Concerns: Security for Webservices in Vision Management Site
User: User Management Site
Prerequisites
The data must be uploaded to Futurama Vision in the form of a dataset
Introduction
This document describes how you can apply security to calls to a webservice in Futurama Vision.
Description
There are two ways in which webservices are involved with Futurama Vision:
- ImportUsers.svc: Importing data into Vision by using the webservice
- VisionService.svc: A collection of "VisionReferences" to read and/or store (personal) data in a Futurama application
Authentication can be configured for both webservices to secure their use. You can choose Windows or Forms Authentication. We recommend the use of a Windows user, because then you do not have to store the password in a configuration file.
Process description
Securing calls to either of the webservices consists of the following five steps:
1. First off, in the web.config of the Vision Management Site, set the Vision Security configuration setting requireCredentialsForServices="true".
2. After that, within the Vision Management Site, navigate to the Management - Security page and either define a Forms user or a Windows user for the webservice.
3. Assign the user to a User Group.
4. Define a Functional Group and assign the WebService(s) you want to secure to it.
5. Assign the Functional Group to the User Group.
Now that you have assigned permissions, make sure that you connect with the correct identity:
- Windows: the easiest way is to use Windows authentication. The identity that runs the process that calls the webservice will then be passed to Futurama Vision. So if you call Futurama Vision from an instance of Futurama Web that runs in an application pool “FuturamaWebsite” with the identity set to the default ApplicationPoolIdentity, the user that is passed to Vision is “IIS AppPool\FuturamaWebSite”. When using Windows authentication, make sure you have a wsHttp binding configured. See here
- Forms: the other way is to use a user name and password. If you use a Vision Reference you can have it automatically applied for you. Just add a username and password to the configuration of the Vision Connection and the Vision Reference will automatically add an attribute with the credentials. See here
- If you are not using Vision you can add the authentication as an HTTP header.
You can pass username and password by adding an Authorization header inside the SOAP message just as in the sample below. Futurama uses HTTP Basic authentication. The authentication token is constructed as follows:
Below is a sample of the way the Authorization header looks in a call to a Vision method.
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <futurama path="\\SERVER\FUTURAMAPATH" xmlns="http://www.actuit.nl/futurama/vision/service/header/1.0" version="18.10.46.0"/>
    <document path="c:\testvisioncall.xml" xmlns="http://www.actuit.nl/futurama/vision/service/header/1.0" version="not defined"/>
    <authorization xmlns="http://www.actuit.nl/futurama/vision/service/header/1.0" token="Basic dGVzdHVzZXJvbnppbjq0ZXN0cHdmb3V0"/>
  </s:Header>
  <s:Body>
    <request xmlns="http://www.actuit.nl/futurama/vision/service/request/1.0" version="1.0" module="General" method="Ping"/>
  </s:Body>
</s:Envelope>
You can also add the header as an HTTP header. The header should look like this: Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l. SOAP UI, for example, adds this header automatically if you select Basic Authentication for the service.
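The two ways of passing Forms credentials described above, as an added example (not Futurama's own code) that builds the token the standard HTTP Basic way (RFC 7617) and places it either in an HTTP header or in the SOAP authorization element. Base64 is an encoding, not encryption, so `decode_basic_token` recovers the password from any captured token and the call should only travel over HTTPS. Assumptions: the function names are hypothetical, Futurama is taken to follow the standard construction, and the futurama and document header elements of the sample are left out.

```python
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
HEADER_NS = "http://www.actuit.nl/futurama/vision/service/header/1.0"
REQUEST_NS = "http://www.actuit.nl/futurama/vision/service/request/1.0"


def basic_token(username: str, password: str) -> str:
    """Return 'Basic <base64(username:password)>' as defined by RFC 7617."""
    if ":" in username:
        # The first colon separates user name and password, so a colon in
        # the user name would make the server split the pair wrongly.
        raise ValueError("user name must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_token(token: str) -> tuple[str, str]:
    """Recover (username, password) from a token; no key is needed."""
    scheme, _, b64 = token.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic token")
    text = base64.b64decode(b64, validate=True).decode("utf-8")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def http_headers(username: str, password: str) -> dict[str, str]:
    """Variant 1: credentials as a plain HTTP header."""
    return {"Authorization": basic_token(username, password)}


def ping_envelope(username: str, password: str) -> str:
    """Variant 2: credentials in the SOAP header of a General/Ping call."""
    ET.register_namespace("s", SOAP_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{HEADER_NS}}}authorization",
                  {"token": basic_token(username, password)})
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{REQUEST_NS}}}request",
                  {"version": "1.0", "module": "General", "method": "Ping"})
    return ET.tostring(envelope, encoding="unicode")
```
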
Related Topics
- Import data into Futurama Vision: Describes the ways in which data can be uploaded to the Futurama Vision database.
Feedback
If you have any questions about this subject or if you want to provide us feedback please send us an e-mail.