Solstice supports two methods of authenticating as a webservice client, either with an SSL certificate or by signing your request with a private key.
SSL Certificate Authentication
You may use an SSL client certificate to secure requests. This is NOT necessary if you are using request signing as described below.
The administrator of your Solstice installation needs to provide you with an SSL Certificate signed by an authority the Solstice server trusts. The process of creating this certificate looks something like this: http://hausheer.osola.com/docs/9
You may then load the certificate into your client program, and make requests as normal. Loading a certificate into Firefox, for example, looks like this.
And an example of securing a request in Perl:
Perl
use strict;
use warnings;
use LWP::UserAgent;
use Crypt::SSLeay;

# Client certificate and private key presented to the server during the SSL handshake
$ENV{HTTPS_CERT_FILE} = 'example.signed.cert';
$ENV{HTTPS_KEY_FILE} = 'example.key.pem';

my $content = '';
my $host = 'https://solstice.example.washington.edu';
my $url = '/rest/crowds/v1/person/soluser';
my $method = 'GET';

my $ua = LWP::UserAgent->new;
$ua->agent( "Solstice Webservices Client/0.1 " );

my $req = HTTP::Request->new( $method => $host . $url );
# length() rather than truthiness, so a body of "0" is still sent
$req->content( $content ) if length $content;

my $res = $ua->request( $req );
if ( $res->is_success ) {
    print $res->content;
} else {
    print $res->status_line, "\n";
    print $res->content;
}
Other SSL certificate examples:
SolAuth Authentication Header
You may authenticate your requests by filling out the HTTP "Authorization" header with a specially constructed signature. This is NOT necessary if you are using an SSL cert, described above.
To start with, the administrator of your Solstice installation needs to provide you with a public ID and a private key. Your public ID is not sensitive information, but you should keep your private key well-protected. It is comparable to a private SSH key for the Solstice web service authentication.
This information is used to create a hash of the key data included in your request. The data that needs to be hashed looks like this:
Private Key\n
HTTP Method\n
URI\n
Date\n
Request Content SHA1 Sum or empty if no content
So, an example of this string for putting a file might be:
asdf7sdfa89sd7fg234g
PUT
/rest/webfiles/foo.png?comment=None
Thu Jun 21 11:44:18 PDT 2007
6efcf51359b3ead694a35d94dc32c7c00f21333e
Once you have the SHA1 sum of this string, it is included in the request as a part of the Authorization header. The format of the Authorization header is: SolAuth PublicID:Signature. For instance, the above string would sign the following HTTP request:
PUT /rest/webfiles/foo.png?comment=None HTTP/1.1
Date: Thu Jun 21 11:44:18 2007
Authorization: SolAuth PublicID:f99165696fb7e0755917872224b1947fc531c294
This scheme is very similar to Amazon's authentication method.
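The signing rule above, together with the check a receiving service would have to make, as an added example that is not part of the original page or of Solstice's own code. It is written in Python rather than Perl; the verify function, the lookup_key callback and the BODY bytes are assumptions made for illustration, while the key, URI and date are the page's example values.

```python
import hashlib
import hmac

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def string_to_sign(private_key, method, uri, date, body=b""):
    # Field order from the page: key, method, URI, date, SHA1 of the content
    # (an empty string when the request has no content).
    content_sha1 = sha1_hex(body) if body else ""
    return "\n".join([private_key, method, uri, date, content_sha1])

def authorization_header(public_id, private_key, method, uri, date, body=b""):
    to_sign = string_to_sign(private_key, method, uri, date, body)
    return f"SolAuth {public_id}:{sha1_hex(to_sign.encode())}"

def verify(header, lookup_key, method, uri, date, body=b""):
    # Assumed receiving-side check (not Solstice's code): recompute the
    # header from the request as received and compare in constant time.
    scheme, _, credentials = header.partition(" ")
    public_id, sep, _signature = credentials.rpartition(":")
    if scheme != "SolAuth" or not sep:
        return False
    private_key = lookup_key(public_id)  # hypothetical key-store lookup
    if private_key is None:
        return False
    expected = authorization_header(public_id, private_key, method, uri, date, body)
    return hmac.compare_digest(expected.encode(), header.encode())

# Key, URI and date are the page's example values; BODY is constructed.
KEY = "asdf7sdfa89sd7fg234g"
URI = "/rest/webfiles/foo.png?comment=None"
DATE = "Thu Jun 21 11:44:18 PDT 2007"
BODY = b"constructed sample file bytes"
KEYS = {"PublicID": KEY}

if __name__ == "__main__":
    header = authorization_header("PublicID", KEY, "PUT", URI, DATE, BODY)
    print(header)
    print("as sent:       ", verify(header, KEYS.get, "PUT", URI, DATE, BODY))
    print("body altered:  ", verify(header, KEYS.get, "PUT", URI, DATE, BODY + b"!"))
    print("method altered:", verify(header, KEYS.get, "DELETE", URI, DATE, BODY))
```

Because every field of the string is hashed, changing the method, URI, date or body after signing makes verify return False. The page does not describe a freshness check on Date, so a verifier that wants to reject replayed requests has to enforce its own time window.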
Here is an example of programmatically creating an authenticated request in Perl:
Perl
use strict;
use warnings;
use Digest::SHA1 qw(sha1_hex);
use LWP::UserAgent;

my $private_key = '12345';
my $public_id = 'mcrawfor';
my $content = '';
my $host = "http://solstice.example.washington.edu";
my $url = "/tools/rest/webq/v1/?foo=blah";
my $method = "GET";

# Build the auth key: SHA1 over key, method, URI, date and content SHA1,
# joined by newlines in that order
my $date = localtime;
# length() rather than truthiness, so a body of "0" is still hashed and sent
my $content_sha1 = length($content) ? sha1_hex($content) : '';
my $to_sign = "$private_key\n$method\n$url\n$date\n$content_sha1";
my $auth_key = "SolAuth $public_id:" . sha1_hex($to_sign);

my $ua = LWP::UserAgent->new;
$ua->agent("Solstice Webservices Client/0.1 ");

my $req = HTTP::Request->new($method => $host . $url);
$req->content($content) if length $content;
$req->header('Content-SHA1', $content_sha1) if length $content;
# The Date header must carry the same value that was signed
$req->header('Date', $date);
$req->header('Authorization', $auth_key);

my $res = $ua->request($req);
if ($res->is_success) {
    print $res->content;
}
else {
    print $res->status_line, "\n";
    print $res->content;
}
Other signing examples: