Article
· Feb. 14 · 5 min read

HTTP and HTTPS with REST API

Hello

The HTTP protocol allows you to obtain resources, such as HTML documents. It is the basis of any data exchange on the Web and a client-server protocol, meaning that requests are initiated by the recipient, usually a Web browser.

REST APIs take advantage of this protocol to exchange messages between client and server. This makes REST APIs fast, lightweight, and flexible. REST APIs use the HTTP verbs GET, POST, PUT, DELETE, and others to indicate the actions they want to perform.

When we make a call to a REST API, what actually happens is an HTTP call. The API receives this call and, according to the requested verb and path, performs the desired action. In the IRIS implementation we can see this clearly in the UrlMap definition:

XData UrlMap
{
<Routes>
    <Route Url="/cliente" Method="POST" Call="Incluir" Cors="true"/>
    <Route Url="/cliente/:chave" Method="PUT" Call="Alterar" Cors="true"/>
    <Route Url="/cliente/:chave" Method="DELETE" Call="Deletar" Cors="true"/>
    <Route Url="/cliente/:chave" Method="GET" Call="Pesquisar" Cors="true"/>
    <Route Url="/cliente" Method="GET" Call="Listar" Cors="true"/>
</Routes>
}

Notice that we have the path (Url) and the verb (Method) defined for each call (Call). Thus, the code that serves the API knows what it should do.

When we use HTTP, we have to keep in mind that the data in transit is in the clear, that is, it is not protected by any type of encryption. Anyone who is able to capture the packets will be able to see what is being transferred between the client and the server.

Let's look, for example, at a call to a REST API that uses Basic Authentication. We will use Postman as the client, accessing a REST API in IRIS, and TCPTrace to forward the data and show what was transmitted.

First let's publish our API. Let's use the same API as in the article https://community.intersystems.com/post/using-rest-api-flask-and-iam-intersystems-iris-part-1-rest-api

Just follow the guidelines and use the code that the article provides to have our API published.

Now let's turn on TCPTrace. It can be obtained easily on the web. You can also use any other software that forwards TCP/IP packets:

 

Configure TCPTrace to listen on port 8080 and forward to the server that will service the request on port 80, which is the default port of the HTTP protocol:

 

 

In Postman we will consume our API, but we will change the call address. We are not going to call the destination server, but the server where TCPTrace is listening for the calls:

See that we performed a GET and received status code 200 (success). We used authentication to access our API and received the packet as a response.

Now let's see TCPTrace:

We can see that everything that was transmitted is visible. The authentication credentials are in the Authorization header as a Base64 string.
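The exposure described above can be checked mechanically. The following is an added example, not code from the original article: it scans a captured plaintext request for a Basic Authorization header and shows that Base64 is only an encoding, while bytes captured from an HTTPS connection yield nothing readable. The sample bytes, host, path and credentials are constructed.

```python
import base64
import binascii

# Constructed sample: bytes a TCP forwarder would log for a plain-HTTP GET
# with Basic Authentication. Host, path and credentials are made up.
_TOKEN = base64.b64encode(b"demo_user:s3cret:with:colons")
CAPTURED_HTTP = (
    b"GET /example-app/cliente HTTP/1.1\r\n"
    b"Host: trace-host.example:8080\r\n"
    b"Authorization: Basic " + _TOKEN + b"\r\n"
    b"Accept: */*\r\n\r\n"
)
# Constructed sample: first bytes of a TLS handshake record, as seen over HTTPS.
CAPTURED_TLS = bytes([0x16, 0x03, 0x01, 0x02, 0x00]) + bytes(32)


def parse_headers(raw: bytes) -> dict:
    """Return request headers keyed by lower-cased name."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def exposed_basic_credentials(raw: bytes):
    """Return (user, password) readable from a captured request, else None."""
    scheme, _, token = parse_headers(raw).get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: nothing to report
    user, sep, password = decoded.partition(":")  # only the first ':' separates
    return (user, password) if sep else None


def looks_like_tls(raw: bytes) -> bool:
    """True if the capture starts like a TLS record (content type, version major 3)."""
    return len(raw) >= 3 and raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03


if __name__ == "__main__":
    for label, capture in (("http", CAPTURED_HTTP), ("https", CAPTURED_TLS)):
        print(label, "tls:", looks_like_tls(capture),
              "credentials:", exposed_basic_credentials(capture))
```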

 

 

Everything that was transmitted is accessible and visible to whoever collected the data. This can become dangerous when we transfer sensitive data. How can we solve this? We can enable HTTPS on our web server, which puts a layer of encryption on our communication.

Enabling HTTPS requires the installation of an SSL certificate on the web server. There are certificate authorities that issue certificates that are valid and recognized on the web, or we can use so-called self-signed certificates. Self-signed certificates are not automatically recognized and are not always a recommended security solution, so always check which type of certificate you should use. In this article we will use a self-signed certificate.

Certificate installation and HTTPS activation depend on your web server. Browse the appropriate documentation and see how to create and install the certificate and enable HTTPS.

For this article we are using IIS, which has an option to create a self-signed certificate.

Once HTTPS is active, let's test our web server. It serves HTTPS requests on the standard port 443, reached by using the "https" scheme in the URL.

Let's do a test. Open your browser and access the web server with https:

Notice that the browser has informed you that your connection is not private. This happens because the self-signed certificate is not automatically recognized. Click Advanced:

Now the browser has completed the information by stating that the certificate is not trusted. This happens because, the certificate being self-signed, the browser has no way to confirm that it belongs to who it claims to belong to. Click Continue and see the page that was called:

So far so good. We already have our web server responding to HTTPS requests. Now let's go back to Postman and make a call to our API using HTTPS. For this we will change the call in Postman to use https instead of http. This time we go straight to the server, and not to TCPTrace, so remember to enter the address of your web server:

 

Notice that we receive the same response as the one given by HTTP, only we have an information icon next to the HTTP Status. Click on the icon and you will see an information bubble. It informs us of the status of the certificate and some security data.

 

Now let's route our call through TCPTrace. Let's activate and configure our app:

Note that we are now using the HTTPS port 443 as the destination. Click OK and TCPTrace will start listening for the requests:

Go back to Postman and change the call to the TCPTrace address on port 8443 (the one configured to listen for requests). Click Send and see the response:

 

Note that nothing has changed from the last call, but this time it went through TCPTrace. Let's see what was logged in the application:

 

We were unable to view any information because the data transmitted was encrypted. In the TCPTrace options click on View and then on Show NULLS and see what TCPTrace actually collected:

 

 

Thus, without any change in our REST API, we have included an encryption layer in the traffic when using HTTPS, increasing the security of information in our communication.

See you next time!

Question
· Feb. 14

Disable Shared Memory in JDBC Driver URL

Hey guys! I'm working on a Java application that connects to Iris via JDBC. I need to disable SharedMemory via connection URL. I would like to know how I can check if the parameter was turned on or off within Iris when connecting to Java. Thanks for your help!

Question
· Feb. 14

Error message “Invalid CSRF token”

Hello, community!

I am working on implementing OAuth 2.0 authentication in InterSystems IRIS and need to correctly define a CSRF token that will be validated by OAuth.Response. However, I am having trouble finding a clear method to configure the CSRF token correctly.

So far, I have tried:

  • Setting the CSRF token in the request header.
  • Inserting the CSRF token via InsertCookie.

Despite these attempts, I haven’t been successful. On the OAuth.Response page, the CSRF token is empty, and I get the error message “Invalid CSRF token” because the csrfToken is empty.

If csrfToken '= state { $$$ThrowStatus($$$ERROR($$$OAuth2ResponseError, "Invalid CSRF token")) }

Has anyone faced a similar issue or could suggest the best approach to configure the CSRF token for validation by OAuth.Response?

Any guidance or insights would be greatly appreciated!

Thank you in advance for your help!

Article
· Feb. 14 · 3 min read

How to shoot a good video for the article contest bonus - Part 1 The script

Hi Community,

As you may know, this year's Spanish Technical Articles contest will be in May. I am going to make a series of articles to support you in the creation of your articles, giving tips and tricks. Perhaps they will be useful for the contest you have active in this community as well.

As you may know, one of the bonuses or extra points you can receive is to add a video tutorial to your article. You may not even know how to approach this issue, no problem! I'm here to give you some tips that you can apply not only to the creation of these videos, but to any other.

A GOOD SCRIPT

I'm sure you know someone who says: ‘I record myself and tell you what comes out’. It's fantastic, some people have a gift for talking and an incredibly structured head. For the rest of us mortals, and for those who don't want to spend hours in editing trying to make sense of the piece, it's essential to make a good script.

What makes a good script? A clear idea of what you want to tell. 

It is the basis on which you are going to work. Spending time making a good script will save you time. It will also make you think about whether what you want to tell makes sense, or solve possible problems that could be overlooked. How to write a good script?

BEING ORIGINAL STARTS WITH THE SCRIPT

Perhaps one of the keys is to look for an original touch. Use comparisons, for example: make references to films, books, popular culture. 

Another interesting point is to give it a special format, and this starts with the script. Tell your video in a special way. For example: instead of just telling your tutorial on camera, imitate the stand up format, with jokes, a brick background, etc. Just an idea!

A question that might help you is: How can I tell this in a way that hasn't been told before? 

STRUCTURE, STRUCTURE, STRUCTURE

The good thing is that in a tutorial outline, it's easy to follow this. Every audiovisual piece has three parts: beginning, development and conclusion. 

  • Respect the structure and try to be eye-catching from the start. Start by posing the problem with a question at the beginning. Example: Have you had problems with your IRIS instance after installing it on Linux? I'll tell you how to solve it with Filecheck! I borrow it from @LuisAngel.PérezRamos' article
  • In the development you will go through the steps point by point. Here it is best to be concrete and, starting from the script, very concise. If your tutorial is good, it will be seen more than once by the same person, and they will surely appreciate it if you get to the point in this part.
  • Conclusion: a good conclusion has to respond to the beginning. You have to be able to read the beginning and the conclusion and think: clearly the latter solves the former.

Respect the structure and all will be well.

PRACTICAL TIPS FOR WRITING A SCRIPT

  1. Read it to someone else: before immersing yourself in the recording, read your script to someone else. It will help you to find problems of meaning, fluency and, above all, you can ask this person if they understand what you want to communicate. 
  2. Write down in one sentence what you want to say: it is your objective, it is what you are going to deal with in the script. It will help you to think: does what I'm saying really add something to this video or am I going off on a tangent?
  3. Keep it short: you know, sometimes it's better to get to the point.
  4. Think about what image elements can help in each part and write them down: it will help you not to forget to record anything. How do you imagine each part? Can you support something with stock footage? Obviously many of the images will be following the step-by-step.
  5. A tip for being original: since there are so many entries, try to make your script/video something original. If I make a video that is imitating the stand up format, everyone will think ‘oh yeah, I remember that one, that's the stand up guy’. It will make you different and maybe even memorable. But be careful, don't get sidetracked, remember that the goal is to make a good tutorial that supports the article.

I hope this is of some use to you, it's a humble contribution. I've written for different formats, video, novel, screen and I think that sometimes three or four tips can help a lot. I know there are real experts here who don't need help, but if it encourages you to go for the video bonus, my job is done. 

Article
· Feb. 14 · 3 min read

How to record a good video for the article contest - Part 1 The script

Hello Community

As you know, this year's Technical Articles contest in Spanish will be in May. I am going to write a series of articles to support you in creating yours, giving tips and tricks.

As you may know, among the bonuses or extra points you can receive is adding a video tutorial to your article. You may not even know how to approach this. No problem! I am here to give you some tips that you can apply not only to the creation of these videos, but to any other.

A GOOD SCRIPT

I'm sure you know someone who says: "I record myself in one go and say whatever comes out". It's fantastic, some people have a gift for talking and an incredibly structured head. For the rest of us mortals, and for those who don't want to spend hours in editing trying to make the piece make sense, it is essential to write a good script.

What does a good script have? A clear idea of what you want to tell.

It is the basis on which you are going to work. Spending time on a good script will save you time. It will also make you consider whether what you want to tell makes sense, or resolve possible problems that could be overlooked. How do you write a good script?

BEING ORIGINAL STARTS WITH THE SCRIPT

Perhaps one of the keys is to look for an original touch. Use comparisons, for example: make references to films, books, popular culture.

Another interesting point is to give it a special format, and this starts with the script. What do I mean by a special format? Telling your video in a special way. For example: instead of simply telling your tutorial to the camera, imitate the stand up format, with jokes, a brick background, etc. It's just an idea!

A question that may help you is: how can I tell this in a way that hasn't been told before?

STRUCTURE, STRUCTURE, STRUCTURE

The good thing is that in a tutorial outline, this is easy to follow. Every audiovisual piece has three parts: beginning, development and conclusion.

  • Respect the structure and try to be eye-catching from the start. Pose the problem at the beginning with a question. Example: Have you had problems with your IRIS instance after installing it on Linux? I'll tell you how to solve it with Filecheck! I borrow it from the article by @Luis Angel Pérez Ramos
  • In the development you will go through the steps point by point. Here it is best to be concrete and, starting from the script, very concise. If your tutorial is good, it will be seen more than once by the same person, and they will surely appreciate it if you get to the point in this part.
  • Conclusion: a good conclusion has to respond to the beginning. You have to be able to read the beginning and the conclusion and think: clearly the latter solves the former.

Respect the structure and all will be well.

PRACTICAL TIPS FOR WRITING A SCRIPT

  1. Read it to someone else: before immersing yourselves in the recording, read your script to another person. It will help you find problems of meaning and fluency and, above all, you can ask this person whether what you want to communicate is understood.
  2. Write in one sentence what you want to tell: it is your objective, it is what you are going to deal with in the script. It will help you think: does what I'm telling really add something to this video or am I going off on a tangent?
  3. Be brief: you know, sometimes it's better to get to the point.
  4. Think about which image elements can help in each part and write them down: it will help you not to forget to record anything. How do you imagine each part? Can you support something with stock footage? Obviously many of the images will follow the step-by-step.
  5. A tip for being original: since there are many entries, try to make your script/video have something original. If I make a video that imitates the stand up format, everyone will think "oh yes, I remember that one, that's the stand up one". It will make you different and perhaps memorable. But be careful, don't get sidetracked, remember that the goal is to make a good tutorial that supports the article.

I hope this is of some use to you, it is a humble contribution. I have written for different formats, video, novel, screen, and I think that sometimes three or four tips can help a lot. I know there are real experts here who don't need help, but if it encourages you to go for the video bonus, my job is done.
