Understanding /base permissions
Hi all,
I'm trying to get my head around permissions and security in /base. I've got a site where the iOS app developer needs to get data from Umbraco from *some sort of webservice* as JSON. This "service" needs to have some kind of authentication to it since the company doesn't want other people to access the service directly.
Seeing that it's possible to set up permissions in /base, this seems like a clean way to set it up. I've set up my extension method like this:
But I'm not sure how this permission check is performed. Does the user have to perform a regular login (ASP.NET Membership provider login using the Login control) on a page before attempting to call the method?
If so, I need to create the permission check/auth in some other way since I just want the iOS developer to provide the method with a username and a password using /base method parameters (is this safe at all, by the way?)
Any help/hint is greatly appreciated! :-)
Thanks in advance.
- Bo
Permissions are based upon the currently logged-in member, i.e. Member.GetCurrentMember().
If no member is logged in, then permission is denied. Else, the following rules apply:
- if the user is in one of the allowGroup groups, then permission is granted
- else if the user is of one of the allowType types, then permission is granted
- else if the user is one of the allowMember users, then permission is granted
- else permission is denied
So yes, a regular membership provider login is required...
That being said, regular membership login that happens on http (not https) will expose the logon & password anyway, and any other solution that is not https will have the same issue, so why don't you just pass a "key" parameter to the method and let it validate that key?
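As an added illustration (not code from this thread and not Umbraco's own implementation), the following stand-alone C# program models the rule order described in the reply above and the "key parameter" alternative it suggests. The types BaseMember, PermissionCheck and ApiKeyCheck are illustrative names, the sample members and attribute values are constructed for the demo, and the assumption that allowGroup/allowType/allowMember hold comma-separated lists is mine.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Added example: a stand-alone model of the /base permission rules from the reply above.
// None of these types are Umbraco's; they only mirror the described behaviour.
public sealed class BaseMember
{
    public string LoginName;        // what Member.GetCurrentMember().LoginName would hold
    public string TypeAlias;        // the member type alias
    public HashSet<string> Groups;  // the member groups (roles) the member belongs to
}

public static class PermissionCheck
{
    // Assumption: attribute values such as allowGroup = "ApiClients,Editors" are comma-separated.
    public static string[] SplitList(string csv)
    {
        if (string.IsNullOrEmpty(csv)) return new string[0];
        return csv.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();
    }

    // Rule order exactly as described: no member -> denied; then group, type, member; else denied.
    public static bool IsAllowed(BaseMember current, string allowGroup, string allowType, string allowMember)
    {
        if (current == null) return false;                                       // anonymous caller
        if (SplitList(allowGroup).Any(g => current.Groups.Contains(g))) return true;
        if (SplitList(allowType).Contains(current.TypeAlias)) return true;
        if (SplitList(allowMember).Contains(current.LoginName)) return true;
        return false;
    }
}

public static class ApiKeyCheck
{
    // Compares the presented key to the expected one in constant time, so the
    // check does not leak how many leading bytes matched through its timing.
    public static bool KeyMatches(string presented, string expected)
    {
        if (presented == null || expected == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(presented);
        byte[] b = Encoding.UTF8.GetBytes(expected);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    static void Show(string label, bool result)
    {
        Console.WriteLine("{0,-40} {1}", label, result ? "granted" : "denied");
    }

    public static void Main()
    {
        // Constructed sample members (not real accounts).
        var editor = new BaseMember { LoginName = "anna", TypeAlias = "Staff",
                                      Groups = new HashSet<string> { "Editors" } };
        var appUser = new BaseMember { LoginName = "ios-app", TypeAlias = "ApiClient",
                                       Groups = new HashSet<string>() };

        Show("anonymous caller",  PermissionCheck.IsAllowed(null,    "Editors", "",          ""));
        Show("group rule",        PermissionCheck.IsAllowed(editor,  "Editors", "",          ""));
        Show("type rule",         PermissionCheck.IsAllowed(appUser, "Editors", "ApiClient", ""));
        Show("member rule",       PermissionCheck.IsAllowed(appUser, "Editors", "",          "ios-app"));
        Show("no rule matches",   PermissionCheck.IsAllowed(appUser, "Editors", "",          "anna"));

        // In a real site the expected key would come from configuration, not a literal.
        const string expectedKey = "replace-with-a-long-random-secret";
        Show("key parameter, correct", ApiKeyCheck.KeyMatches("replace-with-a-long-random-secret", expectedKey));
        Show("key parameter, wrong",   ApiKeyCheck.KeyMatches("replace-with-a-long-random-secreT", expectedKey));
    }
}
```

If you take the key-parameter route, the /base method would receive the key as one of its parameters and return an error body when ApiKeyCheck.KeyMatches fails, before touching any content. Two practical caveats: a key carried in the URL is only protected in transit by HTTPS, and even then it ends up in server logs and proxy logs, so treat it as rotatable and keep it out of anything the app logs itself.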
Hi Stephen,
Thanks a lot for your replies :-)
I simply went and made two parameters for my base method: username and password, then try to authenticate by:
So my base url would look like this:
Works like it should. 100% secure? Not so sure ;-) But it's not life-critical information, so for now, it's o.k'ish.
All the best,
Bo