Authentication via curl

In DM4 it was possible to use the JSESSIONID string and put it to use with curl like this:

curl -X POST --cookie "JSESSIONID=${sessionid}"

This would make http requests authenticated.

How is this being done for DMX?

It is supposed to work in DMX the same as in DM4.

Example: delete a topic:

$ curl -i -X DELETE --cookie JSESSIONID=ajsgj7qc3y11kz8mbm4qm05e localhost:8080/core/topic/3973
HTTP/1.1 200 OK
Date: Fri, 12 Feb 2021 23:59:59 GMT
Content-Type: application/json
Transfer-Encoding: chunked


The session ID can be taken e.g. from the browser, while logged in to the Webclient:

If it doesn’t work its possibly due to an session ID of an unauthorized user.

Note there is one difference between DM4 and DMX. In DM4 a session is created only for logged in users, and is invalidated on logout. In contrast in DMX a session is created even for anonymous users. On login (Authorization header) or logout the user keeps the session. The session is not invalidated on logout. So in DMX a session may be associated either to anonymous, or to a logged in user, and that state can change.

To debug authorization issues you can activate a fine logger in (server restart required):


ok, I will check whether I used the unauthorized user by accident.

ok, problem solved. the session id is really created earlier and it is important to check whether the user is really logged in.