Once the DAISY Pipeline has been installed, it can be configured to accept only authenticated responses via the Java property
org.daisy.pipeline.ws.authentication. With this property set to
true, client applications must submit authenticated requests.
Upon being accepted as a Pipeline application, each client receives an authentication ID and a secret string, which they must keep secret. The process for submitting an authenticated request is as follows:
Here, we will assume the authentication ID is “myclient” and the secret is “mysecret”.
authid: The client identifier is issued when the client signs up to be a Pipeline client app. There is one identifier/secret pair issued per application. Example:
time: The timestamp must be UTC and must be formatted in ISO 8601. Example:
nonce: A nonce is a number used once. The client should generate a unique nonce for every request. Example:
Then the client takes this URI string and generates an HMAC SHA1 hash using their secret. The hash function looks roughly like this:
hashString = createHash("http://example.org/ws/scripts?authid=myclient&time=2012-02-09T02:23:40Z&nonce=533473712461604713238933268313", "mysecret") print hashString gq/lpIuWqEDjhWviAjyccNTzdZk=
Now escape the hash string so it can be passed as part of a URI:
Finally, append the escaped hash string to the URI. It must be the last query parameter.
This is the URI to submit to the Web Service. If
myclient has a
permission level to do what they want, then their request will be
accepted. Currently, only admin requests require a client to have a
special permission level (
ADMIN instead of the default