Concerns: Security for Webservices in Vision Management Site

User: User Management Site

Prerequisites

The data must be uploaded to Futurama Vision in the form of a dataset.

Introduction

This document describes how to apply security to calls to a webservice in Futurama Vision.

Description

There are two ways in which webservices are involved with Futurama Vision:

  • ImportUsers.svc: Importing data into Vision by using the webservice
  • VisionService.svc: A collection of "VisionReferences" to read and/or store (personal) data in a Futurama application

Authentication can be configured for both webservices to secure their use. You can choose Windows or Forms Authentication. We recommend the use of a Windows user, because you do not have to store the password in a configuration file.

Process description

Securing calls to either of the webservices consists of the following five steps:

1. First, in the web.config of the Vision Management Site, set the configuration setting for Vision Security to requireCredentialsForServices="true".

2. After that, within the Vision Management Site, navigate to the Management - Security page and define either a Forms user or a Windows user for the webservice.

3. Assign the user to a User Group.

4. Define a Functional Group and assign the WebService(s) you want to secure to it.

5. Assign the Functional Group to the User Group.

Now that you have assigned permissions, make sure that you connect with the correct identity:

  • Windows: the easiest way is to use Windows authentication. The identity that runs the process that calls the webservice will then be passed to Futurama Vision. So if you call Futurama Vision from an instance of Futurama Web that runs in an application pool “FuturamaWebsite” with the identity set to the default ApplicationPoolIdentity, the user that is passed to Vision is “IIS AppPool\FuturamaWebSite”. When using Windows authentication, make sure you have a wsHttp binding configured. See here
  • Forms: the other way is to use a user name and password. If you use a Vision Reference you can have it automatically applied for you. Just add a username and password to the configuration of the Vision Connection and the Vision Reference will automatically add an attribute with the credentials. See here
  • If you are not using Vision, you can add the authentication as an HTTP header.

Passing a username and password with a header in the SOAP call

You can pass the username and password by adding an authorization header inside the SOAP message, as in the sample below. Futurama uses HTTP Basic authentication. The authentication token is constructed as follows:

  1. The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
  2. The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.
  3. The resulting string is encoded using a variant of Base64.
  4. The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.

Below is a sample of how the authorization header looks in a call to a Vision method.

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
	<s:Header>
		<futurama path="\\SERVER\FUTURAMAPATH" xmlns="http://www.actuit.nl/futurama/vision/service/header/1.0" version="18.10.46.0"/>
		<document path="c:\testvisioncall.xml" xmlns="http://www.actuit.nl/futurama/vision/service/header/1.0" version="not defined"/>
		<authorization xmlns="http://www.actuit.nl/futurama/vision/service/header/1.0" token="Basic dGVzdHVzZXJvbnppbjq0ZXN0cHdmb3V0"/>
	</s:Header>
	<s:Body>
		<request xmlns="http://www.actuit.nl/futurama/vision/service/request/1.0" version="1.0" module="General" method="Ping"/>
	</s:Body>
</s:Envelope>

You can also add the header as an HTTP header. The header should look like this: Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l. SoapUI, for example, does this automatically for you if you select Basic Authentication for the service.
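
The four construction steps above, worked through as an added example (this is not code from Futurama or its documentation). The function names are hypothetical, UTF-8 is assumed as the character set, and the sample credentials are the ones encoded in the HTTP header shown above; parse_basic_token shows that the token is only encoded, not encrypted.

```python
import base64
import binascii

# Namespace of the Vision service header, copied from the sample on this page.
VISION_HEADER_NS = "http://www.actuit.nl/futurama/vision/service/header/1.0"


def build_basic_token(username, password):
    """Steps 1-4: join with ':', encode to octets, Base64, prepend 'Basic '."""
    if ":" in username:
        # The receiver splits on the first colon, so a colon in the username
        # would move part of it into the password.
        raise ValueError("username must not contain ':'")
    octets = f"{username}:{password}".encode("utf-8")  # assumption: UTF-8
    return "Basic " + base64.b64encode(octets).decode("ascii")


def parse_basic_token(token):
    """Reverse the encoding, as anyone who can read the message can."""
    scheme, _, encoded = token.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic token")
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password  # the password may itself contain colons


def http_header(username, password):
    """Credentials as an HTTP header."""
    return {"Authorization": build_basic_token(username, password)}


def soap_authorization_element(username, password):
    """Credentials as the authorization element of the SOAP header."""
    # "Basic " plus Base64 output contains no XML special characters,
    # so the token needs no attribute escaping.
    token = build_basic_token(username, password)
    return f'<authorization xmlns="{VISION_HEADER_NS}" token="{token}"/>'


if __name__ == "__main__":
    print(http_header("Aladdin", "OpenSesame"))  # constructed sample credentials
    print(parse_basic_token("Basic QWxhZGRpbjpPcGVuU2VzYW1l"))
```

Because the token decodes straight back to the clear-text password, the service endpoint should only be reachable over HTTPS when Forms credentials are used.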

Related Topics

- Import data into Futurama Vision: Describes the ways in which data can be uploaded to the Futurama Vision database.

Feedback

If you have any questions about this subject or if you want to provide us with feedback, please send us an e-mail.

Updated: 2018-11-06