Authentication via curl

In DM4 it was possible to use the JSESSIONID string and put it to use with curl like this:

curl -X POST --cookie "JSESSIONID=${sessionid}"

This would make http requests authenticated.

How is this being done for DMX?

It is supposed to work in DMX the same as in DM4.

Example: delete a topic:

$ curl -i -X DELETE --cookie JSESSIONID=ajsgj7qc3y11kz8mbm4qm05e localhost:8080/core/topic/3973
HTTP/1.1 200 OK
Date: Fri, 12 Feb 2021 23:59:59 GMT
Content-Type: application/json
Transfer-Encoding: chunked
...

{"directives":[{"type":"DELETE_ASSOCIATION","arg":{"id":3975,"uri":"","typeUri":"dmx.core.instantiation","value":"","children":{},"player1":{"topicId":6,"roleTypeUri":"dmx.core.type"},"player2":{"assocId":3974,"roleTypeUri":"dmx.core.instance"}}},
...

The session ID can be taken e.g. from the browser, while logged in to the Webclient.

If it doesn’t work, it’s possibly due to a session ID of an unauthorized user.

Note there is one difference between DM4 and DMX. In DM4 a session is created only for logged-in users, and is invalidated on logout. In contrast, in DMX a session is created even for anonymous users. On login (Authorization header) or logout the user keeps the session. The session is not invalidated on logout. So in DMX a session may be associated either with an anonymous or with a logged-in user, and that state can change.

To debug authorization issues you can activate a fine logger in logging.properties (server restart required):

systems.dmx.accesscontrol.AccessControlPlugin.level=FINE

OK, I will check whether I used the unauthorized user by accident.

OK, problem solved. The session ID is really created earlier and it is important to check whether the user is really logged in.

Thanks!
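
The check this thread ends on, as an added example that is not part of the original posts and not DMX project code: because DMX hands a JSESSIONID to anonymous users too, confirm which user a session belongs to before sending authenticated requests with it. It assumes that `GET /access-control/user` returns the logged-in username as plain text and an empty response for an anonymous session; the function names and the `DMX_BASE` variable are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: GET /access-control/user answers with the username
# of the session's logged-in user, or an empty body (204) for an anonymous session.

DMX_BASE="${DMX_BASE:-http://localhost:8080}"   # host and port as used in the thread
nl='
'

# classify_session STATUS BODY
# Prints "user:<name>", "anonymous" or "error:<status>".
classify_session() {
    status=$1 body=$2
    case "$status" in
        200) if [ -n "$body" ]; then printf 'user:%s\n' "$body"; else echo anonymous; fi ;;
        204) echo anonymous ;;
        *)   printf 'error:%s\n' "$status" ;;
    esac
}

# session_owner SESSIONID
# Asks the server who owns the session; curl appends the status code on its own line.
session_owner() {
    resp=$(curl -s -w '\n%{http_code}' --cookie "JSESSIONID=$1" \
        "$DMX_BASE/access-control/user") || { echo "error:unreachable"; return 0; }
    classify_session "${resp##*"$nl"}" "${resp%"$nl"*}"
}

# require_login SESSIONID
# Succeeds only when the session is bound to a logged-in user, so a script
# can stop before issuing a DELETE with an anonymous session.
require_login() {
    owner=$(session_owner "$1")
    case "$owner" in
        user:*) echo "session belongs to ${owner#user:}" ;;
        *)      echo "refusing to continue: session is $owner" >&2; return 1 ;;
    esac
}
```

Typical use is `require_login "$sessionid" && curl -i -X DELETE --cookie "JSESSIONID=$sessionid" ...`, repeated before each batch of requests since the same session can switch between anonymous and logged-in.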