There are two aspects of FME Server Web Services Security: authentication and authorization.
Authentication verifies that a user is who they claim to be. The web services support two types of authentication: HTTP Basic and Token.
The FME Server services (except the REST API) use basic authentication to limit access. Basic authentication does not encrypt the password; it is sent to the server as plain text. Basic authentication is suitable only if the connection between the client and server computers is secure and can be trusted, such as on a local intranet.
If you interact with a URL that requires authentication, the user is prompted for a username and password. If you want to share a link or bookmark a page, you can also include the username/password in the URL so it authenticates automatically. Simply construct a URL similar to this:
http://username:password@www.example.com…
For example:
http://admin:admin@localhost/fmedatadownload/Samples/austinDownload.fmw
Note: This syntax is not supported in Internet Explorer.
All FME Server services except the Data Upload Service support token-based security to manage authentication. The token service allows the developer to generate a token, which then acts as a key for accessing the secure REST interface. The token is a string of encrypted information sent between client and server.
Token security is not as secure as certain other methods, such as Integrated Windows authentication, because the security of the system depends on controlling access to the tokens.
You can generate a token manually or using the API.
To generate a token manually, visit http://localhost/fmetoken/.
The token is valid for the duration specified, and can be used whenever accessing the REST API or transformation services.
Often you will need to generate a token via the API. If you do not want to hard-code the token into your code, you can generate a token every time a user logs in to your application. For example:
<html>
<head>
<script type="text/javascript">
/*-- START SAMPLE CODE --*/
function triggerRequestGenerateToken() {
    /*
    Commonly available on the web, this function was taken from:
    http://ajaxpatterns.org/XMLHttpRequest_Call
    */
    function createXMLHttpRequest() {
        try {
            return new XMLHttpRequest();
        }
        catch (e) {
        }
        try {
            return new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (e) {
        }
        alert("XMLHttpRequest not supported");
        return null;
    }
    /*
    Display the result when complete
    */
    function onResponse() {
        // 4 indicates a result is ready
        if (xhReq.readyState != 4)
            return;
        // Get the response (the generated token) and display it
        alert(xhReq.responseText);
        return;
    }
    /*
    Create the XMLHttpRequest object
    */
    var xhReq = createXMLHttpRequest();
    if (xhReq == null)
        return;
    // Request variables (declared with var so they do not leak into the global scope)
    var pHostName = "fmeserver.com";
    var pUrlBase = "http://" + pHostName + "/fmetoken/generate";
    var pHttpMethod = "GET";
    var pUser = "tokenonly";
    var pPassword = "token";
    var pExpiration = 7;
    var pTimeunit = "day";
    // Create REST call; encodeURIComponent keeps characters such as & or = in the
    // credentials from breaking the query string
    var pRestCall = pUrlBase +
        "?user=" + encodeURIComponent(pUser) +
        "&password=" + encodeURIComponent(pPassword) +
        "&expiration=" + encodeURIComponent(pExpiration) +
        "&timeunit=" + encodeURIComponent(pTimeunit);
    // Send request
    xhReq.open(pHttpMethod, pRestCall, true);
    xhReq.onreadystatechange = onResponse;
    xhReq.send();
}
/*-- END SAMPLE CODE --*/
</script>
</head>
<body>
<form name="fmeForm">
<input type="button" value="Generate Token" name="runButton" onclick="triggerRequestGenerateToken()">
</form>
</body>
</html>
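As an added example (not Safe Software's own code), the same /fmetoken/generate request written with fetch: the parameters are URL-encoded with URLSearchParams instead of string concatenation, plain http is refused unless the caller explicitly allows it, and the HTTP status is checked before the body is treated as a token. It assumes the service returns the token as the plain response body on success; the host name fmeserver.example is a placeholder.

```javascript
// Added example, not FME Server's own code.
// Assumption: on success the generate service returns the token as the response body text.

const TOKEN_PATH = "/fmetoken/generate"; // the service path used on this page

// Build the request URL. URLSearchParams percent-encodes user/password so that
// characters such as '&' or '=' cannot break the query string.
function buildGenerateTokenUrl({ host, user, password, expiration, timeunit,
                                 scheme = "https", allowPlaintext = false }) {
  if (!host || !user || !password) throw new Error("host, user and password are required");
  if (!Number.isInteger(expiration) || expiration <= 0) throw new Error("expiration must be a positive integer");
  if (!timeunit) throw new Error("timeunit is required");
  const url = new URL(TOKEN_PATH, `${scheme}://${host}`);
  // The password travels in the query string; over plain http it is readable on
  // the wire, which this page only considers acceptable on a trusted intranet.
  if (url.protocol !== "https:" && !allowPlaintext) {
    throw new Error(`refusing to send credentials over ${url.protocol.slice(0, -1)}; set allowPlaintext on a trusted network`);
  }
  url.searchParams.set("user", user);
  url.searchParams.set("password", password);
  url.searchParams.set("expiration", String(expiration));
  url.searchParams.set("timeunit", timeunit);
  return url.toString();
}

// Turn an HTTP status and body into a token, or throw. The page's sample alerts
// responseText unconditionally, so an error page would be shown as if it were a token.
function parseTokenResponse(status, body) {
  if (status !== 200) throw new Error(`token request failed: HTTP ${status}`);
  const token = String(body).trim();
  if (!token) throw new Error("token request returned an empty body");
  return token;
}

// Request a token with fetch (Node 18+ or a browser); fetchImpl is injectable for testing.
async function requestToken(opts, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(buildGenerateTokenUrl(opts), { method: "GET" });
  return parseTokenResponse(response.status, await response.text());
}
```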
Also known as Access Control, authorization specifies the activities a user is permitted to undertake. FME Server provides a role-based control framework in which administrators assign users to roles. Each role has its own permissions. Users, roles and permissions are configured on the Security page of the FME Server Web User Interface.
For information on Transformation Services authorization, see Configuring Security.
The username you use to log in to the REST API determines the resources you see once authenticated. For example, if you log in with a user assigned to a role that only has access to view the Samples repository, then that is all you will see when you access the repositories page of the REST interface.