Since 5.0, two authentication methods are supported: session, and basic.

Session based authentication is meant to be used for AJAX operations. It will let you re-use the visitor's session to execute operations with their permissions.

Basic authentication is often used when writing cross-server procedures, when one remote application executes operations on one/several eZ Publish instances (remote publishing, maintenance, etc).

The default authentication method in 5.x is Basic authentication. As of release 2015.01, Session has been changed to be default.

Session based authentication

This authentication method requires a Session cookie to be sent with each request.

If this authentication method is used with a web browser, this session cookie is automatically available as soon as your visitor logs in. Add it as a cookie to your REST requests, and the user will be authenticated.

Setting it up

Not needed as of 2015.01 release as default is now Session.

To enable session based authentication, you need to edit ezpublish/config/security.yml, and comment out / remove the configuration block about Basic Auth (shown in the following section).

As of 5.3 / 2014.04, you also need to add the following configuration in your ezpublish/config/security.yml:

--- a/ezpublish/config/security.yml
+++ b/ezpublish/config/security.yml
@@ -33,6 +33,7 @@ security:
             pattern: ^/
             anonymous: ~
+            ezpublish_rest_session: ~
                 require_previous_session: false
             logout: ~


Logging in

It is also possible to create a session for the visitor if he isn't logged in yet. This is done by sending a POST request to /user/sessions. Logging out is done using a DELETE request on the same resource.

Session based authentication chapter of the REST specifications

HTTP Basic authentication

To enable HTTP Basic authentication, you need to edit ezpublish/config/security.yml, and add/uncomment the following block. Note that this is enabled by default.

            pattern: ^/api/ezp/v2
            stateless: true
                realm: eZ Publish REST API

Basic authentication requires the username and password to be sent (username:password), based 64 encoded, with each request, as explained in RFC 2617.

Most HTTP client libraries as well as REST libraries do support this method one way or another.

GET / HTTP/1.1
Accept: application/vnd.ez.api.Root+json
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==