Inserting content through REST call


Inserting content through REST call

rui.bullseye
Hi,
The title is self-explanatory.

I have a page containing a widget.
This widget works as a poll, which provides feedback on whether the page was helpful or not with a "Yes" or "No".

After the user chooses an option, "yes" or "no", I want to perform a REST API call and increment the positive or negative feedback, and here comes the tricky part.

From my research, I've noticed you allow REST calls in order to insert content, but unfortunately there isn't a way to do this without exposing the username and password in JavaScript.

Could you guys show me an example where I'm able to perform a REST API call without exposing my credentials?

Best regards,

--
http://dotcms.com - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/e8957be8-b650-4c3f-a9ee-ab55dca84d88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

RE: Inserting content through REST call

Nathan Keiter

Is it an option for you to make it anonymous?

 

If permissions are set to anonymous it won’t require a login.

 

Nathan I. Keiter | Lead Network Applications Programmer | Benefits Advisory Council Member | I.D.E.A Council Member
Gettysburg College | Information Technology | DataSystems
Campus Box 2453 | 300 North Washington Street | Gettysburg, PA 17325
Phone: 717.337.6993

https://www.gettysburg.edu

Re: Inserting content through REST call

Mark Pitely
That is, you set the *content structure* that you want to store your data in to have the CMS_Anonymous privileges, and it works without credentials.
Yes, someone could make code to use the API to talk to your specific content structure, but as long as it is just a simple /yes/no/comment piece you will be fine.

Here is some code that does essentially what you are discussing, where review is called from an onchange on a select field:

function review(which) {
    // The content endpoint expects a multipart body with one form field,
    // "json", carrying the content as a JSON string.
    var formData = new FormData();
    // Declared with var: the original leaked "request" as an implicit global.
    var request = new XMLHttpRequest();

    request.onreadystatechange = function () {
        if (request.readyState == 4) {
            if (request.status === 200) {
                console.log("Create Eiffel Connect:");
                console.log(request.responseText);
                // Reload the page, bypassing the dotCMS page cache.
                location.href = "${VTLSERVLET_URI}?dotcache=refresh";
            } else {
                console.log("Error", request.statusText);
            }
        }
    };

    // The ParisPageValidate structure is granted to CMS_Anonymous,
    // so no credentials are sent with this request.
    request.open("POST", "/api/content/publish/1", true);

    var reason = "good";
    if (which == 1) reason = "needs update";
    if (which == 2) reason = "remove page";
    if (which == 3) reason = "move page";

    var d = new Date();
    var mon = d.getMonth() + 1;
    var day = d.getDate();
    var atime = d.getFullYear() + "-" + mon + "-" + day + " " +
                d.getHours() + ":" + d.getMinutes() + ":" + d.getSeconds();
    console.log(atime);

    // User, PageUrl, Identifier, Highlight, Comment, Reported, ResolvedBy, Resolved
    // The $-prefixed values are Velocity variables rendered server-side into the page.
    var dataObj = {
        'stName': 'ParisPageValidate',
        'identifier1': '$dotPageContent.identifier',
        'url': '$VTLSERVLET_URI',
        'reviewed': atime,
        'state': which,
        'reason': reason,
        'reviewedby': '$reviewemail',
        'contentHost': 'SYSTEM_HOST'
    };

    formData.append('json', JSON.stringify(dataObj));
    request.send(formData);
}





Mark Pitely
Marywood University


Re: Inserting content through REST call

rui.bullseye
Hi, thank you for replying so quickly.
I've already considered removing the need for authentication like you suggested, but for security reasons, although we are talking about a yes/no/comment type of data, I would like to keep it secure.

Do you guys have any solution that provides a way to "hide" my credentials?

The dotCMS jQuery example exposes user information, which I would like to avoid for obvious reasons.


Re: Inserting content through REST call

Nathan Keiter

Can you pre-encrypt your auth header value?

 

Use an auth header to authenticate. Perhaps build it in a viewtool to hide username and password.

 

Also, if you have a tool like Chrome advanced rest client and the credentials are always the same, you could use that to generate the auth header for those credentials and then paste it into your code.

 

Another option would be to do the API call in Java. Build a “page between” that calls a viewtool to do the API call and then outputs the result.

Re: Inserting content through REST call

Nathan Keiter

One more option: create your own REST endpoint that extends the functionality of theirs. But in yours, create a user object in Java for some predetermined user and use that user as the author.

Re: Inserting content through REST call

rui.bullseye
Nathan,
I was hoping to have a solution based on JavaScript or Velocity, without the need to develop viewtools or REST API "proxies".

Is it possible to run an insert query from the backend with a Lucene query or something similar? That way I could develop a widget that would call the insert.

Thank you so much for all your help so far, Nathan.

Re: Inserting content through REST call

Nathan Keiter

I would say use an auth header then.

 

That would give access while obscuring the actual username and password values.

 

https://dotcms.com/docs/latest/save-content-using-rest-api#authentication

 

https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo?hl=en-US

Re: Inserting content through REST call

Nathan Keiter

Demo: Get encoded Auth header value from Google Advanced REST Client app.

Re: Inserting content through REST call

rui.bullseye
Nathan,
The last approach you mentioned takes me to my first problem: since authentication is encoded with base64, it's easy for someone to inspect the code and check credentials :/.

