Security token
API links that call the upload pop-up tool can be protected against being manually copied and used by a different user under the existing SessionID.
Token-based security is used to protect a call to the upload tool.
The token is encrypted by the application calling the MFT FS API, using a secret key shared with MFT FS.
The token is passed to the MFT FS server and is decrypted using the shared key.
The security token structure for the upload tool is represented in JSON with the following fields:
{
"Version",
"FolderID",
"Email",
"AllowedIP",
"TimeStamp",
"Session"
}
Where the parameters are:
- Version: Version of the token object. Supported value: 1.
- FolderID: ID of the folder that the upload tool uploads files or folders to, returned by one of the folder management API calls.
- Email: Email of the user to record in the audit records with the operation. Can be different from the user account which opened an MFT FS server.
- AllowedIP: IP address allowed to perform the upload; it is checked by the MFT FS server. If the IP address of the connecting browser does not match AllowedIP, the operation is blocked.
- TimeStamp: Time of token creation, used for token validation to protect against token replay. The MFT FS server checks that the token is not beyond the expiration time interval defined in the MFT FS server.
  Note: Date must be in the format MM/DD/YYYY H:MM PM.
- Session: Unique identifier of the MFT FS user session, received as the result of an Open() or OpenImmutable() call. It is used for access control and logging purposes.
Sample Token:
{
"Version": "1",
"FolderID": "1056",
"Email": "external-download-test@thru.com",
"AllowedIP": "64.95.64.190",
"TimeStamp": "10/04/2013 11:05:11",
"Session": "a2a1163e-555a-469d-bfb4-4da33980409b"
}
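The following added example (not MFT FS code) applies the checks described above to a token that has already been decrypted. The function name `validate_token`, the five-minute expiry, UTC timestamps, the TimeStamp format taken from the sample token, and the comparison of Session with the caller's session are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

REQUIRED = ("Version", "FolderID", "Email", "AllowedIP", "TimeStamp", "Session")
TS_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumption: format used by the sample token
MAX_AGE = timedelta(minutes=5)   # assumption: the real interval is set in MFT FS server


def validate_token(token_json, client_ip, session_id, now):
    """Return (ok, reason) for a decrypted token; times are treated as UTC (assumption)."""
    try:
        token = json.loads(token_json)
    except json.JSONDecodeError:
        return False, "not valid JSON"
    if not isinstance(token, dict):
        return False, "not a JSON object"
    missing = [f for f in REQUIRED if f not in token]
    if missing:
        return False, "missing field: " + missing[0]
    if str(token["Version"]) != "1":
        return False, "unsupported version"
    try:
        # Compare parsed addresses so equivalent spellings of one IP still match.
        if ip_address(token["AllowedIP"]) != ip_address(client_ip):
            return False, "IP mismatch"
        issued = datetime.strptime(token["TimeStamp"], TS_FORMAT).replace(tzinfo=timezone.utc)
    except (ValueError, TypeError):
        return False, "malformed AllowedIP or TimeStamp"
    age = now - issued
    # Replay protection: reject expired tokens and tokens dated in the future.
    if age < timedelta(0) or age > MAX_AGE:
        return False, "token expired or not yet valid"
    # Assumption: Session is compared with the session presented on the request.
    if token["Session"] != session_id:
        return False, "session mismatch"
    return True, "ok"


# Constructed input: the sample token from this page.
SESSION = "a2a1163e-555a-469d-bfb4-4da33980409b"
SAMPLE = json.dumps({
    "Version": "1", "FolderID": "1056", "Email": "external-download-test@thru.com",
    "AllowedIP": "64.95.64.190", "TimeStamp": "10/04/2013 11:05:11", "Session": SESSION,
})
NOW = datetime(2013, 10, 4, 11, 7, 0, tzinfo=timezone.utc)  # two minutes after issue
```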
The calling application should use the following methods and options to encrypt the token:
- Encryption algorithm: Advanced Encryption Standard (AES-256) symmetric algorithm.
- Encryptor specified key: Shared key in base64string format
- Initialization vector (IV): Shared key in base64string format
The security token in the URL should use base64string format.
Sample of token encryption parameters:
- Encryptor specified key: AFA3wdfEuCrdFw8QaHFzN6LRXaBoCTHxcWnqNImp7g3=
- Initialization vector (IV): JHnmhMkTjkl8fHqYx/l7bA==
- Encrypted token in base64string format: jGldNNh7rMjT/fLL27vyQDPXUl/UjBKKfgrzLAxmopIxotP/T20Mz5J180jhG3Soqkz8bB1AV6rz3NMcyYtmm3mdo+CLeD0FDfgJZ6cw1Iqs9V+R79KsJ1mzfUKGrgQmrOq1NlosLcBtzmoVLK4+Cqkt+bkNBdYoYw8DITFkHd/VsEHCnk5pjPd89mDATyjTu4xMCXFVH20lP7tTOU75k61LLSj3×6bHzCuorKcUzp7nuvxv e0se9cOdFQ3TA6XH78IMGmdoOz9JgDPIThjeO==