K2 API - services K2

Introduction

Server of web services K2 (API) is a web application which runs on the web server Microsoft Internet Information Services (IIS). Through the application server K2, it makes the data of the K2 information system accessible and allows running of scripts and reports.

Web services are based on the REST technique, ie. communication is under way via HTTP protocol and via standard methods GET (reading data), POST (create data), PUT (modification of existing data).

One can read the data or send the data either in XML or JSON format.

After entering the URL root address API into the browser, it is possible to browse the basic description of the services and resources/operations using dynamic help.

pic_3917

Picture: Dynamic help of API

Note: If this page is displayed, it means, that the first communication API with the application server was successfully completed. If an error page IIS is displayed instead of it, then it means, that the communication was failed and probably the error is in API configuration or the application server does not run.

Installation and basic settings

Prerequisites

In K2 AP at least one thread (Number of shared users) must be available under the K2 license, and in The K2 license and the corresponding number of anonymous users with a login composed of the same prefix and at the end supplemented by a serial number (eg "AN1" - "AN5"). These users must have the same rights and the same password.
The installed and running application server with the checked "Configure application server for web services server" option during installation. If this option was not checked during installation, it is possible to add the following parameters in theK2.INI configuration file for an existing AS installation (example for 5 threads and users named AN1 - AN5):

AS3USER='AN'
AS3PASSWORD='ANPassword'
AS3USERS=5
AS3IO=2000034152

The server on which the K2 API will be installed must be available IIS s installed ASP.NET and WCF support. When installing IIS, the following components must be selected:
- Roles: Default + Application Development (.NET 4.5, ASP.NET 4.5), Administrative Tools (including IIS 6 compatibility); Don't check: Publishing WebDAV
- Functions: Activation Service (Process Model), WCF Services (HTTP Activation), .NET 4.5, ASP.NET 4.5

In In case of HTTPS installation correctly set certificate in IIS
In Incase of publication API for internet access, allowed used HTTP / HTTPS ports (80/443 by default)

Recommended deployment for accessing API from the Internet:

The K2 application server should always be installed on a server accessible only on the internal network. It is recommended to install the K2 API and any other web applications on a separate server, which is accessible from Internet and has limited access to the internal network allowing only communication with K2 AS.

K2 installation

This is done using the K2 Installer. The K2 API installation program checks the availability of the basic required components before starting the installation, eventually warns of missing components and the installation is stopped.

You need to enter some information during the installation:

Target directory - any directory can be selected, it does not have to be in the IIS root directory
IIS Server Name - enter the name that will be used to access theSWS server. For test installations it is also possible to enter "localhost" - under this name API will be available only on the given server.
Web Site (IIS) - choose, onto which Web Site you want to install API. By default, only "Default Web Site" is available on IIS.
Application name on IIS - part of the URL address to API after the server name. If the name of the server is "mujserver.cz" and user specifies "restservice" as the name of the application, then the basic URL for accessing K2 API will be http://myserver.com/restservice
The name or IP address of the computer where the K2 AS is running
K2 AS instance name - specified when installing K2 AS

The most common problems with API installation and configuration

Wrong server name or IP address with AS or incorrect AS instance name - check and possibly edit manually in K2 API configuration file - web.config file in the K2 API installation directory. Check that nothing is blocking network communication between the API server and the AS server
AS is not configured for API - add configuration see the Prerequisites section above
Anonymous users are missing or prohibited - see. the Prerequisites section above
In There is no number of shared users in the K2 licence or this number is exceeded - update the K2 licence
Missing IIS components - check IIS components, see the Prerequisites section above

In most cases logging API or AS will help. Enabling K2 API logging is done in web.config configuration file, LogPath parameters (path to log file), LogLevel (types of messages to be logged, at least Info is recommended for debugging), LogRequests (allows you to monitor the processing of individual requests to the K2 API in case of concurrence of several requests at once).

Structure of URL address

Using the URL address we determine a means (mostly data, a record), we want to work or operation you run.

