How to set username and password before redirecting to a RESTful webservice

Report · Sep 19, 2011

I am a .Net developer who has developed a webservice used by my ColdFusion colleagues. They are using ColdFusion 9 but I'm not sure if they have incorporated any of the newer features of ColdFusion in their apps. Here is a snippet of how they have been invoking the webmethods:

<cfscript>
                     ws = CreateObject("webservice", "#qTrim.webServiceName#");
                     ws.setUsername("#qTrim.trimAcct#");
                     ws.setPassword("#qTrim.trimpwd#");
                     wsString=ws.UploadFileCF("#qTrim.webserviceurl#","#objBinaryData#", "#qFiles.Filename#", "Document", "#MetaData#");
            </cfscript>

As I understand things, the .setUsername and .setPassword correspond to the Windows credentials the CF Admin set when the URL of the .Net webservice was "registered" and given its "name" (for the CreateObject statement above). I have 4 webmethods that are all invoked in this manner and this SOAP protocol works adequately for us. Please note that this ColdFusion web app authenticates anonymous remote internet users by prompting for a username and password and compares them to an application database (i.e. Microsoft calls this "forms authentication"). Because only a few Windows domain accounts are authorized to call this .Net webservice, the above code always uses the same username/password constants and it all works.

My question involves the newest webmethod added to the .Net webservice. It requires that callers must invoke it as a RESTful service which means it must be invoked by its URL. Here is a snippet of C# code that invokes it from an ASP.NET webclient:


            string r = txtRecordNumber.Text;
            string baseurl = "http://localhost/sdkTrimFileServiceASMX/FileService.asmx/DownloadFileCF?";
            StringBuilder url = new StringBuilder(baseurl);
            url.Append("trimURL="); url.Append(txtFakeURLParm.Text);
            url.Append("&");
            url.Append("TrimRecordNumber="); url.Append(txtRecordNumber.Text);
            Response.Redirect(url.ToString());

I assume a ColdFusion script could easily build a full URL as above with appended querystring parameters and redirect. Is there some way for the CF code redirecting to a RESTful webservice (by way of its URL) to set the Username and Password to this Windows account mentioned above? When the DownloadFileCF webmethod is hit it must be with the credentials of this special Windows domain account. Can that be set by ColdFusion someway to mimic the result of the SOAP technique (the first snippet above).

I hope my question is clear and someone can help me make suggestions to my ColdFusion colleagues. Thanks.

Report · Sep 20, 2011

Is the authentication of the REST service URL handled by basic HTTP authentication where a username and password are passed in the HTTP header of the GET request?

Report · Sep 20, 2011

No. The URL for the REST service is simply a "part of" (i.e. one webmethod) of a webservice hosted in a virtual directory that is setup for Windows authentication only. I'm wondering if there is any way to "establish" a different Windows identity prior to the proposed Redirect (i.e. similar to the way .setUsername and .setPassword are "changing identity" prior to a standard SOAP type call to one of my webmethods).

Report · Sep 20, 2011

Can you clarify what you mean by "establish a different Windows identity"? Usually passing identity to a web site or service means adding something to the request's HTTP headers. This could be a cookie in the case of .NET forms authentication or the "Authorization" header in the case of basic authentication.

The SOAP web service invocation code you posted does use basic authentication, according to the CF docs "ColdFusion inserts the user name/password string in the authorization request header as a base64 binary encoded string, with a colon separating the user name and password. This method of passing the user name/password is compatible with the HTTP basic authentication mechanism used by web servers."

http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec13a13-7fe0.html

If you need to mimic the SOAP techinque you should have basic authentication enabled for your REST service endpoints.

If your authentication method is different then CF developers will need to add the appropriate HTTP headers to their service calls. Note that calling a REST service from CF would probably be accomplished using the CFHTTP tag if the service is designed to be consumed by the CF server.