Security

Every call made to the SlingShot Web Service API must contain a security token as a header parameter (‘X-Security-Token’).

What you need

You need a Web Service UID and a shared secret key to create a valid security token. Contact Surgent Networks to get yours.

Token

The security token expected is of the form [Web Service UID]:[Encrypted Token]

  • The Web Service UID serves to establish the identity of the caller
  • The Encrypted Token serves to verify the caller's claimed identity

Create an Encrypted Token by building the following string and encrypting it with AES (see the Java sample code below):

[Unique Token Id]:[Timestamp]:[Web Service UID]
  • The Unique Token ID is any unique string you choose. This ensures that every token is used only once.
  • The Timestamp is the current time in milliseconds. This ensures that a token is only valid for a limited time (60 minutes for the test environment).
  • The Web Service UID is repeated inside the encrypted string so that the unencrypted Web Service UID at the front of the token can be verified against it.

Following is an example Security Token:

ba230daf-124b-4c16-b002-8d85fa78301e:bUjmK9Qapul-RZEDOBqScPxupsBhLhiBHqaJzCIud8i8lmVJxFlF-Maf3gRSIKGuEB-U7HNyuzzcJ-RKL75cvD9NW8_3vloZV0ARPICsra8yRkjoQaT-66uxxp8jAHr7

How to get your Token?

There are three different ways to get your security Token:

1. Authentication Service

For testing purposes we created a Web Service that will generate a token for you based on your SlingShot Web Service ID and Secret Key. Go here for details.

2. Client Token Generator

For your convenience, Surgent Networks distributes the “Token Generator,” a Java library you can use in your code or execute on the command line to generate tokens for communication with the SlingShot Web Service API.

Command Line

Switch to the folder where the Token Generator .jar is located and execute:

java -jar TokenGenerator-1.0-SNAPSHOT-jar-with-dependencies.jar [wsuid] [secretkey]

Java Code

Add the Token Generator Library to your Java Project and call the public static methods:

TokenGenerator.getFullToken(guid, key) or
TokenGenerator.generateToken(guid, key)

The second method will only create an Encrypted Token. The first method creates a full security token.

3. Java Sample Code

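import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
// Apache Commons Codec; its three-argument encodeBase64 is used below.
import org.apache.commons.codec.binary.Base64;

// tokenUid, wsUid and key (the Base64-encoded shared secret) are supplied by the caller.
String sCompositeValue = tokenUid + ":" + System.currentTimeMillis() + ":" + wsUid;
// Named keySpec so that it no longer shadows the key string it is built from.
SecretKeySpec keySpec = new SecretKeySpec(Base64.decodeBase64(key.getBytes(StandardCharsets.UTF_8)), "AES");
String encryptedToken = null;
try
{
    // With the default JCE provider, "AES" resolves to AES/ECB/PKCS5Padding.
    final Cipher cipher = Cipher.getInstance("AES");
    cipher.init(Cipher.ENCRYPT_MODE, keySpec);
    final byte[] encrypted = cipher.doFinal(sCompositeValue.getBytes(StandardCharsets.UTF_8));
    // URL-safe Base64 without line breaks (isChunked = false, urlSafe = true).
    encryptedToken = new String(Base64.encodeBase64(encrypted, false, true), StandardCharsets.UTF_8);
}
catch (GeneralSecurityException e)
{
    throw new IllegalStateException("Could not create the encrypted token", e);
}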
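
The Token section above states what each field of the encrypted string is for. The following added example (not part of the original page and not Surgent Networks' code) sketches how a receiving side could enforce those three properties. The class name, demo key, UID and token ID are constructed, java.util.Base64 stands in for Commons Codec, and applying the 60-minute window in both directions is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class TokenCheckExample {                                  // hypothetical class name
    static final long MAX_AGE_MS = 60 * 60 * 1000L;              // 60 minutes (test environment)
    // Token IDs already accepted; entries older than MAX_AGE_MS could be purged.
    static final ConcurrentHashMap<String, Long> SEEN = new ConcurrentHashMap<>();
    // Returns null when the token is accepted, otherwise the reason for rejecting it.
    static String check(String fullToken, byte[] aesKey, long nowMs) {
        int sep = fullToken.indexOf(':');                         // [Web Service UID]:[Encrypted Token]
        if (sep < 1) return "malformed token";
        String claimedUid = fullToken.substring(0, sep);
        String payload;
        try {
            Cipher cipher = Cipher.getInstance("AES");            // same transformation as the page's sample
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(aesKey, "AES"));
            byte[] plain = cipher.doFinal(Base64.getUrlDecoder().decode(fullToken.substring(sep + 1)));
            payload = new String(plain, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return "cannot decrypt";                              // bad Base64, wrong key or bad padding
        }
        // Split from the right so a token ID that itself contains ':' still parses.
        int uidSep = payload.lastIndexOf(':');
        int tsSep = payload.lastIndexOf(':', uidSep - 1);
        if (tsSep < 1) return "malformed payload";
        if (!payload.substring(uidSep + 1).equals(claimedUid)) return "UID mismatch";
        long issued;
        try { issued = Long.parseLong(payload.substring(tsSep + 1, uidSep)); }
        catch (NumberFormatException e) { return "bad timestamp"; }
        if (Math.abs(nowMs - issued) > MAX_AGE_MS) return "outside validity window";
        if (SEEN.putIfAbsent(payload.substring(0, tsSep), issued) != null) return "token ID already used";
        return null;
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed 16-byte demo key
        String uid = "demo-ws-uid";                                        // constructed Web Service UID
        long now = System.currentTimeMillis();
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        byte[] enc = c.doFinal(("token-0001:" + now + ":" + uid).getBytes(StandardCharsets.UTF_8));
        String token = uid + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(enc);
        System.out.println(check(token, key, now));                        // fresh token
        System.out.println(check(token, key, now));                        // same token presented again
        System.out.println(check("other-uid" + token.substring(uid.length()), key, now)); // UID prefix swapped
        System.out.println(check(token, key, now + MAX_AGE_MS + 1));       // presented after the window
    }
}
```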