URL basic format:

<address of a server>/{xml/}<service name>/<means or operation>{?optional parameters}

<address of a server> it is the root address of API. For example http://mujserver.cz/restservice
{Xml} – optional switch. If it is stated in URL, we require an output in XML format, if it is not stated, we require JSON format
<service name> - specification of the concrete API service, which we want to use
<means or operation> - determining the concrete requirement
{?optional parameters} – possible parameters specific for the given requirement

Web services

Data - A service which serves to work with data objects (data modules).

Meta – A service which enables to get a description of the data object structure.

Formation - It enables to run the scripts and reports.

FormationDefinition – It enables to get the definition of the scripts and reports.

Eshop – it groups special resources and operations for K2 e-shop.

Notification - Support for notifications.

Data service

It serves to work with data (data objects) saved in K2.

The list of the data object records

GET /Data/{classname}?<optional parameters>

The requirement serves to read a list of data objects of {classname} type. A list is paginated, all records are not read at once. Unless otherwise specified by using optional parameters, the first 30 records with values of default columns and all components of primary key are returned.

Parameters:

{classname} – name of the data object class (e.g. TD_Part), or alias (an alternative name, e.g. Part)
Fields – a list of the names of data fields the values of which should be returned, separated by comma. You can also enter a path to the fields through a link or enter the name of the child module followed by the name of a field from the child data object (individual field names of the path are separated by dot).
orderBy - a list, of the names of data fields, according to which we want to sort the data, separated by comma. For a descending order it is necessary to take a sign - (minus) in front of the field name.
pageSize – the required number of records on one page (how many records will be max. returned in one answer). When entering the value -1, the pagination will be banned and all records will be returned at once.
page - a variable controls the shift to the other pages - possible values are last, prev, next, first
pageState – internal variable which identifies the current page. A value of this variable (resp. the whole URL address) is always returned in an answer of the server.
orOperator - it determines a logical conjunction between the individual conditions in conditions
conditions – used for filtering data (ie compilation of selections of data module).

Individual conditions have this form:
field;[!]LT|LE|GT|GE|EQ|NE[@];"value"|value
field;[!]EMPTY
field;[!]LIKE[*][^][#];"value"|value
field;[!]IN;"value1"|value1[;"value2"|value2]...
field;[!]BETWEEN;"valueFrom"|valueFrom;"valueTo"|valueTo
field - the name or path to a data field
! - the negation of conditions
@ - a name or a path to the other data field, the value of which should be used for a comparison, is expected instead of a constant in the parameter
value - value of operand
"value" - value of an operand, if there it is necessary to use a delimiter character (comma or semicolon) in it
The possible operators:
- LT - smaller
- LE - smaller or equal
- GT - greater
- GE - greater or equal
- EQ - equal
- NE - not equal
- EMPTY - a value of a field is empty (not entered)
- IN - in a set
- BETWEEN - between
- LIKE - Comparison of text strings (condition "contains", "at beginning", etc.)
- • the character * behind the LIKE operator means permission of wildcards in a value. There can be any character(s) on the place of the character * in a value. Unless stated LIKE*, character * in the value is taken as part of a truly value.
- • the character ^ behind the LIKE operator activates the case sensitive option.
- • the character # behind the LIKE operator means the change of the conditions to "at beginning" mode. When evaluation the conditions, a wildcard is automaticaly added before the entered value.

Note: One can use ProgName or AliasName (usually ProgName translated to English language) as a field name in all parameters. AliasName is always returned in an answer of API.

Structure of the answer:

<PagedList>
<Items> // List of the class data objects{classname}
</Items>
<FirstPageURL /> // URL address of the first page
<NextPageURL /> // URL address of the next page
<PrevPageURL /> // URL address of the previous page
<LastPageURL /> // URL address of the last page
<RequestedFields /> // names of the returned data fields (e.g. default columns)
</PagedList>

Examples:

http://localhost/WS136/xml/Data/Part - it returns the first 30 partners with the default columns, ordered according to a primary key.

http://localhost/WS136/xml/Data/Part?fields=Name,ID_NO,Group.Abbr,EAddress.FullEAddress&orderBy=Name&pageSize=10 – it returns the first 10 partners listed by name with the following fields: name, ID-No, group abbreviation, to each partner all items e-mail addresses (field value FullEAddress).

http://localhost/WS136/xml/Data/Part?conditions=PartnerId;GT;10,Abbr1;LIKE*;Shell* - it returns max. the first 30 partners, whose partner´s number is greater than 10 and an abbreviation begins with "Shell".

