REST

  Security


The application server embedded in a web app created with Code On Time allows programmatic access to data controllers. By default, all data controller URIs (Uniform Resource Identifiers) are locked down.

For example, if you navigate to http://demo.codeontime.com/northwind/appservices/MyProducts?SupplierCompanyName=Tokyo%20Traders, the application server will prompt you to enter a user name and password.

A browser prompt to enter user credentials is displayed in response to an attempt to access a protected URI of the built-in application server

Enter admin/admin123% or user/user123% and you will see the following XML data:

<?xml version="1.0" encoding="utf-8"?>
<MyProducts totalRowCount="3" pageSize="100" pageIndex="0" rowCount="3">
  <items>
    <item ProductName="Mishi Kobe Niku" SupplierID="4" CategoryID="6" 
          QuantityPerUnit="18 - 500 g pkgs." UnitPrice="$97.00" UnitsInStock="29" 
          UnitsOnOrder="0" ReorderLevel="0" Discontinued="True" ProductID="9" 
          SupplierCompanyName="Tokyo Traders" CategoryCategoryName="Meat/Poultry" />
    <item ProductName="Ikura" SupplierID="4" CategoryID="8" 
          QuantityPerUnit="12 - 200 ml jars" UnitPrice="$31.00" UnitsInStock="31" 
          UnitsOnOrder="0" ReorderLevel="0" Discontinued="False" ProductID="10" 
          SupplierCompanyName="Tokyo Traders" CategoryCategoryName="Seafood" />
    <item ProductName="Longlife Tofu" SupplierID="4" CategoryID="7" 
          QuantityPerUnit="5 kg pkg." UnitPrice="$10.00" UnitsInStock="4" 
          UnitsOnOrder="20" ReorderLevel="5" Discontinued="False" ProductID="74" 
          SupplierCompanyName="Tokyo Traders" CategoryCategoryName="Produce" />
  </items>
</MyProducts>
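As an added example (not code from this page or from Code On Time), the following Python routine parses a response of the shape shown above into typed records: the money-formatted UnitPrice becomes a Decimal, the integer and Boolean attributes are converted, and the parser checks that rowCount agrees with the number of items actually returned. The embedded sample is a constructed copy of the response above, so the code runs offline. The build_request helper assumes that the credential prompt corresponds to HTTP Basic authentication, which the page does not state.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from decimal import Decimal

# Constructed copy of the response shown on this page, embedded so the
# parser can be exercised without a live server.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<MyProducts totalRowCount="3" pageSize="100" pageIndex="0" rowCount="3">
  <items>
    <item ProductName="Mishi Kobe Niku" SupplierID="4" CategoryID="6"
          QuantityPerUnit="18 - 500 g pkgs." UnitPrice="$97.00" UnitsInStock="29"
          UnitsOnOrder="0" ReorderLevel="0" Discontinued="True" ProductID="9"
          SupplierCompanyName="Tokyo Traders" CategoryCategoryName="Meat/Poultry" />
    <item ProductName="Ikura" SupplierID="4" CategoryID="8"
          QuantityPerUnit="12 - 200 ml jars" UnitPrice="$31.00" UnitsInStock="31"
          UnitsOnOrder="0" ReorderLevel="0" Discontinued="False" ProductID="10"
          SupplierCompanyName="Tokyo Traders" CategoryCategoryName="Seafood" />
    <item ProductName="Longlife Tofu" SupplierID="4" CategoryID="7"
          QuantityPerUnit="5 kg pkg." UnitPrice="$10.00" UnitsInStock="4"
          UnitsOnOrder="20" ReorderLevel="5" Discontinued="False" ProductID="74"
          SupplierCompanyName="Tokyo Traders" CategoryCategoryName="Produce" />
  </items>
</MyProducts>"""

INT_FIELDS = ("ProductID", "SupplierID", "CategoryID",
              "UnitsInStock", "UnitsOnOrder", "ReorderLevel")


def build_request(url: str, user: str, password: str) -> urllib.request.Request:
    """Assumption: the server's credential prompt is HTTP Basic authentication."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + token)
    return req


def parse_products(xml_text: str) -> dict:
    """Turn the <MyProducts> document into paging info plus typed item records."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    page = {k: int(root.attrib[k])
            for k in ("totalRowCount", "pageSize", "pageIndex", "rowCount")}
    items = []
    for el in root.iter("item"):
        a = el.attrib
        rec = {k: int(a[k]) for k in INT_FIELDS}
        rec["ProductName"] = a["ProductName"]
        rec["QuantityPerUnit"] = a["QuantityPerUnit"]
        # UnitPrice is rendered as currency text ("$97.00"); keep it exact.
        rec["UnitPrice"] = Decimal(a["UnitPrice"].lstrip("$").replace(",", ""))
        rec["Discontinued"] = a["Discontinued"].lower() == "true"
        rec["SupplierCompanyName"] = a["SupplierCompanyName"]
        rec["CategoryCategoryName"] = a["CategoryCategoryName"]
        items.append(rec)
    # Sanity check: the server's rowCount must agree with what was delivered.
    if page["rowCount"] != len(items):
        raise ValueError("rowCount %d but %d items in response"
                         % (page["rowCount"], len(items)))
    page["items"] = items
    return page


if __name__ == "__main__":
    result = parse_products(SAMPLE_RESPONSE)
    print(result["totalRowCount"], "rows:",
          [r["ProductName"] for r in result["items"]])
```

When the response comes from a server you do not operate, parse it with defusedxml rather than the standard-library ElementTree, which does not guard against entity-expansion payloads on older Python releases.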

A similar prompt will be displayed if you generate an app with Code On Time and access any data controller. If the user account is validated successfully, an HTTP error 404 is displayed instead, indicating that the resource was not found: the application server refuses to reveal any data.

You must configure access to the URIs for each data controller explicitly to enable request processing by the built-in application server.

Select a data controller in Project Designer and enter configuration parameters in the field “Representational State Transfer (REST) Configuration”.

REST configuration of a data controller must list at least one “Uri” parameter. A minimal configuration with a single “Uri” parameter is shown next:

Uri: .

The parameter is a regular expression evaluated against the URL of a web request targeting the application server of a web app. The “.” in this configuration will match any URL that contains at least one character.

A more restrictive configuration will allow listing the entire catalog of products but will not allow any arguments in the URL after the “?”.

Uri: appservices/Products$

The following URI configuration will allow a full listing of the product catalog or a list of products filtered by the SupplierCompanyName field. No other URLs will be allowed in a request.

Uri: Products$

Uri: Products?SupplierCompanyName=.+$

If multiple URIs are specified, the built-in application server evaluates each of them in the order of definition. The application server produces a response as soon as the first configured URI has a case-insensitive match to the web request URL.

Each “Uri” parameter may be followed by the following optional parameters, which impose additional restrictions.

Parameter   Description
----------  ------------------------------------------------------------------
Method      A comma-separated list of HTTP methods that a web request may use.
            GET, POST, PUT, and DELETE methods are supported.
Users       A comma-separated list of users allowed to access this URI. If the
            parameter is not defined, the application server allows only
            authenticated users to access the URI.
            Symbol “?” will allow authenticated and anonymous users.
            Symbol “*” will allow authenticated users only.
Roles       A comma-separated list of application roles that an authenticated
            user must have in order to access the URI.
Ssl         Indicates that the URI can only be accessed via a secure SSL
            connection. The default value is False.
Xml         Indicates whether an XML response can be returned to a client.
            The default value is True.
Json        Indicates whether a JSON response can be returned to a client.
            The default value is True.

This example will allow only a JSON response to HTTP GET requests for any data controller URI by authenticated users in the Administrators or Power Users roles.

Uri: .
Method: GET
Users: *
Roles: Administrators, Power Users
Xml: False
JSON: True
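To make the evaluation rules of this section concrete, here is an added Python policy evaluator (not Code On Time's implementation, and not from this page) that reads a REST configuration in the format above and reports whether a given request would be accepted. It follows the text of this section: the first Uri whose regular expression matches case-insensitively decides; an undefined Users parameter admits authenticated users only, “?” admits anonymous callers and “*” authenticated ones; Ssl, Xml and Json default to False, True and True. Three points the page does not state are assumptions of this code and are marked as such in the comments: the match is made against the request path plus query string, a request that matches a Uri but fails one of its restrictions is denied rather than passed to later rules, and Roles is satisfied by membership in any one of the listed roles. Note also that in an ordinary regular-expression engine the “?” in Products?SupplierCompanyName=.+$ is a quantifier, so the evaluator is exercised with the escaped form Products\?SupplierCompanyName=.+$; confirm how your deployment's matcher treats it before relying on a query-string rule.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical evaluator for the "Uri" block syntax described on this page.
# It is not Code On Time's implementation; where the page is silent, the
# behaviour chosen here is labelled as an assumption.

SUPPORTED_METHODS = {"GET", "POST", "PUT", "DELETE"}


@dataclass
class UriRule:
    uri: str                        # regular expression, matched case-insensitively
    methods: Optional[set] = None   # None: any supported method
    users: Optional[set] = None     # None: authenticated users only
    roles: Optional[set] = None     # None: no role requirement
    ssl: bool = False
    xml: bool = True
    json: bool = True


def parse_rest_config(text: str) -> list:
    """Parse 'Name: value' lines; every 'Uri:' line starts a new rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key == "uri":
            rules.append(UriRule(uri=value))
            continue
        if not rules:
            raise ValueError("parameter before the first Uri: " + raw)
        rule = rules[-1]
        if key == "method":
            rule.methods = {m.strip().upper() for m in value.split(",")}
        elif key == "users":
            rule.users = {u.strip() for u in value.split(",")}
        elif key == "roles":
            rule.roles = {r.strip() for r in value.split(",")}
        elif key in ("ssl", "xml", "json"):
            setattr(rule, key, value.lower() == "true")   # "JSON: True" lands here too
        else:
            raise ValueError("unknown parameter: " + name)
    return rules


@dataclass
class Request:
    method: str
    url: str
    user: Optional[str] = None      # None models an anonymous caller
    roles: frozenset = frozenset()
    fmt: str = "xml"                # response format the caller asks for


def evaluate(rules: list, req: Request) -> tuple:
    """Return (allowed, reason). The first rule whose Uri matches decides.
    Assumption: a match that fails a restriction is denied, not passed on."""
    parts = urlsplit(req.url)
    # Assumption: the Uri pattern is tested against path plus query string.
    target = parts.path + ("?" + parts.query if parts.query else "")
    method = req.method.upper()
    for rule in rules:
        if not re.search(rule.uri, target, re.IGNORECASE):
            continue
        if method not in SUPPORTED_METHODS:
            return False, "unsupported HTTP method " + method
        if rule.methods is not None and method not in rule.methods:
            return False, "method %s not allowed for %r" % (method, rule.uri)
        if rule.ssl and parts.scheme.lower() != "https":
            return False, "rule requires an SSL connection"
        if req.user is None:
            if rule.users is None or "?" not in rule.users:
                return False, "anonymous access denied"
        elif rule.users is not None and not (rule.users & {"*", "?", req.user}):
            return False, "user %s not listed" % req.user
        # Assumption: holding any one of the listed roles satisfies Roles.
        if rule.roles is not None and not (rule.roles & set(req.roles)):
            return False, "missing a required role"
        if req.fmt == "xml" and not rule.xml:
            return False, "XML responses are disabled"
        if req.fmt == "json" and not rule.json:
            return False, "JSON responses are disabled"
        return True, "matched %r" % rule.uri
    return False, "no Uri matched (server answers 404)"


if __name__ == "__main__":
    cfg = ("Uri: .\nMethod: GET\nUsers: *\n"
           "Roles: Administrators, Power Users\nXml: False\nJSON: True")
    rules = parse_rest_config(cfg)
    url = ("https://demo.codeontime.com/northwind/appservices/MyProducts"
           "?SupplierCompanyName=Tokyo%20Traders")
    admins = frozenset({"Administrators"})
    for req in (Request("GET", url, "admin", admins, "json"),
                Request("GET", url, "admin", admins, "xml"),
                Request("POST", url, "admin", admins, "json"),
                Request("GET", url, None, frozenset(), "json")):
        print(req.method, req.fmt, req.user, evaluate(rules, req))
```

Running the block with the page's last configuration shows only the first request (GET, JSON, an Administrator) being admitted; the XML request, the POST and the anonymous request are each refused with the restriction that rejected them, which is the check you want to run against a proposed configuration before deploying it.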