I'm trying to utilize the Amazon Product Advertising API. They provided me with a .wsdl file which I consumed and generated wrapper classes for via Visual Studio 2008's "Add Service Reference" option. This wrapper class works just fine as is and I've been successfully sending requests and receiving responses from Amazon.
However, they are now requiring that all partners start authenticating their requests. They have provided me with two .pem files (one which they call my X.509 certificate file, and one which they call my private key file). I'm not entirely sure what to do with these files. Amazon states the following:
Each SOAP request must be signed with the private key associated with the X.509 certificate. To create the signature, you sign the Timestamp element, and if you're using WS-Addressing, we recommend you also sign the Action header element. In addition, you can optionally sign the Body and the To header element
I realize that much more information may need to be provided here, so please let me know if I need to provide further detail in order to get an answer to this question.
Checkout this article --> http://www.byteblocks.com/post/2009/06/15/Secure-Amazon-Web-Service-Request.aspx
Looks like it should help you out.
Other links that might help:
1) http://developer.amazonwebservices.com/connect/thread.jspa?messageID=132705
Related
I am using the Paw app for testing API calls to many different endpoints. We have our own admin web app where we can lookup endpoints that I want to test. Now I am copying the URL and pasting it into Paw and then copying the username or API key separately.
It would be awesome if I could add a custom "Open in Paw" link, that prefills the endpoint and auth details. Paw itself uses a "paw://" link for their new serial number registration.
Is it possible to use that schema to do this?
I could not found any documentation on this.
It is possible to use paw:// schema for the custom link.
It should start with either paw://current.document/open? or paw://new.document/open?
Then you can choose to open text or URL and give it a url-encoded value like text=curl%20-X%20%22GET%22%20%22https:%2F%2Fecho.paw.cloud%2F%22%20%5C%09-H%20%22Cookie:%20sessionid%3Dvr3qftico4qeri1l21mayf40axdyidlt%22
Then choose one of our importers from https://paw.cloud/extensions?extension_type=importer for importing the format of your text/url-resource and include the identifier in the link &importer=com.luckymarmot.PawExtensions.cURLImporter
So the full link can look like this paw://current.document/open?text=curl%20-X%20%22GET%22%20%22https:%2F%2Fecho.paw.cloud%2F%22%20%5C%09-H%20%22Cookie:%20sessionid%3Dvr3qftico4qeri1l21mayf40axdyidlt%22&importer=com.luckymarmot.PawExtensions.cURLImporter
I am working with a historic API which grants access via a key/secret combo, which the original API designer specified should be passed as the user name & password in an HTTP Basic auth header, e.g.:
curl -u api_key:api_secret http://api.example.com/....
Now that our API client base is going to be growing, we're looking to using 3scale to handle both authentication, rate limiting and other functions. As per 3scale's instructions and advice, we'll be using an Nginx proxy in front of our API server, which authenticates against 3scale's services to handle all the access control systems.
We'll be exporting our existing clients' keys and secrets into 3scale and keeping the two systems in sync. We need our existing app to continue to receive the key & secret in the existing manner, as some of the returned data is client-specific. However, I need to find a way of converting that HTTP basic auth request, which 3scale doesn't natively support as an authentication method, into rewritten custom headers which they do.
I've been able to set up the proxy using the Nginx and Lua configs that 3scale configures for you. This allows the -u key:secret to be passed through to our server, and correctly processed. At the moment, though, I need to additionally add the same authentication information either as query params or custom headers, so that 3scale can manage the access.
I want my Nginx proxy to handle that for me, so that users provide one set of auth details, in the pre-existing manner, and 3scale can also pick it up.
In a language I know, e.g., Ruby, I can decode the HTTP_AUTHORIZATION header, pick out the Base64-encoded portion, and decode it to find the key & secret components that have been supplied. But I'm an Nginx newbie, and don't know how to achieve the same within Nginx (I also don't know if 3scale's supplied Lua script can/will be part of a solution)...
Reusing the HTTP Authorization header for the 3scale keys can be supported with a small tweak in your Nginx configuration files. As you were rightly pointing out, the Lua script that you download is the place to do this.
However, I would suggest a slightly different approach regarding the keys that you import to 3scale. Instead of using the app_id/app_key authentication pattern, you could use the user_key mode (which is a single key). Then what you would import to 3scale for each application would be the base64 string of api_key+api_secret combined.
This way the changes you will need to do to the configuration files will be fewer and simpler.
The steps you will need to follow are:
in your 3scale admin portal, set the authentication mode to API key (https://support.3scale.net/howtos/api-configuration/authentication-patterns)
go to the proxy configuration screen (where you set your API backend, mappings and where you download the Nginx files).
under "Authentication Settings", set the location of the credentials to HTTP headers.
download the Nginx config files and open the Lua script
find the following line (should be towards the end of the file):
local parameters = get_auth_params("headers", string.split(ngx.var.request, " ")[1] )
replace it with:
local parameters = get_auth_params("basicauth", string.split(ngx.var.request, " ")[1] )
finally, within the same file, replace the entire function named "get_auth_params" for the one in this gist: https://gist.github.com/vdel26/9050170
I hope this approach suits your needs. You can also contact at support#3scale.net if you need more help.