POST /Data/GetList/{classname}

It is an alternative of the previous calling. In the body of the POST request is expected DataParameterFields object with the same parameters as possible to enter in the URL address GET request. This calling solves the limitations of the maximum length of the URL in the case of complex queries.

Structure of the request body:

Detail of the specific data object

GET /Data/{classname}/{*PrimaryKeys}/?<optional parameters>

It serves to read a detail of the one concrete record specified by using a primary key.

Parameters:

{classname} - name of the data object class (e.g. TD_Part), or the short name (Part)
{*PrimaryKeys} - parts of primary key separated by the sign /. For two-part primary key e.g. /Data/{classname}/first part/second part
Fields – a list of the names of data fields the values of which should be returned, separated by comma. You can also enter a path to the fields through a link or enter the name of the child module followed by the name of a field from the child data object (individual field names of the path are separated by dot).

Structure of the response:

<DataObjectWrapper>
<DOClassName /> // classname of a returned data object
<FieldValues> // collection with values of data fields
<NameValue> // one data field
<Name></Name> // name of data field (alias)
<Value></Value> // value of a data field or a linked data object <NoPermission /> // flag that the user does not have the right to the field value
</NameValue>
...
</FieldValues>
<ItemURL /> // URL address of the detail of this data object</DataObjectWrapper>
</ DataObjectWrapper>

Note: NoPermission flag appears set to true only if the field value can not be obtained due to the evaluation of the rights to reading the field. In this case, no field value is sent - the Value property.

Example:

http://localhost/WS136/xml/Data/Part/15 - it returns a detail of a record of the partner number 15 with data fields by the default columns.

Creating the new record

POST /Data/{classname}?<optional parameters>

Sending of the data object, which should be created and saved into the K2 database. Detail of the saved record is returned in the response.

Parameters:

{classname} - name of the data object class (e.g. TD_Part), or the short name (Part)
Fields – a list of the names of data fields the values of which should be returned, separated by comma. You can also enter a path to the fields through a link or enter the name of the child module followed by the name of a field from the child data object (individual field names of the path are separated by dot).

Structure of the request body:

object DataObjectWrapper with entered values of data fields

Structure of the response:

It is identical as with reading the detail of the particular record by using the GET method

Change of the existing record

PUT /Data/{classname}/{*PrimaryKeys}/?<optional parameters>

Sending the modified data object back to the K2 database. Detail of the saved record is returned in the response.

The process of modification of an existing record takes place so that we normally first read the data object through the API, edit the values of its fields and through this request we send it back to save it. It is important always to load and pass the value of the "TimeStamp" data field back (or more precisely of all system fields - more in the description of the detailed structure of data object of the Meta service). If the value of the TimeStamp field (or more precisely values of the system fields) will not be sent back, the operation fail. Purpose of the check of the TimeStamp field is to prevent collisions when the record is edited by more users at the same time (i.e. if the object was edited by another user between the events of loading and saving).

When editing dependant items, a particular item can be labeled "Deleted". After sending to API, this item will be deleted within saving changes in the header and items. An edited or deleted item must have stated all components of its primary key in the request.

Parameters:

{classname} - name of the data object class (e.g. TD_Part), or the short name (Part)
{*PrimaryKeys} - parts of primary key separated by the sign /. For two-part primary key e.g. /Data/{classname}/first part/second part
fields - comma-separated list of the names of data fields the values of which should be returned. You can also enter a path to the fields through a link or enter the name of the child module followed by the name of a field from the child data object (individual field names of the path are separated by dot).

