RAD Server Engine Authorization
RAD Server Engine Authorization allows you to authorize or deny access to a RAD Server Resource or a particular RAD Server Endpoint in an HTTP request.
The authorization depends on the credentials used in the HTTP request to the RAD Server Engine (EMS Server). 
By default, RAD Server Resources and endpoints are public.
There are three different kinds of credentials in RAD Server:
- Master Secret Key. This credential allows an HTTP request to access any RAD Server Endpoint in any RAD Server Resource of your RAD Server Engine (EMS Server).
- Users. This credential identifies a particular RAD Server user. Access to endpoints and resources is limited to those authorized for the user or the group that the user belongs to.
- Application Secret. This credential can access only endpoints that are authorized for all HTTP requests (public endpoints).
RAD Server Authorization Credentials
RAD Server MasterSecret Key Authentication
The RAD Server MasterSecret Key (MasterSecret) gives you complete access to all RAD Server data that is stored in the RAD Server Database.
Use the RAD Server MasterSecret Key for administrative tasks only. With it, an HTTP request can access every endpoint of every RAD Server Resource in the RAD Server Engine (EMS Server).
Modify the MasterSecret key in the RAD Server Engine configuration file.
RAD Server Application Secret Key Authentication
The RAD Server Application Secret Key (AppSecret) authorizes a RAD Server Client Application to access the endpoints that are authorized for all requests.
Modify the AppSecret key in the RAD Server Engine configuration file.
RAD Server Access Rules
You can create access rules to configure the authorization to a particular RAD Server Resource or RAD Server Resource Endpoint.
You can set a new access rule for RAD Server Administrative API resources (such as RAD Server Users and RAD Server Groups) or for a custom RAD Server Resource.
You can specify the access rules with settings (as a JSON string) for:
- A resource. The resource settings apply to all endpoints in that RAD Server resource.
- A particular endpoint. The endpoint settings override the settings for the resource.
You can modify the following JSON attributes for a RAD Server Resource or a RAD Server Resource Endpoint:
| JSON attribute | Description |
|---|---|
| {"public": true} | Authorizes any request. |
| {"public": false} | A RAD Server client application may be authorized depending on the RAD Server User or the RAD Server Group. |
| {"users": ["username1", "username2"]} | Authorizes a RAD Server User by the field username. |
| {"users": ["userid1", "userid2"]} | Authorizes a RAD Server User by the field userid. |
| {"users": ["*"]} | Authorizes any RAD Server User. |
| {"groups": ["groupname1", "groupname2"]} | Authorizes any RAD Server User that belongs to one of the listed RAD Server Groups. |
| {"groups": ["*"]} | Authorizes any RAD Server User that belongs to any RAD Server Group. |
The following sample makes all methods in the resource Users private except for the LoginUser and SignupUser RAD Server Endpoints:
 Users={"public": false}
 Users.LoginUser={"public": true}
 Users.SignupUser={"public": true}
The following sample makes all methods in the custom RAD Server Resource Resource1 available to all RAD Server users in the group group1:
 Resource1={"groups": ["group1"]}
Create and modify access rules in the RAD Server Engine configuration file.
In the log of the RAD Server Engine window, you can see the created access rules (as RegACL entries).
RAD Server User Authentication
Use the following header parameters for the different Authentication options:
RAD Server MasterSecret Key Authentication
X-Embarcadero-Master-Secret=<value>
RAD Server Application Secret Key Authentication
X-Embarcadero-App-Secret=<value>
RAD Server User Authentication
X-Embarcadero-Session-Token=<value>
X-Embarcadero-App-Secret=<value>
X-Embarcadero-App-Secret is optional. To obtain an X-Embarcadero-Session-Token, a client application should use the "users/login" endpoint, as described below:
- Client makes login request:
 POST http://localhost:8080/users/login HTTP/1.1
 {"username":"User1","password":"User1pass"}
- Server responds:
 HTTP/1.1 201 Created
 {"username":"User1","_id":"04C3B621-A056-49CF-8C56-D18E8363F58E","_meta":{"creator":"04C3B621-A056-49CF-8C56-D18E8363F58E","created":"2018-05-04T09:05:54.000Z"},"sessionToken":"d7bdc5523d04ecab7a35c1df53a7077d","sessionTokenExpiry":"2023-10-02T11:41:03.281Z"}
 Note: The session token lifetime is controlled by the emsserver.ini file parameters SessionInactivityTimeout and SessionLiveTimeout. For more information, see RAD Server Engine Limits.
- Client calls endpoint:
 GET http://localhost:8080/test HTTP/1.1
 X-Embarcadero-Session-Token: d7bdc5523d04ecab7a35c1df53a7077d
- Server responds:
 HTTP/1.1 200 OK
 "test"
- The server log shows that the user is identified in the second request:
 {"Request":{"Resource":"Users","Endpoint":"LoginUser","Method":"POST","User":"(blank)","Time":"04.05.2018 13:12:51","Thread":3568}}
 {"Request":{"Resource":"test","Endpoint":"Get","Method":"GET","User":"04C3B621-A056-49CF-8C56-D18E8363F58E","Time":"04.05.2018 13:12:55","Thread":3568}}
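The following is an added worked example (not RAD Server code, and not how the RAD Server Engine is implemented) that models the access-rule semantics from the table above together with the three header credentials from this section, so you can see how a request with a given set of headers is accepted or rejected. The rule syntax, header names and the public-by-default rule come from this page; the secrets, users, groups and session tokens are constructed placeholders, and the assumption that an endpoint rule replaces (rather than merges with) the resource rule is marked in the code.

```python
"""Model of RAD Server resource/endpoint authorization (added illustration)."""
import hmac
import json

# Header names as documented on this page.
HDR_MASTER = "X-Embarcadero-Master-Secret"
HDR_APP = "X-Embarcadero-App-Secret"
HDR_SESSION = "X-Embarcadero-Session-Token"

# Constructed sample data (placeholders, not real RAD Server values).
MASTER_SECRET = "master-secret-placeholder"
APP_SECRET = "app-secret-placeholder"
# userid -> (username, groups); a real server looks these up in its database.
USERS = {
    "id-user1": ("User1", ["group1"]),
    "id-user2": ("User2", []),
}
# session token (as issued by users/login) -> userid
SESSIONS = {"token-user1": "id-user1", "token-user2": "id-user2"}

# Access rules in the "Resource=<json>" / "Resource.Endpoint=<json>" form shown above.
RULE_LINES = """
Users={"public": false}
Users.LoginUser={"public": true}
Users.SignupUser={"public": true}
Resource1={"groups": ["group1"]}
Resource2={"users": ["User2"]}
"""


def parse_rules(text):
    """Parse rule lines into {"Resource" or "Resource.Endpoint": settings dict}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed rule line: {line!r}")
        rules[key.strip()] = json.loads(value)
    return rules


def rule_for(rules, resource, endpoint):
    """Pick the settings that apply: the endpoint rule overrides the resource rule.

    Assumption made here: the more specific rule replaces the less specific one
    instead of merging with it. Unconfigured resources are public (page default).
    """
    for key in (f"{resource}.{endpoint}", resource):
        if key in rules:
            return rules[key]
    return {"public": True}


def _matches(header_value, secret):
    """Constant-time comparison so secret checks do not leak timing information."""
    return header_value is not None and hmac.compare_digest(
        header_value.encode(), secret.encode())


def identify(headers):
    """Map request headers to a credential kind: master, user, app or none."""
    if _matches(headers.get(HDR_MASTER), MASTER_SECRET):
        return "master", None
    userid = SESSIONS.get(headers.get(HDR_SESSION))
    if userid is not None:
        name, groups = USERS[userid]
        return "user", {"id": userid, "name": name, "groups": groups}
    if _matches(headers.get(HDR_APP), APP_SECRET):
        return "app", None
    return "none", None


def authorized(rules, resource, endpoint, headers):
    """Apply the credential and access-rule semantics from this page to one request."""
    kind, user = identify(headers)
    if kind == "master":
        return True  # master secret reaches every endpoint of every resource
    rule = rule_for(rules, resource, endpoint)
    if rule.get("public") is True:
        return True  # public endpoint: any request, with or without credentials
    if kind != "user":
        return False  # app secret alone (or no credential) only reaches public endpoints
    users = rule.get("users", [])
    if "*" in users or user["name"] in users or user["id"] in users:
        return True  # matched by username or by userid
    groups = rule.get("groups", [])
    if "*" in groups:
        return bool(user["groups"])  # "*" means any user that belongs to some group
    return any(g in groups for g in user["groups"])


RULES = parse_rules(RULE_LINES)

if __name__ == "__main__":
    for res, ep, hdrs in [("Users", "LoginUser", {}),
                          ("Users", "Get", {HDR_APP: APP_SECRET}),
                          ("Resource1", "Get", {HDR_SESSION: "token-user1"}),
                          ("Resource1", "Get", {HDR_SESSION: "token-user2"})]:
        print(res, ep, sorted(hdrs), "->", authorized(RULES, res, ep, hdrs))
```

Note the order in identify: the master secret is checked first, then the session token, then the app secret, which reflects that the app secret is optional alongside a session token and on its own only reaches public endpoints. Running the module shows Users.LoginUser accepted without credentials, Users.Get refused to an app-secret-only request, and Resource1 accepted for the user in group1 but refused for the user without groups.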
Controlling Access to RAD Server Resources and Endpoints
There are two ways to control access to resources and endpoints by a RAD Server User or RAD Server Client application.
Modifying the RAD Server Engine Configuration File
The RAD Server Engine configuration file (emsserver.ini file) can be used to configure authorization by resource and endpoint.
In it you configure the MasterSecret and AppSecret keys, and create access rules for the RAD Server Resources and Endpoints.
Programmatic Control
You can create a new custom resource (see Extending the RAD Server Engine) and add code that prevents access to particular RAD Server endpoints. In your code, you can check whether the request comes from a particular RAD Server user or from a RAD Server user in a particular RAD Server group.
If the RAD Server user identified in the request is not allowed to access the endpoint, the custom resource should raise an exception (to indicate that the request is unauthorized).
