHandler procedure, go to the existing filled embed and change the first line to    if pUser = 'demo' and pPassword = 'demo'
5. Compile and run.  Verify that now the web77 client app fails to fetch the date.  A browser pops open its login window.
6. Open your browser to 127.0.0.1:88, use the Services menu.  System.  Date.  You should be able to type in the user name and password and have it work.
7. Compile the netdemo program.  Run it and open the Web Client window.   On the Authentication tab, select Basic authentication and put in the username and password.
8. On the Address tab, put in the address box: http:/127.0.0.1:88/date
9. Fetch should work.  So should using the Generic Post tab.

That web client is handy to use to figure out what you need to do to make your own code work.  You can open the Logging tab to look at what's sent/received.

If you're not running your web server as a service, you can also look at the Log tab on the web app's window  to help trouble-shoot.

I think that when you're testing this it's important to have the Delete Session immediately marked to avoid muddling what works with what doesn't.  I generally leave it marked for service methods anyway.

Good luck!

[jking]

Jane,

     Thanks!  This got me going.  I found that I was using the wrong key in the NetWebServiceMethod.  Once I set it correctly, my data was found and displayed properly. 
     I set the pUser and pPassword as you recommended in item 4.  This now works as expected.  However, when I see the browser pop up a login screen, it does not work...does not accept the user name and password.  Not a big deal as I can enter the user name and password on the form itself.

Thanks again for your help,

Jeff

[Jane]

Jeff,

My question would be why you'd want to access a netWebService from a browser.  That's not how it's supposed to be used.  ? ? ?

That said, my little test with the Web77 example does accept the password from Chrome.  To avoid caching questions, I close Chrome entirely between tests.  In the second pic, you can see that the username/password was passed in as basic authentication.

jf

[Bruce]

Hi Jeff,

What embed code to authenticate the user is in your LoginForm procedure? Ideally this should be calling p_web.Authenticate(user,password)

then;
What code is in your WebHandler, in the Authenticate (user password) method to log the user in?

Cheers
Bruce

[jking]

Jane,

You asked:

     "My question would be why you'd want to access a netWebService from a browser.  That's not how it's supposed to be used.  ? ? ?"

Good question!

     I'm testing with a colleague.  He likes having the test web app call the NetWebService from an "Admin Menu" within the running test app.  Then he can look at the service documentation to see how he should call the web service.  In addition, he likes the "Try It - Live" option, so he can test posting and getting data, without having to build a proper client app yet.
     We found that we could call the web service from a browser (URL) without first logging into the test app properly.  Doing so, without having the web service require the user to be logged in, was a security hole...we could post and get data with no log in.  Obviously something we won't do in production. 

Thanks,

Jeff
     

[jking]

Bruce,

     I currently don't make a call to the p_web.Authenticate(user,password) method.  I use the "old style" to authenticate a user by looking the user up in a user.tps file and then if successful, call p_web.ValidateLogin().  All this is done in my login form embed without a call to p_web.Authenticate(user,password).  I'll be changing this soon.

Thanks,

Jeff

[Jane]

Hah!  Busted by The Master, Jeff 

A web service request isn't going to be hitting your login form.

How long would it take you to cut your existing code out of the login form and to paste it verbatim into the p_web.Authenticate procedure in the webHandler?


jf

[jking]

Jane,

     I suspect it won't take much time at all to copy my login form code to the p_web.Authenticate() method.  As we are still testing I'll give it a go...stay tuned!

Jeff