Structure of the request body:

object DataObjectWrapper with entered values of data fields

Example when deleting item:

<DataObjectWrapper xmlns="K2.Data" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<DOClassName>Part</DOClassName>
<FieldValues>
…
<NameValue>
<Name>ListBusinessChild</Name>
<Value i:type="ChildDataObjectWrapper">
<Items>
<Item>
<DOClassName>MBusiness</DOClassName>
<Deleted>true</Deleted>
<FieldValues>
<NameValue>
<Name>RID</Name>
<Value i:type="a:long" xmlns:a="http://www.w3.org/2001/XMLSchema">8495445311489</Value>
</NameValue>
</FieldValues>
</ Item>
</Items>
Value
</NameValue>
</FieldValues>
</ DataObjectWrapper>

Structure of the response:

It is identical as with reading the detail of the particular record by using the GET method

META service

It serves for getting a structure of the data objects

The list of the available data objects published for the API

GET /Meta

Structure of the response:

<DataObjectMetaData> // information about one data object class
<Caption /> // displayed name
<ClassName /> // classname – class name used in URL
<IsHeader /> // flag, if it is a header type of an object
<V3ClassName /> // internal class name of the data object (class DM)
</DataObjectMetaData>
...
<ArrayOfDataObjectMetaData>

The detailed structure of the specific data module

GET /Meta/{classname}

Structure of the response:

<DataObjectMetaData>
<Caption /> // displayed name
<ChildList /> // list of the itemized data object fields
<ClassName /> // classname – class name used in URL
<FieldList /> // list of scalar fields of the data object
<IsHeader /> // flag, if it is a header type of an object
<LinkList /> // list of data object link fields
<PrimaryKeyFieldList /> // field list of primary key
<SystemFields /> //field list, which is necessary to transmit to change existing data object
<V3ClassName /> // internal class name of the data object (class DM)
</DataObjectMetaData>

Elements of lists ChildList, FieldList, LinkList, PrimaryKeyFieldList and SystemFields are objects FieldMetaData:

<FieldMetaData>
<Caption /> // Header field
<Description /> // Description field
<Name /> // Field name
<FieldName /> // Field name for URL and designation in data
<V3FieldName /> // The appropriate field name in K2 (ProgName)
<ValueType /> // Type of field values, it can be: Date, Time, DateTime, Bitmap, Numeric
<IsRequired /> // Required fields to store
<IsReadOnly /> //The field is read only
<LinkClassName /> // Name (classname) of data object type coupling field
<LinkV3ClassName/> // The appropriate data module name of coupling field
<ChildClassName /> // Name (classname) of the item data object type
<ChildV3ClassName/> // The appropriate data module name of items
<KeyIndex /> // Order number field in primary key
<ItemURL /> // A reference to the definition of the corresponding type of data object, used for item and coupling field
</FieldMetaData>

Note: SystemFields collection is available from the K2.point version. It is necessary to load all fields stated in this collection and send them in a requirement to save the changes back when editing. API does not allow you to save the record without them.

Formation service

It serves for getting a list of the available scripts and reports and for their running.

All scripts and reports used across API must be modified to run on an application server K2 and marked as AS3Compatible. They also have to be placed in the database (Scripts, reports module), they can not be in the file system. They can also be assigned to a specific data module, over which it makes sense to run them.

The list of the available scripts and reports

GET /Formation?<optional parameters>

Parameters:

ClassName – without this parameter, a list of all scripts and reports is returned. If the parameter is specified, it returns only scripts and reports associated with that type of data object and scripts without that assignment.

Structure of the response:

<ArrayOfFormationId>
<FormationId> // descriptive object of the script
<DefinitionURL /> // URL address for a detail of a script/report definition
<FormationID /> // Name of a script/report file
<ItemURL /> // URL for running the script / report
<Name / > // Name of the script/report
</FormationId>
...
</ ArrayOfFormationId>

Running script or report without specifying data

In this type of startup script does not pass AktDM on, script with him can not work. If the script is returned to standard output parameters (those whose values were changed at runtime script) or PDF file when you run the report.

GET /Formation/{folder}/{name}/{ext}?<script parameters>

Parameters:

{folder} – directory name (Special/Standard)
{name} – name of a script/report file
{ext} – suffix (pas for scripts, am for reports)
<Script parameters> - in URL you can enter the parameters of the script in the shape parameter=value.
returnOutFileData – optional parameter for running reports and scripts returning file. If it is set on "true", binary data of a file will be returned directly in BulkData answer instead of the URL address to download the file.

