Authentication
HTTP basic authentication support is provided by comparing the request authentication contents against an authentication password file supplied during configuration. We recommend that you only use this if you also have TLS enabled. For more complex use cases, webMethods Integration Server should be used.
If you are using HTTP basic authentication, you must provide a valid authentication password file using the allowedUsersFile configuration option.
This password file expected by the HTTP server for HTTP basic authentication is compatible with the output of Apache's htpasswd -B. There is also a bundled application called httpserver_passman which can create and update password files. You can find the executable for this tool in the bin folder of your Apama installation. The syntax for this is:
httpserver_passman password_file [options] username [password]
If you only provide a username and no password, then the password is prompted for interactively. This adds the specified user with the given password, or replaces the password if the user already exists in the password file.
The options are:
Option | Description |
-h | --help | Displays usage information. |
-c | --createNew | Creates a new file and overwrites anything currently there. |
-D | --delete | Deletes the given user, rather than updating or adding the user. |
-- | Does not treat subsequent arguments as options. Thus, it is possible to enter a username that starts with one or two minus signs. |
If HTTP basic authentication is enabled, then the authorization header is removed from metadata.http.headers, but in this case the user name is still available in metadata.http.user. If authorization is none, then the authorization type is passed through verbatim.
Note: Enabling authentication significantly reduces the maximum achievable throughput on a single connection since HTTP_BASIC requires verifying credentials on every request. It is not suitable for high-throughput applications.