I have an exposed SOAP web service that should use basic authentication to validate the caller. I implemented the validation logic as follows:
I tried to consume the web service from another OutSystems application and set 'Authentication Type' to 'Basic' and set Username & Password.
The problem is that the authorization header is always empty. Any idea?
So I did some quick testing myself, and it seems that OutSystems behaves as a non-preemptive client. In other words, it will only send the credentials when requested by the server. According to RFC 7617: The 'Basic' HTTP Authentication Scheme section 2:
Upon receipt of a request for a URI within the protection space that lacks credentials, the server can reply with a challenge using the 401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW-Authenticate header field ([RFC7235], Section 4.1).
So the exposed webservice should check for the Authorization header. When not present it should send a response with an HTTP status code 401 and the WWW-Authenticate header.
After the OutSystems consumer receives this response, it will call the service again, but this time with the credentials in the Authorization header.
Below is an example.
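The challenge-then-retry exchange described in the answer above, as an added example that is not part of the original post and is not OutSystems code: a Python sketch of the server-side check and of a non-preemptive consumer. The realm, the credentials and all function names are assumptions made for illustration.

```python
import base64
import binascii
import hmac

REALM = "soap-service"                          # assumed realm name
EXPECTED = ("svc-consumer", "s3cret-example")   # constructed sample credentials

def challenge():
    """401 plus WWW-Authenticate: the response that makes a non-preemptive client retry."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}

def parse_basic(header_value):
    """Return (user, password) from an Authorization value, or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def handle_request(headers):
    """Decide the (status, response headers) for one request given its header dict."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic(auth) if auth else None
    if creds is None:
        return challenge()  # header absent (first call of the consumer) or malformed
    # Constant-time comparison; both checks always run so timing does not show which failed.
    user_ok = hmac.compare_digest(creds[0].encode(), EXPECTED[0].encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), EXPECTED[1].encode())
    return (200, {}) if user_ok and pass_ok else challenge()

def non_preemptive_call(user, password):
    """Simulate the consumer: send without credentials, retry only after a Basic challenge."""
    status, resp_headers = handle_request({})
    statuses = [status]
    if status == 401 and resp_headers.get("WWW-Authenticate", "").lower().startswith("basic"):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        statuses.append(handle_request({"Authorization": f"Basic {token}"})[0])
    return statuses
```

If the service returns anything other than the 401 challenge when the header is missing (for example a SOAP fault with status 500), the consumer in this sketch never sends its credentials, which matches the empty-header symptom in the question.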
Hi Basem,
In the consumer web service, did you use SetWebReferenceCredentials to set your credentials?
Look at the following example:
https://success.outsystems.com/Documentation/How-to_Guides/Integrations/How_to_call_a_SOAP_web_service_with_authentication
Regards,
Sam A.
Samuel Anjos wrote:
No I didn't use SetWebReferenceCredentials because it is deprecated in OutSystems 11 according to the following link:
https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/EnhancedWebReferences_API
Could you call the service you exposed with OutSystems with a tool like Postman or SoapUI and share a screenshot of the request headers?
Can you also log the HTTP header that OutSystems receives?
This should be working, because I’ve recently implemented the same. I would expect that the header is not sent to the server.
Are you using preemptive or non-preemptive basic authentication on the client/consumer side?
Kilian Croese wrote:
You are totally right and that is exactly my question. The authorization header is not sent from the consumer application even when setting the credential as in the attached screenshot.
When I added the Authorization header manually it works fine but when using the built-in authentication as in the above picture the header is not added at all.
And regarding preemptive, I don't know how to use it in OutSystems. According to my knowledge, preemptive is used from the consumer side. But is there a way to make the exposed SOAP web service ask for basic authentication?
Again that's how I have already implemented the web service.
Anyway thanks for the detailed clarification.