Structure of the response:

<FormationOutput>
<URL /> // URL address of the output file
<Parameters> // values of output parameters
<Parameter>
<Name /> // Parameter name
<Value /> // Parameter value
</Parameter>
...
</Parameters>
</Parameters> <BulkData /> // output binary data
</FormationOutput>

Example:

http://localhost/WS136/xml/Formation/Standard/WkfWSProcDef/PAS?DefTypeAbbr=TEST – it runs the script ::\\DBNAME\Standard\WkfWSProcDef.PAS and sets the DefTypeAbbr parameter on "TEST" value to it.

Running the script when specifying the data

Unlike the previous one it enables to send the definition of the data, for which the report or script should be run, before starting it and it also enables to send the parameter values. Other behavior remains the same.

POST /Formation/{folder}/{name}/{ext}

Structure of the request body:

<FormationInput>
<Conditions /> // conditions of the selection (format as in URL address)
<CurrentPrimaryKey> // definition of the primary key of the record to run
<Segment>
<Name /> // data field name
< Value /> // data value
</ Segment>
</CurrentPrimaryKey>
<DOClassName /> // classname of a returned data object
<ORConditions /> // true - between conditions it is OR, false - AND
<Parameters> // values of the script parameters
<Parameter>
<Name /> // Parameter name
<Value /> // Parameter value
</Parameter>
</Parameters>
<PrimaryKeys> // list of primary keys of execution records
<PrimaryKey>
<Segment>
<Name />
<Value />
</ Segment>
</ PrimaryKey>
</PrimaryKeys>
<ReturnUrl /> // true - return the URL address of the output file (eg PDF with report output)
</ FormationInput>

Running the script with HTML result

It enables to run the script, which generates HTML page, and display this page in a browser.

GET /Formation/html/{folder}/{name}/pas

A comprehensive example of this Web service call shows the standard script Example 127 - generate HTML for the Web services K2.

Running the script or report and download output file

It allows to run the report or the script, that creates a file, and then download this file. Once the URL has been entered into the browser, the browser dialog to save/open the file will be displayed. In the case of a script, it is also possible to set the name of the downloaded file by using the SetOutFileName script procedure.

GET/POST /Formation/download/{folder}/{name}/{ext}

Eventual script parameters can be entered in the URL address (case of the GET method) or in the body of the POST request.

Example of a running script:

TestDownload program
info
Title = 'TestDownload';
As3Compatible = true;
end;
Modules
DM: TD_Job;
var
Exec: TAmExecutorNonVisual;
begin
DM.CreateDm;
DM.SetState(tfNormal, DM.PrimaryKey, False);
Exec := TAmExecutorNonVisual.Create;
try
Exec.AktDm := DM;
Exec.OpenCachedReport('TaskList.AM');
Exec.Execute;
Exec.ToExport('', 0, 9999, extyXLS, exdeToFile, prinPath + '\TasksList.xls');
SetOutFileName(prinPath + '\TasksList.xls');
finally
Exec.Free;
end;
end.

Treatment errors when working with web services

Errors that occur during deserialization body demands before calling the Web Service code treats .NET and returns a status BadRequest without give out further details of the error. This error is returned in html format.

Error, which occurred in the API code, eventually on the application server, is returned as a text answer in the format: [ErrorKind]ErrorText.

ErrorKind – The list that specifies the type of error:

AS3Message - it can occur when processing a report or a script
AS3Warning - it can occur when processing a report or a script
AS3Error- error occurs while the request by the application server is processed
AS3Terminated - it is a fatal error of application server, the relation under which the request was processed was terminated due to the termination of the application server or a network error between the application server and the database server.
RequestError – the error when API request is processed. The most frequently wrongly specified request (status BadRequest). Unauthorized status means a user authentication error.
CommunicationError – error in communication between API and application server.
UnknownError – unidentified error

ErrorText - detailed description of the error.

