Security for the Diglib REST API is handled with a signed Authorization header in the request.
The header has the form:
Authorization: {ApplicationKey}#{TimestampInMillis}#{Signature}
In Diglib’s admin interface, you can check what your ApplicationKey and SharedSecret are. The shared secret is used for HMACMD5 hashing when you generate the signature part.
Timestamp: Milliseconds since 01.01.1970 in UTC time.
Code example of how the timestamp may be constructed in C#:
DateTime t = DateTime.UtcNow;
// Unix epoch (1970-01-01 00:00:00.000 UTC) as the reference time
DateTime REFERENCE_TIME = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
TimeSpan dt = t - REFERENCE_TIME;
// The header expects milliseconds, not seconds
long totalMillis = (long)dt.TotalMilliseconds;
Code example of how the timestamp may be constructed in Java:
Calendar c = Calendar.getInstance();
long l = c.getTimeInMillis();
Signature: Generated by concatenating ApplicationKey + Timestamp and computing an HMAC-MD5 hash of the concatenated string, with the shared secret as the HMAC key. The signature must be Base64-encoded when it is sent.
Code example of how to generate the signature:
The examples assume that you have the shared secret as String secret, and String toBeHashed as the concatenation of ApplicationKey+Timestamp (without the # signs).
In Java:
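import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;

SecretKeySpec pkey = new SecretKeySpec(secret.getBytes("UTF-8"), "HmacMD5");
// Get instance of Mac object implementing HMAC-MD5, and
// initialize it with the above secret key
Mac mac = Mac.getInstance("HmacMD5");
mac.init(pkey);
byte[] result = mac.doFinal(toBeHashed.getBytes("UTF-8"));
// java.util.Base64 (Java 8+) replaces the internal sun.misc.BASE64Encoder
return Base64.getEncoder().encodeToString(result);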
And in C#:
// Requires: using System; using System.Security.Cryptography; using System.Text;
byte[] keyBytes = Encoding.UTF8.GetBytes(secret);
using (HMACMD5 myHash = new HMACMD5(keyBytes))
{
    byte[] hash = myHash.ComputeHash(Encoding.UTF8.GetBytes(toBeHashed));
    return Convert.ToBase64String(hash);
}
Failure to include the Authorization header in a REST request will result in a 403 Forbidden HTTP response. This is done in order to secure your data in a simple manner.
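
The full header construction described above, together with a receiver-side check, as an added Python example (not Diglib's own code). The function names, the sample credentials and the five-minute freshness window are assumptions; the page does not say how the server validates the timestamp.

```python
import base64
import hashlib
import hmac
import time


def sign(secret, to_be_hashed):
    """Base64(HMAC-MD5(key=secret, msg=to_be_hashed)), both UTF-8 encoded."""
    mac = hmac.new(secret.encode("utf-8"), to_be_hashed.encode("utf-8"), hashlib.md5)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_header(app_key, secret, now_ms=None):
    """Return the Authorization value: ApplicationKey#TimestampInMillis#Signature."""
    ts = str(int(time.time() * 1000) if now_ms is None else now_ms)
    # The signed string is ApplicationKey + Timestamp, without the '#' separators.
    return f"{app_key}#{ts}#{sign(secret, app_key + ts)}"


def verify_header(value, secret, now_ms, max_skew_ms=300_000):
    """Receiver-side check; max_skew_ms is an assumed freshness window."""
    parts = value.rsplit("#", 2)
    if len(parts) != 3:
        return False
    app_key, ts, sig = parts
    # Reject anything that is not a plain, reasonably short decimal timestamp.
    if not (ts.isascii() and ts.isdigit()) or len(ts) > 20:
        return False
    if abs(now_ms - int(ts)) > max_skew_ms:
        return False
    expected = sign(secret, app_key + ts)
    # Constant-time comparison: do not reveal how much of the signature matched.
    return hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample credentials, not real Diglib values.
    header = build_header("demo-app-key", "demo-shared-secret")
    print("Authorization:", header)
    print("verifies:", verify_header(header, "demo-shared-secret", int(time.time() * 1000)))
```

Because the signed string contains only the application key and the timestamp, the header authenticates the caller but does not cover the request path or body.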