I want to retrieve content of sample.html inside catalog folder in alfresco using restful.
From alfresco document i got the following rest url to retrieve content of a document. But i dont know exactly what is property, stor_type, store_id,id and attach.
GET /alfresco/service/api/node/content{property}/{store_type}/{store_id}/{id}?a={attach?}
It would be grateful if someone explains me the above rest url properties and provide me a example.
The CMIS Web Scripts Reference and the Repository RESTful API Reference give a little more information (but no examples).
property is the property of the node to follow in order to obtain the content - this will default to cm:content so can generally be omitted
store_type will normally be "workspace" for live application data - see this forum discussion on store types etc
store_id will be "SpacesStore" for normal files - see this forum discussion on other stores
id is the unique identifier for the node (within a given store), e.g. 986b162e-0867-4a7b-9f4f-0e3837cdc97b
attach - if true, force download of content as attachment (defaults to false) - I think this is to trigger "Save as..." in a browser rather than directly streaming the content?
Example GET URL (untested - and of course you'd need to use a valid host, port and id)
http://my.example.com:8080/alfresco/service/api/node/content/workspace/SpacesStore/986b162e-0867-4a7b-9f4f-0e3837cdc97b
Together, the store_type, store_id and id form a NodeRef which uniquely identifies a node, e.g.
workspace://SpacesStore/f1a5e908-80cb-4c6e-b919-cc80fe53b835
There are a couple of examples (though not of this exact API call) on Jeff Potts' tutorial on Curl and web scripts.
If you want to download a file by name and path (without already knowing the node ID) then you will need to use another API, as the one you are using requires you to know the node ID.
This page mentions a direct download URL that accepts a path and filename, e.g.
/alfresco/download/direct?path=/Company%20Home/My%20Home%20Space/myimage.jpg
Depending on access controls, you may need to add the login ticket parameter to this URL, e.g. &alf_ticket=1234567890, where 1234567890 is the security ticket provided by the login URL.
Note: although I refer to the CMIS Web Scripts Reference above, see also this posting and Jira ticket that state that CMIS web script URLs are deprecated, i.e. ( /alfresco/service/cmis and /alfresco/cmis)
I've watched and viewed lots of pages on securing asp.net web api's - including: http://weblogs.asp.net/jgalloway/archive/2012/03/23/asp-net-web-api-screencast-series-part-6-authorization.aspx and http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx - however, I've not yet seen a KISS type example.
If I have a web api, which returns a list of cars for example - and I am working with a 3rd party (ie. not my own website or server/domain) who wants to query (get) and insert (post) lists of cars by a type, into my database, how so I authenticate them (via https)?
Do they simply add (into their JSON GET/Post) something like:
[
{"username":"someusername","password":"somepassword",
{
"carTypeID":12345,
"carTypeID":9876}
"carTypeID":2468}
}
}
]
I can then grab the username and password, and check against my membership database in .net, and "IfUserAuthenticated" go on to process the rest of the JSON?
Or is there a better way of doing this? I've heard of adding details to headers etc - but I'm not sure if that's for a reason, or over complicating it. I've also heard of setting tokens which are sent back to the 3rd party - if that's the best method, what instructions do I give them got building their side of the app that will use my API?
Thanks for any advice/pointers,
Mark
If you want to keep it simple you can use Basic authentication. Over SSL it's quite secure. It simply involves adding a header to the request:
Authorization: Basic <username:password encoded as base64>
You can find a way to implement it here.
You can use HTTP Basic authenticaiton along with SSL. Its very simple to implement using message handlers and is supported out of the box on many platforms.
See my blog for an example (it is very easy to integrate with membership provider of your choice)
http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/
I've written something similar for the Web API:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/
It's in use at a few places now and we've been using it since about 2 month in production. Seems to work fine.
Does HTTP PUT have advantages over HTTP POST, particularly for File Uploads? Data transfer should be highly secure. Your ideas / guidance on this will be of great help.
PUT is designed for file uploads moreso than POST which requires doing a multipart upload, but then it comes down to what your server can do as to which is more convenient for you to implement.
Whichever HTTP method you use, you'll be transmitting data in the clear unless you secure the connection using SSL.
I think the choice of PUT vs. POST should be more based on the rule:
PUT to a URL should be used to update or create the resource that can be located at that URL.
POST to a URL should be used to update or create a resource which is located at some other ("subordinate") URL, or is not locatable via http.
Any choices regarding security should work equally with both PUT and POST. https is a good start, if you are building a REST API then keys, authorisation, authentication and message signing are worth investigating.
Does HTTP PUT have advantages over HTTP POST, particularly for File Uploads?
You can use standard tools for sending the data (i.e. ones that don't have to be aware of your custom scheme for describing where the file should be uploaded to or how to represent that file). For example, OpenOffice.org includes WebDAV support.
Data transfer should be highly secure
The method you use has nothing to do with that. For security use SSL in combination with some form of authentication and authorization.