5 Replies Latest reply: Jan 29, 2013 8:03 AM by pradeepmandalik RSS

    Anonymous Access to a web service

    Emile Senga

      I am implementing a number of web-services, but need some to be accessible anonymously. Right now all services request a username and password prior to fulfilling a call. I saw a @AlwaysAllowAnonymous annotation for some actions, but would like to know what the equivalent is for web services (whether defined in spring or elsewhere).

       

      Any help is appreciated.

       

      Emile.

        • Re: Anonymous Access to a web service
          Ryan Rutan

          I honestly dont know the answer to this one.   Let me see if I can find out from someone.

          • Re: Anonymous Access to a web service
            Phillip Dorrell

            I believe you could do this by modifying the filter chain for your custom web services. You can build an anonymous/pseudo-anonymous authentication object in the new filterr and set it in the session. Be sure that it gets invoked before the basic httpauthentication filter.

            • Re: Anonymous Access to a web service
              Brian Nettles

              I actually have been working a lot with the REST call web services lately.

               

              Your GET calls can always be anoymous except when accessing protected resources.  Just drop it in the browser and you will see.

               

              https://myjiveinstance.com/rpc/rest/userService/usersByID/2007

               

              pldorrell is correct in that you can override the filters.  The JiveBasicProcessingFilter is used with the REST calls but not the SOAP calls. (I have not figured out the filtering for SOAP).  My guess is that if you use this approach and automatically authenticate a guest account, you will still get blocked when space permissions are more restrictive than allowing guests to access the resource.

               

              Unless there is a real reason you cannot do it, I would just grab a generic user account and include thier credentials in the header of the REST call.  There is a lot of damage that can be inflicted on your site if you give the anonymous user full power in the REST arena and if I am incorrect on the one previous paragraph.

               

              I just wrote this blog post last night which may be of help to you.

              http://trisummit.net/2012/02/06/using-rest-on-jive-sbs/

                • Re: Anonymous Access to a web service
                  Emile Senga

                  Hi Brian,

                   

                  Sorry for the silence, been a little busy.

                   

                  My goal is to make only a limited number of methods in a particular service (or the entire service itself) accessible anonymously. I am not sure creating an anonymous account helps because the SBS asks for authentication before hitting the method (whether I copy and past the link to the browser or use a REST Client).

                   

                  I've been working on a solution that uses Filters to allow anonymous users through to very specific URLs, e.g. /__services/_myservice/**. I am struggling a little with it, but I think this is the right approach. If you have any experience with this, or have a better solution, please do let me know.

                   

                  Emile.