Re: Inserting content through REST call

Jason Tesser-2
You should be running SSL, which addresses the concern.

Re: Inserting content through REST call

Nathan Keiter

Does it matter?

 

I mean create a dummy user “Johny Content Rater” with username and password. Grant a role to be able to add this content type and nothing else.

 

That way it's not a real user's credentials.

Re: Inserting content through REST call

Nathan Keiter

I think he’s worried about someone doing a “view source” on the page.

Re: Inserting content through REST call

Mark Pitely
Any way you do it, a skilled person should be able to reconstruct the process, since you are relying on JavaScript to do the work.
The truth is the API is there anyway; there's always going to be that hole. I agree that it would be terrible to put out your credentials in plaintext, but that's what CMS_Anonymous content is for.
You could use some sort of external store (MySQL) to write to if you like, one that does nothing but keep that count, if you want to be ridiculously secure, but that won't change the essential insecurity of a Java-based API running your system in the first place.

Mark Pitely
Marywood University

On Wed, Aug 30, 2017 at 10:16 AM, Nathan Keiter <[hidden email]> wrote:

I think he’s worried about someone doing a “view source” on the page.

 

Nathan I. Keiter | Lead Network Applications Programmer | Benefits Advisory Council Member | I.D.E.A Council Member
Gettysburg College | Information Technology | DataSystems
Campus Box 2453 | 300 North Washington Street | Gettysburg, PA 17325
Phone: <a href="tel:(717)%20337-6993" value="+17173376993" target="_blank">717.337.6993

https://www.gettysburg.edu

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Jason Tesser
Sent: Wednesday, August 30, 2017 10:14 AM
To: dotCMS User Group
Subject: Re: [dotcms] Re: Inserting content through REST call

 

You should  be running SSL which addresses the concern 

 

On Wed, Aug 30, 2017 at 10:09 AM <[hidden email]> wrote:

Nathan,

The last approach you mentioned takes me to my first problem, since authentication is encoded with base64, its easy for someone to inspect the code and check credentials :/.

 

 

--
http://dotcms.com - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/c38f717d-7938-4cca-b2c2-3a689d4abd02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Inserting content through REST call

jonathan.sanchez
Hi all,

Basic authentication is just doing base64 or something like that; there is no encryption in there, even if it is not human-readable, so you are still sharing your credentials. However, there might be a few choices for you, all of them with pros/cons.

1) you can use JWT
https://dotcms.com/docs/latest/authentication-using-jwt

curl -H "Content-Type: application/json" -X POST -d '{ "user":"[hidden email]", "password":"admin", "expirationDays": "10" }' http://localhost:8080/api/v1/authentication/api-token

This will return something like:
{
    "entity": {
        "token": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJpWEtweXU2QmtzcWI0MHZNa3VSUVF3PT0iLCJpYXQiOjE1MDQxMDcwNjUsInN1YiI6IntcInVzZXJJZFwiOlwiaVhLcHl1NkJrc3FiNDB2TWt1UlFRd1xcdTAwM2RcXHUwMDNkXCIsXCJsYXN0TW9kaWZpZWRcIjoxNDg0MjU1MDc4MDAwLFwiY29tcGFueUlkXCI6XCJkb3RjbXMub3JnXCJ9IiwiaXNzIjoiaVhLcHl1NkJrc3FiNDB2TWt1UlFRdz09IiwiZXhwIjoxNTA0OTcxMDY1fQ.f7MZkn-TwzDGN58XCIHn4lJC8irFhiHDw1wJwrj7Os4"
    },
    "errors": [],
    "i18nMessagesMap": {},
  

The token value can then be used in your header, such as:
Authorization: Bearer <token>

In our example:

Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJpWEtweXU2QmtzcWI0MHZNa3VSUVF3PT0iLCJpYXQiOjE1MDQxMDcwNjUsInN1YiI6IntcInVzZXJJZFwiOlwiaVhLcHl1NkJrc3FiNDB2TWt1UlFRd1xcdTAwM2RcXHUwMDNkXCIsXCJsYXN0TW9kaWZpZWRcIjoxNDg0MjU1MDc4MDAwLFwiY29tcGFueUlkXCI6XCJkb3RjbXMub3JnXCJ9IiwiaXNzIjoiaVhLcHl1NkJrc3FiNDB2TWt1UlFRdz09IiwiZXhwIjoxNTA0OTcxMDY1fQ.f7MZkn-TwzDGN58XCIHn4lJC8irFhiHDw1wJwrj7Os4

Two things to keep in mind: the token will be valid for 10 days (you can change that when you create it).
It is still a security issue, since the token could be used to call the API, but at least your user and password are safe, and you can limit the user's permissions in dotCMS.

2)
You can create a proxy that wraps the request; for instance, you can create a nodejs server that takes the request and resends it with credentials to dotCMS (but it will require more infrastructure), or you can create an open endpoint in dotCMS that calls ContentResource (in the same instance, but it will add some overhead to the request), etc.

3) 
You can create a filter that intercepts the call and adds the credentials for a specific call/URL (minimum overhead, but you need to write a plugin to add the filter).

4) 
You can extend ContentResource in something like MyContentResource and expose a public method that calls the subsequent logic; in that method you can add the logic to artificially send the credentials to the endpoint, etc. (you might need to override the class with a plugin).

My 2 cents,
J
