summaryrefslogtreecommitdiffstats
path: root/docs/sections/services/dfc/http-notes.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/sections/services/dfc/http-notes.rst')
-rw-r--r--docs/sections/services/dfc/http-notes.rst75
1 files changed, 73 insertions, 2 deletions
diff --git a/docs/sections/services/dfc/http-notes.rst b/docs/sections/services/dfc/http-notes.rst
index bd297b14..c45c7bd8 100644
--- a/docs/sections/services/dfc/http-notes.rst
+++ b/docs/sections/services/dfc/http-notes.rst
@@ -1,8 +1,8 @@
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-HTTP notes
-==========
+HTTP/HTTPS notes
+================
HTTP Basic Authentication in FileReady messages
"""""""""""""""""""""""""""""""""""""""""""""""
@@ -61,3 +61,74 @@ Example file ready message is as follows:
Note, more than one file from the same location can be added to the "arrayOfNamedHashMap". If so, they are downloaded
from the endpoint through single http connection.
+
+HTTPS connection with DFC
+"""""""""""""""""""""""""
+The file ready message for https server is the same as used in other protocols and http. The only difference is that the scheme is set to
+"https":
+
+.. code-block:: bash
+
+ ...
+ "arrayOfNamedHashMap": [
+ {
+ "name": "C_28532_measData_file.xml",
+ "hashMap": {
+ "location": "https://login:password@server.com:443/file.xml.gz",
+ ...
+
+The processed uri depends on the https connection type that has to be established (client certificate authentication, basic
+authentication, and no authentication).
+
+For client certificate authentication:
+
+.. code-block:: bash
+
+ scheme://host:port/path
+ i.e.
+ https://example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz
+
+Authentication is based on the certificate used by the DFC.
+
+For basic authentication:
+
+.. code-block:: bash
+
+ scheme://userinfo@host:port/path
+ i.e.
+ https://demo:demo123456!@example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz
+
+Authentication is based on the "userinfo" applied within the link.
+
+If no authentication is required:
+
+.. code-block:: bash
+
+ scheme://host:port/path
+ i.e.
+ https://example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz
+
+Note, effective way of authentication depends of uri provided and http server configuration.
+
+If port number was not supplied , port 443 is used by default.
+Every file is sent through separate https connection.
+
+JWT token in HTTP/HTTPS connection
+""""""""""""""""""""""""""""""""""
+
+JWT token is processed, if it is provided as a ``access_token`` in the query part of the **location** entry:
+
+.. code-block:: bash
+
+ scheme://host:port/path?access_token=<token>
+ i.e.
+ https://example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIiwiaWF0IjoxNTE2MjM5MDIyfQ.MWyG1QSymi-RtG6pkiYrXD93ZY9NJzaPI-wS4MEpUto
+
+JWT tokens are consumed both in HTTP and HTTPS connections. Using JWT token is optional. If it is provided, its
+**validity is not verified**. Token is extracted to the HTTP header as ``Authorization: Bearer <token>`` and is **NOT**
+used in URL in HTTP GET call. Only single JWT token entry in the query is acceptable. If more than one ''access_token''
+entry is found in the query, such situation is reported as error and DFC tries to download file without token. Another
+query parameters are not modified at all and are used in URL in HTTP GET call.
+
+If both JWT token and basic authentication are provided, JWT token has the priority. Such situation is considered
+as fault and is logged on warning level.