Example of calling of the special script

Example of the script

program PrikladWS(
ParamText {$DESC 'Input text parameter'}: string = '';';
ParamCislo {$DESC 'Input number parameter'}: integer = 0;
Outpu {$DESC 'Output parameter'}: string = ''
);

info
Title = 'Example WS'
AS3Compatible = true;
end;

Modules
TD_Part;

begin
begin Output:= 'Values were passed: ParamText=' + ParamText + ', ParamNumber=' + IntToStr(ParamNumber) + ', Output=' + Output;

if (AktDM is TD_Part) then begin
Output:= Output + ', AktDM=' + Trim(TD_Part(AktDM).Abbr1);
end;

WriteLn(DateTimeToStr(Now) + ': ' + Output);

end.

Script has to be saved in the database (the Script and reports book) as ExampleWS.pas. AS3Compatible has to be set on true in the info section. By the setting this parameter, a script writer confirms, that he verified the translatability and executable of the script on AS (ie.he removed all the script visual parts and script can run in a multithreaded environment AS).

This script inserts a text with the input values of all script parameters into the output parameter Output, and if the script is run over the partners data module, it adds an abbreviation of the current partner. The current date and time and the same text write on a standard output of a script (in a directory of the current K2 user, a text file K2Export.txt with this text will be created).

Example of calling by using the GET request

Only the values of the parameters of the scripts are passed on, ActDm is not set in a script

URL:

http://localhost/WS136/xml/Formation/Special/PrikladWS/pas?ParamText=aaa&ParamCislo=123

The resulting answer:

<FormationOutput xmlns="K2.Data" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Parameters>
<Parameter>
<Description/>
<Name>Output</Name>
<Value i:type="a:long" xmlns:a="http://www.w3.org/2001/XMLSchema">8495445311489</Value> ParamText=aaa, ParamCislo=123, Vystup=</Value>
</Parameter>
</Parameters>
</FormationOutput>

Example of calling by using the POST request

Settings ActDm on Partner with the number 5 and settings the parameters values.

URL:

http://localhost/WS136/xml/Formation/Special/PrikladWS/pas

HTTP header:

Content-Type: application/xml; charset=utf-8Content-Length:
Content-Length: 472

Body of a requirement:

<FormationInput xmlns="K2.Data" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:t="http://www.w3.org/2001/XMLSchema">
<CurrentPrimaryKey>
<Segment>
<Name>CisPart</Name>
<Value i:type="t:integer">5</Value>
</ Segment>
</CurrentPrimaryKey>
<DataObjectName>TD_Part</DataObjectName>
<Parameters>
<Parameter>
<Name>ParamText</Name>
<Value i:type="t:string">Entered text</Value>
</Parameter>
<Parameter>
<Name>ParamNum</Name>
<Value i:type="t:integer">12345</Value>
</Parameter>
</Parameters>
</ FormationInput>

Note: "Content-Type" has to be stated in the header, ie what data we send to API, and further, in the body, there the data type has to be specified for a value for all Name-Value pairs, so that API knows, on which data type it should convert the text from XML document, when deserialization.

The resulting answer:

<FormationOutput xmlns="K2.Data" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Parameters>
<Parameter>
<Description/>
<Name>Output</Name>
<Value i:type="a:long" xmlns:a="http://www.w3.org/2001/XMLSchema">8495445311489</Value> ParamText=Entered text, ParamNumber=12345, Output=, AktDM=DEMO TRADE</Value> </Parameter> </Parameters></FormationOutput>
</Parameter>
</Parameters>
</FormationOutput>

Authentication of K2 API requests

K2 server for web services can work in so called anonymous mode only for debugging the calling of services. In the production environment the authentication is always required. After installation API is standardly in thismode. Switching into anonymous mode is executed in the configuration file web.config in the installationdirectory of API by setting the parameter Anonymous = true.

For transmission and verification of the identity, it is necessary to set the standard HTTP Authorization header to {Username}:{HMACHash} in every request that is sent to API. {Username} is the user's username and {HMACHash } is a text string created by using HMAC MD5 algorithm. The key to hash is the user's password and the hashed message is the full URL address in the uncoded form (that is, without URL encoding of special characters) converted to uppercase. The resulting HMAC hash will be converted to the text by using base64 encoding.

You can alternatively pass on the hash directly in URL address by using "x-auth" parameter. In this case the whole URL of the request is built up, &x-auth= is attached to the end and the whole text shall beforwarded to the hash function. The result of the hash function is attached to the end of this text again.

