Article number: 310325

Basic Authorisation for Sitekit CMS APIs & Web-Services

All web-services within the Sitekit CMS API can be secured using Basic Authorisation. Enabling this ensures that the API endpoints can only be called by your own Sitekit CMS website or by callers to whom you have issued a username and password.

You can create as many username/password combinations as you need and control precisely which API endpoints each one is allowed to access.

Enabling Basic Authorisation prevents any API endpoint from being called from front-end, client-side JavaScript, so do not enable it if you intend to call any API endpoints using Ajax.

Enabling Basic Authorisation

To enable basic authorisation, you first need to create a master account. The master user will always have access to every API endpoint. You should never disclose the username/password of the master account to any third parties.

The master account is used by the CMS itself whenever it calls its own web-services via data islands, forms and post pages. You do not need to take account of authorisation yourself when configuring data islands, forms or post pages, as the CMS will handle this automatically.

[Screenshot: api keys master]

After creating the master account, you will see a grid allowing you to create additional accounts for standard users. These are the accounts you would share with any third parties that you want to allow to use your API endpoints.

[Screenshot: api keys user 1]

Once you have created your first standard user, you have the option to 'edit' the account if you want to change its username or password. You can click 'rights' to specify precisely which API endpoints the user is allowed or denied access to.

[Screenshot: api keys user 1 added]

The 'rights' screen allows you to specify precisely which endpoints the user is allowed to access. You can use the wildcard '*' to grant access to everything. The 'class' is the code class-name of the web-service and 'method' is the name of the endpoint within that web-service.

You can use 'allow' or 'deny' to explicitly allow or deny specific endpoints.

For example, the following screenshot shows how to deny the user from accessing any endpoint except for ExcelSearch in the ExcelConsumer web-service:

[Screenshot: api keys user 1 rights example]

To find the code class-name for a web-service, view the .asmx endpoint in a web browser, e.g. <your-domain>/admin/ws/XMLSearch.asmx. The code class-name is displayed in the blue header bar at the top of that page. For example, in the case of the XMLSearch web-service, the name is 'Search'. The available method names for the web-service are listed underneath the header, each with a description of what it does.

[Screenshot: api keys user 1 rights ws]

To allow your user access to the XmlSearch endpoint in the XMLSearch web-service (class 'Search', method 'XmlSearch'), you would add the following entry. Note that class and method names are case-sensitive.

[Screenshot: api keys user 1 rights example 2]

Special Class/Method Names

A few APIs in the CMS use '.aspx' rather than '.asmx' endpoints. The values to use to control allowing or denying these endpoints are as follows:

Service Endpoint               Class                    Method
/admin/post/SearchPosts.aspx   PostSearcher             MainProcessing
/admin/ws/Feedback.aspx        admin_ws_feedback_aspx   Page_Load

Authorising API Calls to Other Sitekit Sites

If you have a data island that uses a Sitekit CMS API endpoint on another website, you can supply the Basic Authorisation value manually via the AUTH attribute of the data island XML snippet, as follows:

<XMLCONSUMER>
<!-- AUTH is the word "Basic", a space, then base64(username:password). Base64 is an encoding, not encryption, so treat this value as confidential as the password itself. -->
<XMLSOURCE URL="/admin/ws/feedback.aspx" AUTH="Basic YXBpLXVzZXItMTpWZ0R5RXZVbjE1Mw=="></XMLSOURCE>
<XSLSOURCE URL="/admin/ws/feedback.xsl"></XSLSOURCE>
</XMLCONSUMER>
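As an added example that is not part of the article or of Sitekit's own code, the following Python shows how the AUTH value above is formed and checked, generates the data island snippet with a properly escaped attribute, and calls a protected endpoint with the matching Authorization header. The usernames, passwords and endpoint URL are constructed placeholders.

```python
import base64
import binascii
import urllib.error
import urllib.request
from xml.sax.saxutils import quoteattr

# Constructed sample credentials for illustration only (not from the article).
SAMPLE_USER = "api-user-2"
SAMPLE_PASSWORD = "s3cr3t-example"


def build_auth_value(username: str, password: str) -> str:
    """Return the value for an Authorization header or a data island AUTH attribute.
    Basic auth is 'Basic ' + base64(username:password). This is encoding, not
    encryption, so the value must be protected like the password itself."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it separates user and password)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_auth_value(value: str):
    """Split an Authorization value back into (username, password), or return None
    when it is not well-formed Basic auth. This mirrors the check a server performs."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = raw.partition(":")
    return (user, pwd) if sep else None


def data_island_snippet(xml_url: str, xsl_url: str, username: str, password: str) -> str:
    """Build the XMLCONSUMER snippet from the article with AUTH filled in; attribute
    values are escaped so a password containing '"' or '&' cannot break the XML."""
    return (
        "<XMLCONSUMER>\n"
        f"<XMLSOURCE URL={quoteattr(xml_url)} AUTH={quoteattr(build_auth_value(username, password))}></XMLSOURCE>\n"
        f"<XSLSOURCE URL={quoteattr(xsl_url)}></XSLSOURCE>\n"
        "</XMLCONSUMER>"
    )


def call_endpoint(url: str, username: str, password: str, timeout: float = 10.0) -> int:
    """Call a Basic-auth protected endpoint and return the HTTP status code;
    401 means the server rejected the supplied credentials."""
    req = urllib.request.Request(url, headers={"Authorization": build_auth_value(username, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```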
