I'm trying to post a login json so I can create/update nodes. I don't require any advanced authentication. I'm just testing the concept.

My understanding is:
1) That I need to use the restws_auth_basic module. Is that true or could I just send the user/password json to the drupal site url?

2) I'm using the restws_auth_basic module. I keep getting a 403 failure, and I can't figure out the json requirements. I get the same results in PHP and using the HttpRequester FF plugin. I have done the following as per instructions:

a) I enabled the restws_auth_basic module and set the settings.php to

$conf['restws_basic_auth_user_regex'] = '/^webrstest.*/';

I have written no hook functions nor do I require any (I'm just accessing posted articles).

b) I created the restwstest account with a password of 'test' and gave permissions to the restws and node functions I was using.

c) My login json is:

d) Content type is application/json

e) url is http://localhost:8082/user/login (I also tried http://localhost:8082/user/login.json, leon)

What am I doing wrong? Additionally, is there anywhere I can go to GET examples? For instance, to update a node I do a get and alter one of the fields and then a PUT back the entire node. Is that true with restws?



Anonymous’s picture


The authentication works that way:
1: login/password should be sent to the restws_basic_auth url: http://yourdrupal.com/restws/session/token.
They should be placed in the header (not in the content) using Basic access authentication.
Authorization should contain a string composed of (without quotes): "Basic " followed by a Base64 encoding of "login:passwd".

For example :

-- header--
GET http://yourdrupal.com/restws/session/token
Content-Type :	text/plain
Authorization : Basic qsdjhqsdjqsnbd:sjqdbqs=
-- content --
no content

2: The response returns a token that should be used for any further request, within the "X-CSRF-Token" header.

For example :

-- header--
PUT http://yourdrupal.com/node/<nodeid>
Content-Type :	text/plain
X-CSRF-Token: EvCdeRfltYdQTTJxBgGbNIK5d4DwxqCvDD5YqhPZaT4
Content-Type: application/json; charset=UTF-8
-- content --
{"title":"my new title"}

I use firefox Poster plug-in to test it, but I think there should be better tools for that...

KiTOxN’s picture

You must send the cookie in the headers to do a CRUD action.
After submitting the user and pass to http://example.com/restws/session/token you must get the cookie from the returned data headers.

I wrote a simple login function in python, hope it works for you.

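import base64
import urllib.request

def login(u, p):
    url = 'http://<drupal-with-restws>/restws/session/token'
    # HTTP Basic credentials: base64 of "user:password"
    auth = base64.b64encode((u + ':' + p).encode('utf-8')).decode('ascii')
    r = urllib.request.Request(url, b'', {'Authorization': 'Basic ' + auth})
    f = urllib.request.urlopen(r)
    cookie = f.headers['Set-Cookie']  # session cookie for later requests
    csrf = f.read().decode('utf-8')   # response body is the CSRF token
    return csrf, cookie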

and another function to request a node :

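import json
import urllib.request

def requestNode(nid, session, cookie):
    url = 'http://<drupal-with-restws>/node/' + str(nid) + '.json'
    headers = {'Content-Type': 'text/plain', 'X-CSRF-TOKEN': session, 'Cookie': cookie}
    # GET the node, sending the CSRF token and session cookie returned by login()
    r = urllib.request.Request(url, headers=headers, method='GET')
    f = urllib.request.urlopen(r)
    js = json.loads(f.read().decode('utf-8'))
    return js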

Hope it helps you.
Sorry for my poor English.

mtift’s picture

Here is a (procedural) way of grabbing the data using PHP:


// Login to the site
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'http://<drupal-with-restws>/restws/session/token');
curl_setopt($curl, CURLOPT_USERPWD, "restws_user:password");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HEADER, 1);

// Parse the header to get the token and cookie
$result = curl_exec($curl);
$token = substr($result, (strlen($result) - 43));
preg_match('/^Set-Cookie:\s*([^;]*)/mi', $result, $m);
$cookie = $m[1];

// Pull all nodes in json format
curl_setopt($curl, CURLOPT_URL, 'http://<drupal-with-restws>/node.json?type=article');
$headers[] = 'Content-type: application/json';
$headers[] = "X-CSRF-Token: $token";
$headers[] = "Cookie: $cookie";
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$json = curl_exec($curl);

greggles’s picture

Status: Active » Fixed

Lots of good advice in this issue so far.

Nobody else has mentioned this so far, but I think that the username restwstest will not match the regular expression pattern: '/^webrstest.*/' which would prevent the user from being logged in.

Marking this fixed as there has been no followup from the original poster and there is some good advice on how to work with the module.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

aalamaki’s picture


I've been struggling with trying to get the code from #3 to work with the 7.x-2.0-alpha5 version of the module with no luck. Problem is when printing out the $result from just above the $token definition in the code, I get "HTTP/1.0 401 Unauthorized" etc. What I have done so far:

- enabled the restws and the basic auth module, didn't setup anything in settings.php
- created a user "aalamaki" and gave the necessary administrator role to access the restws
- trying to run the code on localhost from the command line on linux, the Drupal is running on the same server

Been trying this on two different servers now with no luck, could someone try to point me in the correct direction, is there something else required? Any help would be greatly appreciated... :)

giorgio79’s picture

Title: Cannot determine what is the required minimal authentication » Cannot determine what is the required minimal authentication
Version: 7.x-2.0-alpha5 » 7.x-2.0-alpha4

Here is a working php curl login

Worked for me for Rest WS

$process = curl_init("http://mysite.com/services/session/token");
curl_setopt($process, CURLOPT_HTTPHEADER, array('Content-Type: application/xml', $additionalHeaders));
curl_setopt($process, CURLOPT_HEADER, 1);
curl_setopt($process, CURLOPT_USERPWD, "restwsusername:pass");
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_POST, 1);
curl_setopt($process, CURLOPT_RETURNTRANSFER, TRUE);
$return = curl_exec($process);

PS :


SMRussell’s picture

Title: Cannot determine what is the required minimal authentication » Cannot determine what is the required minimal authentication
Version: 7.x-2.0-alpha4 » 7.x-2.0-alpha5

Hi all

I've just spent a few hours trying to work out how authentication works in RESTWS. The comments above are each only part of the story. Here's how I think it works. Correct me if I'm wrong.

Basically, you have two choices:

1. You can make REST calls (from within a browser with jQuery, for example) so long as you are logged in; that is, you have a valid session cookie. To prevent CSRF attacks, you will first need to go through the process in #1 above to get a token for a X-CSRF-Token header. You include this header in future requests, and your browser will provide the session cookie. (In case you're wondering, you need to provide the Authorization header to prove you're entitled to get the token.)

2. You use a Basic Authorization header on all REST calls. You don't need a session cookie. The format for the Authorization header is as specified in #1 above; ie

Authorization: Basic qsdjhqsdjqsnbdsjqdbqs=

The parameter is a base-64 encoding of the string "username:password".

BUT ... to use this option, you need to

a. Enable the "Basic authentication login" module (it's in the "Others" category)

b. Use a user account that starts with the required prefix; the default is "restws", as shown in #7 above. See the discussion in #1946108: Document the motivation for restws_basic_auth_user_regex for the motivation for this feature. Make sure you assign the appropriate permissions to your restws user account. (I put mine into an admin role I already had on my site. You might want to be more selective.)

Thanks to klausi for his help in figuring this out, and for the project. I think it's a very interesting addition to Drupal.
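A pre-flight check for the two requirements this thread keeps tripping over (a well-formed Basic Authorization header, and a username that matches restws_basic_auth_user_regex), as an added example that is not part of any comment above or of the module's code. The function names are hypothetical, the default pattern '/^restws.*/' is assumed from the "restws" prefix mentioned above, and the credentials are constructed samples.

```python
import base64
import binascii
import re


def basic_auth_header(username, password):
    """Build the Authorization value: 'Basic ' + base64('username:password')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header_value):
    """Return (username, password), or None if the header is malformed."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the parts; a password may contain colons.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def username_allowed(username, php_regex="/^restws.*/"):
    """Apply a PHP-style '/pattern/' regex (flags not handled) to the username."""
    pattern = php_regex[1:php_regex.rindex("/")]
    return re.search(pattern, username) is not None


def diagnose(header_value, php_regex="/^restws.*/"):
    """Say why a Basic-auth REST call would not log the user in, or 'ok'."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return "malformed Authorization header"
    if not username_allowed(creds[0], php_regex):
        return f"username {creds[0]!r} does not match {php_regex}"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the account and regex from the original question.
    print(diagnose(basic_auth_header("restwstest", "test"), "/^webrstest.*/"))
    # A placeholder value that is not valid base64 (it contains a colon).
    print(diagnose("Basic qsdjhqsdjqsnbd:sjqdbqs="))
```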

jasonlttl’s picture

Issue summary: View changes

I tried all the examples here with no success (possibly my bad) but was able to piece together a working example from #8 and prior posts. Below are the assumptions and some simple sample code:

  • basic authentication module is on
  • username begins with restws (or you change the regex described above)
  • user has permission to the resources in question (restws creates api permissions)

$site = 'https://somewhere.edu';
$user = 'restws.whatever';
$pass = 'your-password';

$ws = new DrupalRestWS($site, $user, $pass);
print_r($ws->get('node', 'json'));

class DrupalRestWS {

  private $base;
  private $user;
  private $pass;

  public function __construct($base, $user, $pass) {
    $this->base = $base;
    $this->user = $user;
    $this->pass = $pass;
  }

  // GET <base>/<resource>.<format> using HTTP Basic authentication.
  public function get($resource, $format) {
    $ch = curl_init($this->base . '/' . $resource . '.' . $format);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-type: application/json'));
    curl_setopt($ch, CURLOPT_HEADER, 1);
    // CURLOPT_USERPWD takes the plain "user:password" pair; curl does the
    // base64 encoding for the Authorization header itself.
    curl_setopt($ch, CURLOPT_USERPWD, $this->user . ':' . $this->pass);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    $response = curl_exec($ch);
    // Split the response headers from the JSON body.
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $header = substr($response, 0, $header_size);
    $json = substr($response, $header_size);
    curl_close($ch);
    return json_decode($json);
  }

}

As an aside, there are a few projects on GitHub that may also be helpful if you search for restws and drupal.