Inserting content through REST call


rui.bu...@gmail.com
Aug 28, 2017, 12:03:59 PM
to dotCMS User Group
Hi,
The title is self-explanatory.

I have a page containing a widget.
This widget works as a poll: it collects feedback on whether the page was helpful or not with a "Yes" or "No".

After the user chooses an option, "yes" or "no", I want to perform a REST API call and increment the positive or negative feedback, and here comes the tricky part.

From my research, I've noticed you allow REST calls in order to insert content, but unfortunately there isn't a way to do this without exposing the username and password in JavaScript.

Could you show me an example where I'm able to perform a REST API call without exposing my credentials?

Best regards,

Nathan Keiter
Aug 28, 2017, 12:06:33 PM
to dot...@googlegroups.com

Is it an option for you to make it anonymous?

If permissions are set to anonymous it won’t require a login.

Nathan I. Keiter | Lead Network Applications Programmer | Benefits Advisory Council Member | I.D.E.A Council Member
Gettysburg College | Information Technology | DataSystems
Campus Box 2453 | 300 North Washington Street | Gettysburg, PA 17325
Phone: 717.337.6993

https://www.gettysburg.edu

--
http://dotcms.com - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dotcms+un...@googlegroups.com.
To post to this group, send email to dot...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/e8957be8-b650-4c3f-a9ee-ab55dca84d88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mark Pitely
Aug 28, 2017, 12:17:17 PM
to dot...@googlegroups.com
That is, you set the *content structure* that you want to store your data in to have the CMS_Anonymous privileges, and it works without credentials.
Yes, someone could make code to use the API to talk to your specific content structure, but as long as it is just a simple /yes/no/comment piece you will be fine.

Here is some code that does what you are discussing, essentially, where review is called from an onchange on a select field:

function review(which) {
    var formData = new FormData();
    var request = new XMLHttpRequest();

    request.onreadystatechange = function() {
        if (request.readyState === 4) {
            if (request.status === 200) {
                console.log("Create Eiffel Connect:");
                console.log(request.responseText);
                // Reload the page, bypassing the dotCMS page cache
                location.href = "${VTLSERVLET_URI}?dotcache=refresh";
            } else {
                console.log("Error", request.statusText);
            }
        }
    };

    // Anonymous POST to the content REST endpoint: no credentials are sent,
    // so the content structure must grant CMS_Anonymous write permission
    request.open("POST", "/api/content/publish/1", true);

    var reason = "good";
    if (which == 1) reason = "needs update";
    if (which == 2) reason = "remove page";
    if (which == 3) reason = "move page";

    // Timestamp in YYYY-M-D H:M:S form for the 'reviewed' field
    var d = new Date();
    var mon = d.getMonth() + 1;
    var day = d.getDate();
    var atime = d.getFullYear() + "-" + mon + "-" + day + " " +
                d.getHours() + ":" + d.getMinutes() + ":" + d.getSeconds();
    console.log(atime);

    // Fields of the ParisPageValidate structure; the $-values are Velocity
    // variables rendered into the page server-side
    // User, PageUrl, Identifier, Highlight, Comment, Reported, ResolvedBy, Resolved
    var dataObj = {
        'stName': 'ParisPageValidate',
        'identifier1': '$dotPageContent.identifier',
        'url': '$VTLSERVLET_URI',
        'reviewed': atime,
        'state': which,
        'reason': reason,
        'reviewedby': '$reviewemail',
        'contentHost': 'SYSTEM_HOST'
    };

    formData.append('json', JSON.stringify(dataObj));
    request.send(formData);
}





Mark Pitely
Marywood University

rui.bu...@gmail.com
Aug 30, 2017, 7:22:03 AM
to dotCMS User Group
Hi, thank you for replying so quickly.
I've already considered removing the need for authentication like you suggested, but for security reasons, although we are talking about a yes/no/comment type of data, I would like to keep it secure.

Do you have any solution that provides a way to "hide" my credentials?

The dotCMS jQuery example exposes user information, which I would like to avoid for obvious reasons.

Nathan Keiter
Aug 30, 2017, 8:56:14 AM
to dot...@googlegroups.com

Can you pre-encrypt your auth header value?

Use an auth header to authenticate. Perhaps build it in a viewtool to hide username and password.

Also, if you have a tool like Chrome advanced rest client and the credentials are always the same, you could use that to generate the auth header for those credentials and then paste it into your code.

Another option would be to do the API call in Java. Build a “page between” that calls a viewtool to do the API call and then outputs the result.

Nathan Keiter
Aug 30, 2017, 9:00:41 AM
to dot...@googlegroups.com

One more option: create your own rest endpoint that extends the functionality of theirs.  But in yours, create a user object in Java for some predetermined user and use that user as the author.

rui.bu...@gmail.com
Aug 30, 2017, 9:09:09 AM
to dotCMS User Group
Nathan,
I was hoping to have a solution based on JavaScript, or Velocity, without the need to develop viewtools or REST API "proxies".

Is it possible to run an insert query from the backend with a Lucene query or something similar? That way I could develop a widget that would call the insert.

Thank you so much for all your help so far, Nathan.


Nathan Keiter
Aug 30, 2017, 9:12:13 AM
to dot...@googlegroups.com

I would say use an auth header then.

That would give access while obscuring the actual username and password values.

https://dotcms.com/docs/latest/save-content-using-rest-api#authentication

https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo?hl=en-US

Nathan Keiter
Aug 30, 2017, 9:18:34 AM
to dot...@googlegroups.com

Demo: Get encoded Auth header value from Google Advanced REST Client app.

rui.bu...@gmail.com
Aug 30, 2017, 10:09:35 AM
to dotCMS User Group
Nathan,
The last approach you mentioned takes me back to my first problem: since the authentication is encoded with base64, it's easy for someone to inspect the code and check the credentials :/.


Jason Tesser
Aug 30, 2017, 10:14:03 AM
to dotCMS User Group
You should be running SSL, which addresses the concern.

Nathan Keiter
Aug 30, 2017, 10:15:16 AM
to dot...@googlegroups.com

Does it matter?

I mean create a dummy user “Johny Content Rater” with username and password. Grant a role to be able to add this content type and nothing else.

That way it’s not a real user’s credentials.

Nathan Keiter
Aug 30, 2017, 10:16:09 AM
to dot...@googlegroups.com

I think he’s worried about someone doing a “view source” on the page.

Mark Pitely
Aug 30, 2017, 11:00:35 AM
to dot...@googlegroups.com
Any way you do it, a skilled person should be able to reconstruct the process, since you are relying on JavaScript to do the work.
The truth is the API is there anyway; there's always going to be that hole. I agree that it would be terrible to put out your credentials in plaintext, but that's what CMS_Anonymous content is for.
You could use some sort of external store (MySQL) to write to, if you like, that does nothing but keep that count if you want to be ridiculously secure, but that won't change the essential insecurity of a Java-based API running your system in the first place.

jonathan...@dotcms.com
Aug 30, 2017, 12:28:30 PM
to dotCMS User Group
Hi all,

Basic authentication is just doing base64 or something like that; there isn't any encryption in there even if it is not human-readable, so you are still sharing your credentials. However, there might be a few choices for you, all of them with pros/cons:

1) You can use JWT

curl -H "Content-Type: application/json" -X POST -d '{ "user":"ad...@dotcms.com", "password":"admin", "expirationDays": "10" }' http://localhost:8080/api/v1/authentication/api-token

This will return something like:
{
    "entity": {
        "token": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJpWEtweXU2QmtzcWI0MHZNa3VSUVF3PT0iLCJpYXQiOjE1MDQxMDcwNjUsInN1YiI6IntcInVzZXJJZFwiOlwiaVhLcHl1NkJrc3FiNDB2TWt1UlFRd1xcdTAwM2RcXHUwMDNkXCIsXCJsYXN0TW9kaWZpZWRcIjoxNDg0MjU1MDc4MDAwLFwiY29tcGFueUlkXCI6XCJkb3RjbXMub3JnXCJ9IiwiaXNzIjoiaVhLcHl1NkJrc3FiNDB2TWt1UlFRdz09IiwiZXhwIjoxNTA0OTcxMDY1fQ.f7MZkn-TwzDGN58XCIHn4lJC8irFhiHDw1wJwrj7Os4"
    },
    "errors": [],
    "i18nMessagesMap": {},
  

The token value might be used in your header, such as:
Authorization: Bearer <token>

In our example:

Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJpWEtweXU2QmtzcWI0MHZNa3VSUVF3PT0iLCJpYXQiOjE1MDQxMDcwNjUsInN1YiI6IntcInVzZXJJZFwiOlwiaVhLcHl1NkJrc3FiNDB2TWt1UlFRd1xcdTAwM2RcXHUwMDNkXCIsXCJsYXN0TW9kaWZpZWRcIjoxNDg0MjU1MDc4MDAwLFwiY29tcGFueUlkXCI6XCJkb3RjbXMub3JnXCJ9IiwiaXNzIjoiaVhLcHl1NkJrc3FiNDB2TWt1UlFRdz09IiwiZXhwIjoxNTA0OTcxMDY1fQ.f7MZkn-TwzDGN58XCIHn4lJC8irFhiHDw1wJwrj7Os4

Two things to keep in mind: the token will be valid for 10 days (you can change that when you create it).
It is still a security issue since the token could be used to call the API, but at least your user and password are safe, and you can limit the user's permissions on dotCMS.

2) You can create a proxy that wraps the request; for instance, you can create a Node.js server that takes the request and resends it with credentials to dotCMS (but it will require more infrastructure), or you can create an open endpoint in dotCMS that calls ContentResource (in the same instance, but it will add some overhead to the request), etc.

3) You can create a filter that intercepts the call and adds the credentials for a specific call/URL (minimum overhead, but you need to write a plugin to add the filter).

4) You can extend ContentResource in something like MyContentResource and expose a public method that calls the subsequent logic; in that method you can add the logic to artificially send the credentials to the endpoint, etc. (you might need to override the class with a plugin).

My 2 cents,
J
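As an added example (not code from the thread, from dotCMS or from any poster), this Node.js module is the server-side half of option 2 above and of the "page between" suggested earlier: the browser posts only its vote, the API token from option 1 stays in a server environment variable, and the module also shows why a Basic header (unlike the JWT payload) hands over the password itself. Assumed and not on the page: the DOTCMS_URL and DOTCMS_API_TOKEN variables, the "PageFeedback" content type, and that /api/content/publish/1 accepts the json field url-encoded as well as multipart.

```javascript
// Token returned by the /api/v1/authentication/api-token call quoted in the thread
// (long expired; used only to show what a JWT reveals without the signing key).
const THREAD_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJpWEtweXU2QmtzcWI0MHZNa3VSUVF3PT0iLCJpYXQiOjE1MDQxMDcwNjUsInN1YiI6IntcInVzZXJJZFwiOlwiaVhLcHl1NkJrc3FiNDB2TWt1UlFRd1xcdTAwM2RcXHUwMDNkXCIsXCJsYXN0TW9kaWZpZWRcIjoxNDg0MjU1MDc4MDAwLFwiY29tcGFueUlkXCI6XCJkb3RjbXMub3JnXCJ9IiwiaXNzIjoiaVhLcHl1NkJrc3FiNDB2TWt1UlFRdz09IiwiZXhwIjoxNTA0OTcxMDY1fQ.f7MZkn-TwzDGN58XCIHn4lJC8irFhiHDw1wJwrj7Os4";

// Decode the JWT payload without verifying it. Anyone holding the token can do this:
// it leaks the user id and expiry but, unlike a Basic header, never the password.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  // Node's base64 decoder accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Lifetime in seconds as issued (the thread's request asked for expirationDays = 10).
function tokenLifetimeSeconds(token) {
  const { iat, exp } = decodeJwtPayload(token);
  return exp - iat;
}

// True while the token is usable at `nowSeconds` (defaults to the current time).
function tokenIsValid(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  return decodeJwtPayload(token).exp > nowSeconds;
}

// Basic auth is only base64: the header decodes straight back to user and password.
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+(\S+)$/.exec(headerValue);
  if (!m) throw new Error("not a Basic header");
  const [user, ...rest] = Buffer.from(m[1], "base64").toString("utf8").split(":");
  return { user: user, password: rest.join(":") };
}

// Build the upstream dotCMS request for one vote. Only "yes"/"no" pass, so a caller of
// the proxy cannot push arbitrary fields through the service account. Assumes the
// endpoint accepts the `json` field url-encoded as well as multipart (placeholder names:
// DOTCMS_URL, DOTCMS_API_TOKEN, content type "PageFeedback").
function buildUpstreamRequest(vote, pageUrl, env = process.env) {
  if (vote !== "yes" && vote !== "no") throw new Error("vote must be yes or no");
  if (!tokenIsValid(env.DOTCMS_API_TOKEN)) throw new Error("API token expired; reissue it");
  const body = new URLSearchParams();
  body.set("json", JSON.stringify({
    stName: "PageFeedback",
    url: pageUrl,
    helpful: vote,
    reviewed: new Date().toISOString(),
    contentHost: "SYSTEM_HOST",
  }));
  return {
    method: "POST",
    url: env.DOTCMS_URL + "/api/content/publish/1",
    headers: {
      Authorization: "Bearer " + env.DOTCMS_API_TOKEN, // never sent to the browser
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: body.toString(),
  };
}
```

Wire `buildUpstreamRequest` behind a route that accepts only the vote from the widget and hand its result to `fetch`; the token then never appears in the page source, and its `exp` check tells you when to reissue it.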
