Using [SupportedModules("XXX")] with 2sxc

Dec 14, 2015 at 3:44 PM
If we set up a WebAPI using DNN's Service Framework and then call it from a JavaScript (AngularJS) application in a 2sxc view and want to use [SupportedModules("XXX")], what should we filter for since our AngularJS app won't be a real DNN module?

On a normal DNN module it would be something like:
[SupportedModules("NameOfMyModule")]
[DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.View)]
but that probably won't work with 2sxc? Should we use something like [SupportedModules("App")] since that is the name of the DNN module (at least I think it is)?
Coordinator
Dec 15, 2015 at 10:57 AM
2sxc re-configures the angular $http to include the dnn security headers. So the standard attributes you show should work.
Coordinator
Dec 15, 2015 at 10:58 AM
The supported module should be "2sxc" or "2sxc-app" - you can look at API examples in https://github.com/2sic/2sxc/blob/master/SexyContent/ViewAPI/ModuleController.cs#L19
Dec 16, 2015 at 12:25 PM
2sicDev wrote:
The supported module should be "2sxc" or "2sxc-app" - you can look at API examples in https://github.com/2sic/2sxc/blob/master/SexyContent/ViewAPI/ModuleController.cs#L19
Thanks.

But won't this be problematic if you have several applications built in 2sxc and want them to have different permissions? Like if you have a "Frontoffice" module for customers and a "BackOffice" module for backoffice personnel and only want to make a WebAPI function available to one of them. Both would then be running as [SupportedModules("2sxc,2sxc-app")], right?
Coordinator
Dec 21, 2015 at 8:44 AM
That's not a problem because you shouldn't control security over that attribute. Use the
[DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.View)]
on each method with the appropriate security access level. That's the way you should do it.
Dec 21, 2015 at 9:51 AM
2sicDev wrote:
That's not a problem because you shouldn't control security over that attribute. Use the
[DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.View)]
on each method with the appropriate security access level. That's the way you should do it.
But don't these two methods require each other? I was under the impression that you had to use the SupportedModules in order for the other to work. At least we never got it to work without it, but the whole Service Framework seems a bit shaky in the current version and with poor documentation. Anyway, we decided to use the StaticRoles attribute for authorization instead, which is more in line with our requirements, a feature which isn't mentioned at all on any of the documentation pages (really blog pages).
Coordinator
Dec 21, 2015 at 10:56 AM
We've been using all this very intensively for years now, and since 2sxc 8 it's basically our backbone and we haven't had any issues. They are completely different security mechanisms - and there's also the SecurityToken. Each solves a different problem and you can apply them to a class or to a method as you need.

Note that if all you want is read/write of content-types, then you can skip the custom API and just use the default REST api because you can configure the security there too.
Dec 21, 2015 at 12:56 PM
2sicDev wrote:
We've been using all this very intensively for years now, and since 2sxc 8 it's basically our backbone and we haven't had any issues. They are completely different security mechanisms - and there's also the SecurityToken. Each solves a different problem and you can apply them to a class or to a method as you need.

Note that if all you want is read/write of content-types, then you can skip the custom API and just use the default REST api because you can configure the security there too.
Thanks for providing good feedback.

The problem with the Service Framework as I see it is that it is poorly documented and thus requires a bit of trial and error to get acquainted with. Not sure if Evoq differs in this regard though.

Not sure what you refer to as "custom API"?
Coordinator
Dec 23, 2015 at 11:50 AM
2sxc has two ways of API - one is the javascript REST API which doesn't need any server code - see http://2sxc.org/en/Docs-Manuals/Feature/feature/4735

The other is a custom web-api which you code - which is what you seem to have been looking into http://2sxc.org/en/Docs-Manuals/Feature/feature/3361
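
The attribute combination discussed in this thread, as an added example that is not part of the original posts or of 2sxc's own code: [SupportedModules] limits which module type may call the controller, while [DnnModuleAuthorize] and [DnnAuthorize(StaticRoles = ...)] decide per method who is allowed. The namespace, controller, action names, route folder name and the "BackOffice" role are hypothetical.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Web.Api;

namespace Example.Orders.Api // hypothetical namespace
{
    // Class level: accept calls only when the calling module is a 2sxc module.
    // This filters by module type; it does not check any user permission.
    [SupportedModules("2sxc,2sxc-app")]
    public class OrdersController : DnnApiController // hypothetical controller
    {
        // Readable by anyone with View permission on the calling module instance.
        [HttpGet]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.View)]
        public HttpResponseMessage List()
        {
            return Request.CreateResponse(HttpStatusCode.OK, new[] { "order-1", "order-2" });
        }

        // State-changing call: needs Edit permission on the module instance and an anti-forgery token.
        [HttpPost]
        [ValidateAntiForgeryToken]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
        public HttpResponseMessage Approve(int id)
        {
            return Request.CreateResponse(HttpStatusCode.OK, new { id, approved = true });
        }

        // Role check that does not depend on module permissions:
        // only members of the (hypothetical) "BackOffice" portal role pass.
        [HttpGet]
        [DnnAuthorize(StaticRoles = "BackOffice")]
        public HttpResponseMessage Report()
        {
            return Request.CreateResponse(HttpStatusCode.OK, new { openOrders = 2 });
        }
    }

    // Registers the routes with DNN's Service Framework ("ExampleOrders" is a hypothetical folder name).
    public class RouteMapper : IServiceRouteMapper
    {
        public void RegisterRoutes(IMapRoute mapRouteManager)
        {
            mapRouteManager.MapHttpRoute("ExampleOrders", "default", "{controller}/{action}", new[] { "Example.Orders.Api" });
        }
    }
}
```

With this layout a "Frontoffice" and a "BackOffice" 2sxc app can share the same [SupportedModules] value, and the difference in access comes from the per-method authorization attributes and the permissions or roles configured in DNN.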