Authenticating external requests to bpm'online services
Introduction
A critical part of most web applications is identifying the users and managing their access to the application’s resources. Authentication is the process of confirming the user’s identity. To pass authentication, the user must prove that the login attempt really comes from that particular user. Usually, the identity proof consists of the user’s credentials: login and password.
All external requests to web services must be authenticated. Bpm’online supports the following authentication methods:
- Anonymous authentication.
- Basic authentication.
- Authentication via Cookies (the “Form-based authentication”).
Advantages and disadvantages of different methods of authentication are available in table 1.
Table 1. Authentication type comparison
Authentication type | Advantages | Disadvantages | Usage
---|---|---|---
Anonymous | Best performance. Does not require user account management. | Does not identify individual users. | Access to bpm’online public functions, such as the login page, logo, certain web services.
Basic | Widely used. Works with proxy servers. Identifies individual users. | Not secure without SSL/TLS. | Only access to EntityDataService.svc (OData).
Forms (Cookies) | Additional attributes for user credentials. Identifies individual users. | Not secure without SSL/TLS. | Most of bpm’online resources and web services.
Details on each method are available below.
Anonymous authentication
Anonymous authentication provides user access to the publicly available functions of the web application without the need to enter login credentials. From the technical perspective, no authentication is performed, since the user does not have to provide a username and password. Instead, IIS uses the credentials of a dedicated Windows account that were configured in advance.
Anonymous authentication is performed on the IIS level and is enabled by default. When anonymous authentication is used, IIS does not require any other authentication scheme, provided that this anonymous account has the corresponding NTFS access permissions to the resource.
Advantages
- Provides the best performance.
- Does not require user account management.
Disadvantages
- Does not identify users individually.
Usage
In bpm’online, anonymous authentication is used for accessing resources that are provided to all users, without authentication. Such resources include the login page, website logo, several web services (for example, AuthService.svc, UserService.svc, etc.).
Basic authentication
Basic authentication is part of the HTTP specification. It is a standard authentication method based on HTTP headers: the user credentials (username and password) are Base64-encoded and added to the Authorization header of the request to the service. Basic authentication is also performed on the IIS level.
ATTENTION
Basic authentication is not a secure authentication method, since the credentials are transmitted in cleartext (Base64 is an encoding, not encryption, and is trivially reversed). Use this authentication method only when interacting with the system over SSL/TLS (HTTPS).
To ensure security during the data transfer, authenticate external requests to bpm’online via AuthService.svc.
ATTENTION
To use Basic authentication in an application integrated with bpm’online, disable protection from CSRF attacks.
Advantages
- This authentication method is part of HTTP 1.0 specification and is widely used.
- Can perform authentication through proxy servers.
- Identifies users individually.
Disadvantages
- Not secure without SSL/TLS.
Usage
ATTENTION
Using Basic authentication, you can authenticate users only in the EntityDataService.svc, which provides integration with bpm’online via the OData protocol. It is recommended to use AuthService.svc and the corresponding Cookies for all other external requests.
Form-based authentication (Cookies)
ASP.NET has additional authentication methods that are performed only after IIS authentication (usually, anonymous).
One of the additional authentication methods implemented in ASP.NET is Form-based authentication (also known as Cookie-based authentication).
The Form-based authentication provider accepts user account data sent in a POST request (for example, from an HTML or AJAX form). The user provides the username and password for authentication directly to the web application. After successful authentication, the application issues the user an authentication cookie that must be included in all subsequent requests. If a request to a protected resource does not contain this cookie, the application redirects the user to the login page. For more on Form-based authentication, please see a separate article.
Bpm’online’s Form-based authentication uses the AuthService.svc web service.
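The following added example (not bpm’online’s own code) models the two authenticated flows described in the Basic authentication section and in this one: a Basic Authorization header checked on an OData-style path, and a POST login that issues a cookie which every later request must carry, with a redirect to the login page when the cookie is missing. Everything runs against a toy HTTP server on loopback using only the Python standard library. The service paths, the JSON login body (UserName/UserPassword), the `{"Code":0}` response, the `.ASPXAUTH` cookie name and the SomeService.svc path are assumptions made for this example, not the product’s real API; the demo account is constructed. The example also shows why the page insists on TLS for Basic: the header is decoded back into the password in one line.

```python
import base64
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo account, paths and login body: assumptions for this example.
USERS = {"Supervisor": "demo-password"}
SESSIONS = {}                                   # cookie value -> user name
LOGIN_PATH = "/ServiceModel/AuthService.svc/Login"
ODATA_PATH = "/0/ServiceModel/EntityDataService.svc/Contact"
APP_PATH = "/0/ServiceModel/SomeService.svc/Get"   # hypothetical protected service
AUTH_COOKIE = ".ASPXAUTH"                       # ASP.NET forms cookie name (assumed)

def basic_auth_header(username, password):
    """RFC 7617 header: 'Basic ' + base64('user:pass'). Encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def credentials_from_basic_header(value):
    """Recover user and password from a Basic header: trivial for anyone reading plain HTTP."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

class Handler(BaseHTTPRequestHandler):   # toy server: Basic on OData, cookie on app
    def log_message(self, *args):               # silence per-request logging
        pass

    def _send(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):                          # forms login: credentials in body
        if self.path != LOGIN_PATH:
            return self._send(404)
        length = int(self.headers.get("Content-Length", 0))
        creds = json.loads(self.rfile.read(length) or b"{}")
        if USERS.get(creds.get("UserName")) != creds.get("UserPassword"):
            return self._send(401)
        cookie = secrets.token_urlsafe(32)      # unguessable session identifier
        SESSIONS[cookie] = creds["UserName"]
        self._send(200, b'{"Code":0}',
                   [("Set-Cookie", f"{AUTH_COOKIE}={cookie}; HttpOnly; Path=/")])

    def do_GET(self):
        if self.path == ODATA_PATH:             # Basic: credentials on every request
            creds = credentials_from_basic_header(self.headers.get("Authorization", ""))
            if creds and USERS.get(creds[0]) == creds[1]:
                return self._send(200, b"<feed/>")
            return self._send(401, headers=[("WWW-Authenticate", 'Basic realm="odata"')])
        if self.path == APP_PATH:               # cookie auth: no cookie -> login page
            raw = self.headers.get("Cookie", "")
            cookies = dict(c.strip().split("=", 1) for c in raw.split(";") if "=" in c)
            if cookies.get(AUTH_COOKIE) in SESSIONS:
                return self._send(200, b"{}")
            return self._send(302, headers=[("Location", "/Login/Login.html")])
        self._send(404)

def request(port, method, path, headers=None, body=None):
    """One request to the toy server; returns (status, Set-Cookie value or None)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    return resp.status, resp.getheader("Set-Cookie")

def forms_login(port, username, password):
    """POST credentials to the login service; return the 'name=value' cookie or None."""
    body = json.dumps({"UserName": username, "UserPassword": password})
    status, set_cookie = request(port, "POST", LOGIN_PATH,
                                 {"Content-Type": "application/json"}, body)
    return set_cookie.split(";")[0] if status == 200 and set_cookie else None

def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)   # loopback only, random port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    good = basic_auth_header("Supervisor", "demo-password")
    bad = basic_auth_header("Supervisor", "wrong")
    cookie = forms_login(port, "Supervisor", "demo-password")
    results = {
        "basic_ok": request(port, "GET", ODATA_PATH, {"Authorization": good})[0],
        "basic_bad": request(port, "GET", ODATA_PATH, {"Authorization": bad})[0],
        "forms_ok": request(port, "GET", APP_PATH, {"Cookie": cookie})[0],
        "forms_no_cookie": request(port, "GET", APP_PATH)[0],
        "leaked": credentials_from_basic_header(good),   # Base64 is reversible
    }
    server.shutdown()
    return results
```

Calling `demo()` returns the statuses observed in each case: 200 for a correct Basic header and for a request carrying the cookie, 401 for a wrong Basic password, 302 to the login page when the cookie is absent, and the original username and password recovered from the Basic header. A real client should keep the cookie in an `http.cookiejar` rather than copying the `Set-Cookie` value by hand, and should refuse to send either the Basic header or the cookie over anything but HTTPS.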
Advantages
- In addition to login and password, Form-based authentication enables using other attributes of user accounts, such as email address.
- Identifies users individually.
Disadvantages
- Unless SSL/TLS is used, can be subject to attacks that exploit the cookie’s lifespan (an intercepted cookie can be replayed until it expires).
Usage
This authentication method is used for accessing most of bpm’online resources and pages.
ATTENTION
Starting with version 7.10, bpm’online has a mechanism for protection from CSRF attacks. To enable the protection, make additional changes to the integration processes that use DataService or OData (see "Protection from CSRF attacks during integration with bpm'online").