In DM4 it was possible to use the JSESSIONID string and put it to use with curl like this:
curl -X POST --cookie "JSESSIONID=${sessionid}"
This would make http requests authenticated.
How is this being done for DMX?
It is supposed to work in DMX the same as in DM4.
Example: delete a topic:
$ curl -i -X DELETE --cookie JSESSIONID=ajsgj7qc3y11kz8mbm4qm05e localhost:8080/core/topic/3973
HTTP/1.1 200 OK
Date: Fri, 12 Feb 2021 23:59:59 GMT
Content-Type: application/json
Transfer-Encoding: chunked
...
{"directives":[{"type":"DELETE_ASSOCIATION","arg":{"id":3975,"uri":"","typeUri":"dmx.core.instantiation","value":"","children":{},"player1":{"topicId":6,"roleTypeUri":"dmx.core.type"},"player2":{"assocId":3974,"roleTypeUri":"dmx.core.instance"}}},
...
The session ID can be taken e.g. from the browser, while logged in to the Webclient:
If it doesn’t work, it’s possibly due to a session ID of an unauthorized user.
Note there is one difference between DM4 and DMX. In DM4 a session is created only for logged-in users, and is invalidated on logout. In contrast, in DMX a session is created even for anonymous users. On login (Authorization header) or logout the user keeps the session. The session is not invalidated on logout. So in DMX a session may be associated either with an anonymous user or with a logged-in user, and that state can change.
To debug authorization issues you can activate a fine logger in logging.properties (server restart required):
systems.dmx.accesscontrol.AccessControlPlugin.level=FINE
OK, I will check whether I used the unauthorized user by accident.
OK, problem solved. The session ID is really created earlier and it is important to check whether the user is really logged in.
Thanks!