Authorization
webPDF provides security for the use of server and web service APIs through authorization.
Authorization is handled either locally (local authorization) or remotely, for example by an external OAuth2 provider. The settings for this are defined in the server configuration.
The settings are made via the Admin Portal and allow the specific activation and deactivation of the SOAP or REST interface, as well as the authentication used and the use of anonymous login. These settings can be configured separately for SOAP and REST.
You should always use the web services in conjunction with the server's TLS configuration; otherwise the user's authentication data (user name and password) may be transmitted in plain text.
SOAP API
In the default installation, no authorization is required on the SOAP interface and anonymous access is allowed. The web service endpoints can therefore be used directly without authorization and login.
The SOAP interface can be completely deactivated via the configuration if it is not used. It is also possible to disable anonymous use of the interface. In this case, a corresponding authorization must be passed with each web service call via the SOAP interface.
SOAP authorization can be performed either via the local authorization or via an external OAuth2 provider. In the first case, local authentication (login) is performed using the configured user source and local authorization, and the resulting authorization is passed directly when the SOAP web service is invoked. In the second case, authentication is performed via the configured external OAuth2 provider. The access token issued by the OAuth2 provider is passed to the SOAP web service and used as authorization.
REST API
In the default installation, authorization is always required on the REST interface, i.e. each call to a web service must include an access token. The access token is issued either by local authorization after a corresponding authentication or by an external OAuth2 provider. With local authorization, anonymous logon (authentication) is also possible, provided this has not been disabled via the configuration.
During authentication, local authorization uses the user source to check the user's credentials (user name and password) and issues a corresponding access token.
The REST API can also be disabled in its entirety via the configuration.
Local authorization
Local authorization provides authentication on the local server via user name and password. For this purpose, the configured user source is used to verify the user's credentials. Anonymous login is also performed using this authorization. If local authorization is disabled, authorization can only be done via an external OAuth2 provider.
The local authorization provides the access token (and refresh token, if applicable). The access token is then passed when calling the SOAP and REST API web services.
The access token for authorization is provided by the Authentication REST API:
API {REST}: /authentication/user/login
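The settings described on this page, expressed as a configuration review check. This is an added example, not webPDF code: the field names, sample values and severity labels are assumptions and do not reflect webPDF's configuration schema.

```python
from dataclasses import dataclass

# Hypothetical model of the per-interface settings this page describes.
@dataclass
class Interface:
    name: str                # "SOAP" or "REST"
    enabled: bool
    in_use: bool             # does any client actually call this interface?
    anonymous_allowed: bool

def audit(tls_enabled, local_auth, oauth2_provider, interfaces):
    """Return (severity, message) findings; severities are this example's own."""
    findings = []
    active = [i for i in interfaces if i.enabled]
    if active and not tls_enabled:
        findings.append(("high", "no TLS: user name and password may be sent in plain text"))
    if active and not local_auth and not oauth2_provider:
        findings.append(("high", "local authorization disabled and no OAuth2 provider: "
                                 "no access token can be issued"))
    for i in active:
        if not i.in_use:
            findings.append(("medium", f"{i.name}: enabled but unused, deactivate it"))
        if not i.anonymous_allowed:
            continue
        if i.name == "SOAP":
            # SOAP anonymous access needs neither authorization nor login.
            findings.append(("high", "SOAP: endpoints callable without authorization and login"))
        elif local_auth:
            # REST still needs a token, but anonymous logon hands one out.
            findings.append(("medium", f"{i.name}: anonymous logon can obtain an access token"))
    return findings

# Constructed samples: SOAP/REST anonymous flags follow the defaults described
# above; the TLS and in_use values are made up for illustration.
SAMPLE = dict(tls_enabled=False, local_auth=True, oauth2_provider=False, interfaces=[
    Interface("SOAP", enabled=True, in_use=False, anonymous_allowed=True),
    Interface("REST", enabled=True, in_use=True, anonymous_allowed=True),
])
HARDENED = dict(tls_enabled=True, local_auth=True, oauth2_provider=False, interfaces=[
    Interface("SOAP", enabled=False, in_use=False, anonymous_allowed=True),
    Interface("REST", enabled=True, in_use=True, anonymous_allowed=False),
])

if __name__ == "__main__":
    for severity, message in audit(**SAMPLE):
        print(f"{severity}: {message}")
```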