
REST API Authentication

At the time of the 5.0 release, two authentication methods were supported: session and basic. Session based authentication is meant to be used for AJAX operations. It lets you re-use the visitor's session to execute operations with their permissions. Basic authentication is useful when writing cross-server procedures, where one server executes operations on one or several eZ Publish instances (remote publishing, maintenance, etc.).

Changelog

Version  
5.0 Session and Basic support

 

Session based

This authentication method requires a Session cookie to be sent with the request. If this authentication method is used through a web browser, this session cookie is available as soon as your visitor logs in. Add it as a request cookie to your REST requests, and the user will be authenticated.

Setting it up

To enable session based authentication, you need to edit ezpublish/config/security.yml, and comment out or remove the configuration block about REST:

ezpublish.yml
        ezpublish_rest:
            pattern: ^/api/ezp/v2
            stateless: true
            ezpublish_http_basic:
                realm: eZ Publish REST API

Logging in

It is also possible to create a session for the visitor if they aren't logged in yet. This is done by sending a POST request to /user/sessions. Logging out is done using a DELETE request on the same resource.

More details about this can be found in the reference documentation.

Example

Session authentication with siteaccess header
GET /api/ezp/v2/user/roles HTTP/1.1
Host: api.example.com
Accept: application/vnd.ez.api.RoleList+json
Cookie: eZSESSID22af645d1859cb5ca6da0c484f1f37ea=ca8123ccb543834fecd48f282a40156e

is_logged_in cookie

Session auth currently requires the is_logged_in cookie to be provided with every authenticated request. This cookie will be sent in reply to a successful session authentication.

Session authentication with siteaccess header
GET /api/ezp/v2/user/roles HTTP/1.1
Host: api.example.com
Accept: application/vnd.ez.api.RoleList+json
Cookie: eZSESSID22af645d1859cb5ca6da0c484f1f37ea=ca8123ccb543834fecd48f282a40156e; is_logged_in=true

Basic HTTP authentication

Basic authentication requires the password to be sent, base64 encoded, with the request, as explained in RFC 2617.

Most HTTP client libraries, as well as REST libraries, should support this method one way or another.

Raw HTTP request with basic authentication
GET / HTTP/1.1
Host: api.example.com
Accept: application/vnd.ez.api.Root+json
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==