Action: Require HTTP Basic Authentication
This action uses HTTP Basic authentication to verify the consumer's authentication credentials contained in the request's Authorization header. CloudStreams authorizes the credentials against the list of users registered in the Integration Server on which CloudStreams is running. This type of consumer authentication is referred to as preemptive authentication. If you want to perform preemptive authentication, a policy that includes this action must also include the Identify Consumer action. This action supports WS-SecurityPolicy 1.2.
If the user/password value in the Authorization header cannot be authenticated as a valid Integration Server user (or if the Authorization header is not present in the request), a 500 SOAP fault is returned, and the client is presented with a security challenge. If the client successfully responds to the challenge, the user is authenticated. This type of consumer authentication is referred to as non-preemptive authentication. If the client does not successfully respond to the challenge, a 401 WWW-Authenticate: Basic response is returned and the invocation is not routed to the policy engine. As a result, no events are recorded for that invocation, and its key performance indicator (KPI) data are not included in the performance metrics
If you choose to omit the Require HTTP Basic Authentication action (regardless of whether an Authorization header is present in the request or not), then:
CloudStreams forwards the request to the native service, without attempting to authenticate the request.
The native service returns a 401
WWW-Authenticate: Basic response, which
CloudStreams will forward to the client; the client is presented with a security challenge. If the client successfully responds to the challenge, the user is authenticated.
In the case where a consumer is sending a request with both transport credentials (HTTP basic authentication) and message credentials (WSS username or X.509 token), the message credentials take precedence over the transport credentials when
Integration Server is determining which credentials it should use for the session. For more information, see
Action: Require WSS Username, and
Action: Require X.509 Token. In addition, you must ensure that the service consumer that connects to the virtual service has an
Integration Server user account.
To set the Require HTTP Basic Authentication action parameter
1. In the CloudStreams Governance view, click the policy name.
2. In the policy editor on the right side of the page, double-click Require HTTP Basic Authentication in the Applied Actions list, and set the following action parameter.
Authenticate Credentials
Authorizes consumers against the list of users registered in the Integration Server on which CloudStreams is running. If you select this option, you must also include the Identify Consumer action in the policy.
Related Topics