Web Script Authentication question

mangar — Mon, 07 Jun 2021 02:04:10 GMT

I am following Jeff Pott's intro to web scripts, and I have a simple Java service that simply logs to the logfile whatever I put in a message parameter. My descriptor looks like this:

<webscript>
    <shortname>Post Logging message</shortname>
    <description>Writes a message to the log.</description>
    <url>/someco/logging/log</url>
    <format default="json">extension</format>
    <authentication runas="admin">guest</authentication>
    <transaction>required</transaction>
</webscript>

Now when I call the endpoint I get a 401 not authorized. If I add an authentication header, it works fine. I was under the impression that the authentication tag in the descriptor allows anonymous guest access. Can someone explain this to me?

Re: Web Script Authentication question

afaust — Wed, 09 Jun 2021 09:11:29 GMT

The value specified in the authentication section states that at least guest-level access is required, but that anonymous guest access still requires explicit login as the guest user. A fully anonymous access would be the `none` authentication.

Note that allowing unauthenticated or guest level access to your logs is a recipe for DDoS attacks. Make sure you properly restrict which clients / hosts can actually call this endpoint via your web proxy / application gateway.

topic Re: Web Script Authentication question in Alfresco Forum

Web Script Authentication question

Re: Web Script Authentication question