Examples

Example of algorithm in Java language

public static String calcHMAC(String src, String password)
{
SecretKeySpec sk = new SecretKeySpec(password.getBytes(), "HmacMD5");
Mac mac = Mac.getInstance("HmacMD5");
mac.init(sk);
byte[] result = mac.doFinal(URLDecoder.decode(src, "UTF8").toUpperCase().getBytes());
return Base64.encodeToString(result, Base64.NO_WRAP);
}

Example of algorithm in C# language

public static String calcHMAC(String src, String password)
{
byte[] secretBytes = Encoding.UTF8.GetBytes(password);
HMACMD5 hmac = new HMACMD5(secretBytes);
byte[] dataBytes = Encoding.UTF8.GetBytes(Uri.UnescapeDataString(src).ToUpper());
byte[] computedHash = hmac.ComputeHash(dataBytes);
return Convert.ToBase64String(computedHash);
}

Example of algorithm in Go nguage

func getAuthHeader(source_url string, username string, password string) string { // 1. initialize hmac encoder, key is password hmacEncoder := hmac.New(md5.New, []byte(password))

// 2. url decode & convert to uppercase urlDecoded, _ := url.QueryUnescape(source_url) upperFullURL := strings.ToUpper(urlDecoded)

// 3. hmac encode hmac encoder hmacEncoder.Write([]byte(upperFullURL)) hmacHash:= base64.StdEncoding.EncodeToString(hmacEncoder.Sum(nil))

return username + ":" + hmacHash

}

Example in K2 script

function CalcHMAC(ASrc, APassword: string): string;
begin
if not CreateHMacMD5HashBase64(AnsiUpperCase(HTTPDecode(ASrc)), APassword, Result) then
Result:= ' ';
end;

Example of algorithm in K2 script for entering hash directly in URL

function AppendAuthorizationHeader(aURL: string; aUsername: string; aPassword: string): string;
var
lHash: string;
begin
Result := aUrl;
if (Pos('?', aURL)=0) then
aURL := aURL + '?x-auth='
else
aURL := aURL + '&x-auth=';

if CreateHMacMD5HashBase64(AnsiUpperCase(aURL), aPassword, lHash) then

Result:= aURL + HTTPEncode(aUsername + ':' + lHash);

end;

Advanced API configuration

All configuration of SWS is done using the common IIS configuration file - web.config. In addition to the specific K2 API settings (e.g. information about the application server, logging settings), additional settings of IIS and WCF services are included.

Set the request size limit, or the maximum length of the URL address

In the case of sending large data using POST or PUT request to API, you may encounter the limit to the maximum request size that is applied by the default IIS settings. This limitation is manifested so that the API starts respond with error messages with the code 4xx, such as 400 Not found or 413 Entity too large. API from the version K2 move.02 contains the default settings of the maximum size of the received data to 50MB. This setting can be changed in the configuration file at the following locations:

httpRuntime.maxRequestLength in the section system.web - general setting of maximum http request size. The value is reported in kB.
requestLimits.maxAllowedContentLength in the section system.webServer/security/requestFiltering - setting of the IIS module "Request Filtering". With this parameter, it is possible to set the maximum size of the request body. The value is reported in kB.
Value is reported in bytes.Element <requestLimits> also has other attributes, e.g. maxQueryString or maxUrl, that can affect the maximum length of the parameters in the URL address, resp. the full URL address.
binding.maxReceivedMessageSize - the size of the received message for a specific "binding" service.
The value is again reported in bytes.The <binding> element occurs multiple times in the configuration file (for HTTP and HTTPS communication), and it is usually necessary to set it in all places.
Element <readerQuotas> for binding - can be used when sending overly complicated data (e.g. many nested XML/JSON levels, long text values of XML elements)

"Binding" configuration

The standard configuration file lists the following bindings for all API modes:

UnsecureBinding - binding for REST API via unsecured http protocol. If not specified, the http protocol will not be supported.
ssl - binding for REST API via secure https protocol. If not specified, the https protocol will not be supported.
wsUnsecure, wsssl - for SOAP v1.2 interface of Formation service
basicUnsecure, basicssl - for SOAP v1.1 interface of Formation service