Login REST in browser

1
Hi,

At the moment we have created a couple of REST services and they are working with SoapUI. The services can be retrieved at http://appname.com/rest/. One REST service has basic authentication (GetToken), where the service creates a Token for that user and uses this Token to authenticate the user for all the other services. This authentication happens in a microflow. But when I try to click on one of them I have to enter a username and password, but that only works for the GetToken. I have also tried to enter the name of the token as username and the token as password, but it still doesn’t work. Can anybody help me with this?

Another question I have is: a couple of services have a POST, PUT or DELETE method. When I click on one of those in a browser it instantly shows the message Method not allowed for service at: 'wsrestadddevice/', where wsrestadddevice is the REST service. Can anybody tell me why this is?

With kind regards,
Rens
asked
3 answers
1

Hi Jens,

For the first question: You can use a microflow instead of a user role as authentication method, that verifies the tokens and returns a user object if valid, see: https://github.com/mendix/RestServices#securing-published-services, option 3.

For your second question: browsers cannot fire POST, PUT, DELETE requests out of the box, so actually these links should be disabled. See also: https://github.com/mendix/RestServices/issues/58

answered
1

Hi Rens,

The browser doesn't understand custom protocols for security; it doesn't send tokens for you automagically. You have to use test tools like curl, Postman or any other thing you can fire arbitrary HTTP requests with, not a browser.

answered
0

Hi Michel,

Thanks for your reaction.

But what I meant with the first question is: when I click on one of the REST services (in a browser) with the authentication method option 3, the browser asks for a username and password. I’ve tried to log in with multiple accounts with different user roles, and with the name of the token as username and the token as password, but the browser keeps asking for a new username and password. I think it’s because the security of the service expects a header with a token instead of a username and password?

Thanks for the second answer. It makes sense, because those services expect some data to execute the service.

answered
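The request flow discussed in this thread, as an added example (not code from any of the posts or from the RestServices module): a local stub stands in for the app, and a scripted client shows a link-style GET being refused with 405, the token sent as a Basic password being rejected, and the token sent in a request header being accepted. The header name `X-Auth-Token`, the `/rest/gettoken` path and the sample account are assumptions made for the example.

```python
import base64, hmac, http.client, json, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"rens": "s3cret"}     # constructed sample account
TOKENS = set()                 # tokens issued by the stub
TOKEN_HEADER = "X-Auth-Token"  # assumed header name, not taken from the page

def basic(user, pw):           # value a client sends for HTTP Basic auth
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}

class Stub(BaseHTTPRequestHandler):  # local stand-in for the published services
    def reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_GET(self):
        if self.path != "/rest/gettoken":  # a clicked link is always a GET
            return self.reply(405, {"error": "Method not allowed"})
        sent = self.headers.get("Authorization", "").encode()
        if any(hmac.compare_digest(sent, basic(u, p)["Authorization"].encode()) for u, p in USERS.items()):
            TOKENS.add(token := secrets.token_urlsafe(16))
            return self.reply(200, {"token": token})
        self.reply(401, {"error": "bad credentials"})
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        ok = self.headers.get(TOKEN_HEADER, "") in TOKENS  # Basic auth is ignored here
        self.reply(200 if ok else 401, {"added": ok})

def call(port, method, path, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, b"{}" if method == "POST" else None, headers or {})
    resp = conn.getresponse()
    result = resp.status, json.loads(resp.read())
    conn.close()
    return result

def demo():
    srv = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port, dev = srv.server_port, "/rest/wsrestadddevice"
    token = call(port, "GET", "/rest/gettoken", basic("rens", "s3cret"))[1]["token"]
    out = {"link_click": call(port, "GET", dev)[0],
           "token_as_password": call(port, "POST", dev, basic("token", token))[0],
           "token_in_header": call(port, "POST", dev, {TOKEN_HEADER: token})[0]}
    srv.shutdown()
    return out
if __name__ == "__main__":
    print(demo())
```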