
REST API Authentication

Since 5.0, two authentication methods are supported: session and basic.

Session based authentication is meant to be used for AJAX operations. It lets you re-use the visitor's session to execute operations with their permissions.

Basic authentication is often used when writing cross-server procedures, when one remote application executes operations on one/several eZ Publish instances (remote publishing, maintenance, etc).

The default authentication method in 5.x is Basic authentication. As of release 2015.01, Session has been changed to be default.

Session based authentication

This authentication method requires a Session cookie to be sent with each request.

If this authentication method is used with a web browser, this session cookie is automatically available as soon as your visitor logs in. Add it as a cookie to your REST requests, and the user will be authenticated.

Setting it up

Not needed as of the 2015.01 release, as the default is now Session.

To enable session based authentication, you need to edit ezpublish/config/security.yml, and comment out / remove the configuration block about Basic Auth (shown in the following section).

Important

As of 5.3 / 2014.04, you also need to add the following configuration in your ezpublish/config/security.yml:

--- a/ezpublish/config/security.yml
+++ b/ezpublish/config/security.yml
@@ -33,6 +33,7 @@ security:
         ezpublish_front:
             pattern: ^/
             anonymous: ~
+            ezpublish_rest_session: ~
             form_login:
                 require_previous_session: false
             logout: ~
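
Review bot: the added ezpublish_rest_session line has no comment saying when it is required or what it depends on, and it sits under ezpublish_front, whose pattern ^/ covers every path. Symfony hands a request to the first firewall whose pattern matches, so an ezpublish_rest firewall with the narrower ^/api/ezp/v2 pattern, if still present ahead of this one, would handle REST requests instead. Suggest a YAML comment on the new line stating that it is needed as of 5.3 / 2014.04 and that the Basic Auth firewall must be removed or commented out for session authentication to take effect.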

Logging in

It is also possible to create a session for the visitor if they are not logged in yet. This is done by sending a POST request to /user/sessions. Logging out is done using a DELETE request on the same resource.

More information

HTTP Basic authentication

To enable HTTP Basic authentication, you need to edit ezpublish/config/security.yml, and add/uncomment the following block. Note that this is enabled by default.

ezpublish.yml
        ezpublish_rest:
            pattern: ^/api/ezp/v2
            stateless: true
            ezpublish_http_basic:
                realm: eZ Publish REST API

Basic authentication requires the username and password to be sent (username:password), base64 encoded, with each request, as explained in RFC 2617.

Most HTTP client libraries as well as REST libraries support this method one way or another.

Raw HTTP request with basic authentication
GET / HTTP/1.1
Host: api.example.com
Accept: application/vnd.ez.api.Root+json
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
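
The token in the request above is Base64 encoding of username:password, so anything that sees the raw request can recover the credentials. The following Python is an added example, not part of the eZ Publish documentation: it builds the header, recovers the credentials from a raw request, and masks the token before logging. The function names and the [REDACTED] marker are hypothetical.

```python
import base64
import binascii
import re

# Constructed sample: the raw request shown on this page.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Accept: application/vnd.ez.api.Root+json\r\n"
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    "\r\n"
)

# Group 1 is the header prefix, group 2 the Base64 token (stops at CR/LF).
_AUTH_RE = re.compile(r"^(Authorization:[ \t]*Basic[ \t]+)(\S+)", re.I | re.M)


def build_basic_header(username, password):
    """Return the Authorization header value for username:password."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_credentials(raw_request):
    """Return (username, password) from a raw request, or None if absent or malformed."""
    match = _AUTH_RE.search(raw_request)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(2), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def redact_authorization(raw_request):
    """Mask the credential token so the request can be written to a log."""
    return _AUTH_RE.sub(r"\g<1>[REDACTED]", raw_request)
```

Because the token decodes this easily, Basic authentication should only travel over TLS, and request logs should store the redacted form.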