EMS Server Authorization

From Appmethod Topics
Jump to: navigation, search

Go Up to EMS Server

EMS Server Authorization allows you to authorize or deny access to a EMS Resource or a particular EMS Endpoint in an HTTP request. The authorization depends on the credentials used in the HTTP request to the EMS Server.

By default, EMS Resource and endpoints are public.

There are three different kinds of credentials in EMS:

  • Master Secret Key. This credential allows an HTTP request to access any EMS Endpoint in any EMS Resource of your EMS Server.
  • Users. This credential identifies a particular EMS user. Access to endpoints and resources is limited to those authorized for the user or the group that the user belongs to.
  • Application Secret . This credential can access endpoints that are authorized for all HTTP requests.

EMS Authorization Credentials

EMS MasterSecret Key Authentication

The EMS MasterSecret Key (MasterSecret) authorizes you to have complete access over all EMS data that is stored in the EMS Database.

Use this EMS MasterSecret Key for administrative tasks. You can use the EMS MasterSecret Key to have access to all EMS Resource in the EMS Server.

Modify the MasterSecret key in the EMS Server configuration file.

EMS Application Secret Key Authentication

The EMS Application Secret Key (AppSecret) authorizes you to have access to the authorized endpoints from an EMS Client Application.

Modify the AppSecret key in the EMS Server configuration file.

EMS Access Rules

You can create access rules to configure the authorization to a particular EMS Resource or EMS Resource Endpoint.

You can set a new access rule for EMS Administrative API resources (such as EMS Users and EMS Groups) or for a custom EMS Resource.

Note: If the EMS Server uses MasterSecret authentication to control access to the EMS Resource, the access rules set in the EMS configuration file are ignored.

You can specify the access rules with settings (as a JSON string) for:

  • A resource. The resource settings apply to all endpoints in that EMS resource.
  • A particular endpoint. The endpoint settings override the settings for the resource.

You can modify the following JSON attributes for an EMS Resource or an EMS Resource Endpoint:

JSON attribute Description
{"public": true} Authorizes any request.
{"public": false} An EMS client application may be authorized depending on the EMS User or the EMS Group.
{"users": ["username1", "username2"]} Authorizes an EMS User by the field username.
{"users": ["userid1", "userid2"]} Authorizes an EMS User by the field userid.
{"users": ["*"]} Authorizes any EMS User.
{"groups": ["groupname1", "groupname2"]} authorizes any EMS User that belongs to an EMS Group.
{"groups": ["*"]} authorizes any EMS User in any EMS Group.

The following sample makes all methods in the resource Users private except for the LoginUser and SignupUser EMS Endpoints:

 Users={"public": false}
 Users.LoginUser={"public": true}
 Users.SignupUser={"public": true}

The following sample makes all methods in the custom EMS Resource Resource1 available to all EMS users in the group group1:

 Resource1={"groups": ["group1"]}

Create and modify access rules in the EMS Server configuration file.

In the EMS Server Window log, you can see the created access rules (as a RegACL entry).

EMSServerLog RegACL.png

Controlling Access to EMS Resources and Endpoints

The are two ways to control access to resources and endpoints by an EMS User or EMS Client application.

Modifying the EMS Server Configuration File

The EMS Server configuration file (emsserver.ini file) can be used to configure authorization by resource and endpoint.

Configure the MasterSecret or the AppSecret keys, or create new access rules for the EMS Resources and Endpoints

Note: If you modify these values in the emsserver.ini file, you need to stop the EMS Server to reload the configuration parameters. You must terminate and restart EMSDevServer.exe to reload the emsserver.ini file.

Programmatic Control

You can create a new custom EMS resources and add code that prevent accessing to particular EMS endpoints. In your code, you can check if the request is from a particular EMS user or from a EMS user in a particular EMS group.

If the EMS user identified in the request is not allowed to access the endpoint, the custom resource should raise an exception (to indicate that the request is unauthorized).

See Also