Quercus Live Link Developer’s Guide

Live Link security

Authorization keys

You can configure Live Link to require an authorization key for each request. This option should be used if you wish to prevent unauthorized individuals gaining access to exposed data.

Authorization requires the following steps:

1. Set the QLL.AUTH_KEY_TYPE parameter to require authorization and to select the authorization type.

2. Ensure that applications which use Live Links can generate the correct hash and retrieve the appropriate authorization key.

3. Ensure that each Live Link request contains an auth parameter set to the appropriate value, e.g. a hash or authorization key.

Requiring authorization

Authorization is required when the QLL.AUTH_KEY_TYPE parameter is set to KEY, MD5 or SHA1. The parameter value can be changed through the Control Centre Set-up > Parameters option.

When authorization is required but the authorization key is missing from the request (URL) or is incorrect, HTTP 403 “Not Authorized” is returned.

Setting the authorization key if QLL.AUTH_KEY_TYPE is set to KEY

If QLL.AUTH_KEY_TYPE is set to KEY the authorization key is simply the QLL.AUTH_KEY_SECRET parameter value.

Example

Assuming that the QLL.AUTH_KEY_SECRET value is set to fab123, you simply append the key to the end of the request:

https://demo.campusit.net/pls/demo/solar.qll_web.student?id=113158&serviceCode=RESERVE_PLACE&auth=fab123

Setting the authorization key if QLL.AUTH_KEY_TYPE is set to MD5 or SHA1

If the QLL.AUTH_KEY_TYPE is set to MD5 or SHA1 you must append the appropriate hash as the authorization parameter.

The hash is created from a string concatenated from all parameters separated by colons and terminated by the QLL.AUTH_KEY_SECRET value.

You must include a colon for each possible parameter, even if the parameter is not present. Calls in the student service category must contain six colons; calls in the common and staff category must contain four colons.

The examples below show how two sample queries would be constructed if the authorization key was set to fab123 and the hash type to MD5.

Example 1

https://demo.campusit.net/pls/demo/solar.qll_web.student?id=113158&serviceCode=RESERVE_PLACE

would require the MD5 hash of:

:113158:RESERVE_PLACE::::fab123

This is 52766ca84c5a6aef2797e3972cd993c4 (see, for example, md5hashgenerator.com), so the query required would be:

https://demo.campusit.net/pls/demo/solar.qll_web.student?id=113158&serviceCode=RESERVE_PLACE&auth=52766ca84c5a6aef2797e3972cd993c4

Example 2

https://demo.campusit.net/pls/demo/solar.qll_web.common?serviceCode=ONLINE_APP

would require the appropriate hash of:

ONLINE_APP::::fab123

This is ee5cde23524e74696c9297b991537575 so the query required would be:

https://demo.campusit.net/pls/demo/solar.qll_web.common?serviceCode=ONLINE_APP&auth=ee5cde23524e74696c9297b991537575

Sending the authorization parameter

To send the authorization parameter append it as an auth parameter to the Live Link query:

https://demo.campusit.net/pls/demo/solar.qll_web.common?serviceCode=ONLINE_APP&auth=ee5cde23524e74696c9297b991537575
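The three authorization modes and the colon-delimited hash string described above, as an added Python example (not part of the original guide and not Quercus code). The slot positions are inferred from Examples 1 and 2; the guide does not name the empty slots, so they are passed as None, and UTF-8 encoding of the string before hashing is an assumption.

```python
import hashlib
from urllib.parse import urlencode

# Number of colons (one per positional slot) per service category, from the guide.
SLOTS = {"student": 6, "common": 4, "staff": 4}


def signing_string(category, slots, secret):
    """Each slot is followed by a colon whether or not it has a value;
    the QLL.AUTH_KEY_SECRET value terminates the string."""
    if len(slots) != SLOTS[category]:
        raise ValueError(f"{category} calls need exactly {SLOTS[category]} slots")
    return "".join(f"{'' if v is None else v}:" for v in slots) + secret


def auth_value(key_type, category, slots, secret):
    """Value of the auth parameter for each QLL.AUTH_KEY_TYPE setting."""
    key_type = key_type.upper()
    if key_type == "KEY":
        return secret  # KEY mode: the secret itself is sent in the URL
    if key_type not in ("MD5", "SHA1"):
        raise ValueError(f"unsupported QLL.AUTH_KEY_TYPE: {key_type}")
    data = signing_string(category, slots, secret).encode("utf-8")  # assumed encoding
    return hashlib.new(key_type.lower(), data).hexdigest()


def signed_url(base_url, params, key_type, category, slots, secret):
    """Append auth as the last query parameter of the Live Link request."""
    query = dict(params, auth=auth_value(key_type, category, slots, secret))
    return f"{base_url}?{urlencode(query)}"


if __name__ == "__main__":
    secret = "fab123"  # sample secret used in the guide's examples
    base = "https://demo.campusit.net/pls/demo/solar.qll_web."
    # Example 1: student call; id and serviceCode occupy the 2nd and 3rd slots.
    s_slots = [None, "113158", "RESERVE_PLACE", None, None, None]
    print(signing_string("student", s_slots, secret))
    print(signed_url(base + "student",
                     {"id": "113158", "serviceCode": "RESERVE_PLACE"},
                     "MD5", "student", s_slots, secret))
    # Example 2: common call; serviceCode occupies the 1st slot.
    c_slots = ["ONLINE_APP", None, None, None]
    print(signing_string("common", c_slots, secret))
    print(signed_url(base + "common", {"serviceCode": "ONLINE_APP"},
                     "SHA1", "common", c_slots, secret))
```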

Checking if authorization is enabled

The result returned from the following URL:

https://demo.campusit.net/pls/demo/solar.qll_web.ping

contains the current authorization type in the Authorization field (MD5 in the example below).