Soap web service basic authentication
Question

I have an exposed soap web service that should use basic authentication to validate the caller. I implemented the validation logic as follows:

  1. Get 'Authorization' header value of the request.
  2. Extract user name and password.
  3. Validate them against the stored credentials.

I tried to consume the web service from another OutSystems application and set 'Authentication Type' to 'Basic' and set Username & Password.

The problem is that the authorization header is always empty. Any idea?

So I did some quick testing myself, and it seems that OutSystems behaves as a non-preemptive client. In other words, it will only send the credentials when requested by the server. According to RFC 7617, The 'Basic' HTTP Authentication Scheme, Section 2:

    Upon receipt of a request for a URI within the protection space that
    lacks credentials, the server can reply with a challenge using the
    401 (Unauthorized) status code ([RFC7235], Section 3.1) and the
    WWW-Authenticate header field ([RFC7235], Section 4.1).

So the exposed web service should check for the Authorization header. When it is not present, it should send a response with HTTP status code 401 and the WWW-Authenticate header.

After the OutSystems consumer receives this response, it will call the service again, but this time with the credentials in the Authorization header.

Below is an example.
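The following is an added example, written for this page in Python; it is not code from the thread and not OutSystems code. It covers both the three validation steps listed in the question (read the Authorization header, extract user name and password, validate them against stored credentials) and the challenge flow described in this answer: a server that answers a request without usable credentials with 401 plus WWW-Authenticate, and a client that, like the non-preemptive OutSystems consumer, only sends credentials after being challenged. The realm name, the credential store, the salt and iteration count, and the sample user are all constructed values.

```python
import base64
import hashlib
import hmac

# Hypothetical realm name for the WWW-Authenticate challenge (constructed, not from the page).
REALM = "exposed-soap-service"

# Constructed credential store: usernames map to salted PBKDF2 hashes, so the
# plaintext password is never stored. Salt and iteration count are sample values.
_SALT = b"constructed-sample-salt"
_ITERATIONS = 20_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


CREDENTIALS = {"basem": _hash_password("s3cret")}  # constructed sample user


def build_basic_header(user: str, password: str) -> str:
    """Encode credentials the way a Basic-auth client does (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Steps 1-2 from the question: take the Authorization value, return (user, password) or None.

    None is returned for a missing header, a non-Basic scheme, bad base64, or a
    payload without the mandatory ':' separator, so the caller challenges instead of guessing.
    """
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # user-id cannot contain ':', the password may
    return user, password


def credentials_valid(user: str, password: str) -> bool:
    """Step 3: compare against the stored hash in constant time."""
    candidate = _hash_password(password)
    expected = CREDENTIALS.get(user)
    if expected is None:
        # Compare anyway so an unknown user costs the same time as a known one.
        hmac.compare_digest(candidate, candidate)
        return False
    return hmac.compare_digest(candidate, expected)


def handle_request(headers: dict):
    """Server side. Returns (status, response_headers, body) for one request."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic_auth(lowered.get("authorization"))
    if creds is None:
        # No usable credentials: challenge, so a non-preemptive client resends with them.
        return 401, challenge, ""
    user, password = creds
    if not credentials_valid(user, password):
        return 401, challenge, ""
    return 200, {"Content-Type": "text/xml; charset=utf-8"}, "<soap:Envelope/>"


def non_preemptive_client(user: str, password: str):
    """Client side, behaving like the OutSystems consumer described in the thread:
    the first request carries no credentials; they are sent only after a Basic challenge.
    Returns the list of (attempt, status) pairs observed."""
    exchange = []
    status, resp_headers, _ = handle_request({})
    exchange.append(("no-auth", status))
    www_auth = resp_headers.get("WWW-Authenticate", "")
    if status == 401 and www_auth.lower().startswith("basic"):
        status, _, _ = handle_request({"Authorization": build_basic_header(user, password)})
        exchange.append(("with-auth", status))
    return exchange


if __name__ == "__main__":
    print(non_preemptive_client("basem", "s3cret"))  # [('no-auth', 401), ('with-auth', 200)]
    print(non_preemptive_client("basem", "wrong"))   # [('no-auth', 401), ('with-auth', 401)]
```

The server returns the same 401 challenge for a missing header, a malformed header and a wrong password, so a caller cannot tell from the status alone which of the three happened; the constant-time comparison and the dummy hash for unknown users keep the response time from leaking whether the user name exists. If the service only checked the header and returned a plain 400 or 500 when it was absent, a non-preemptive client would never resend, which is the symptom reported in the question.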

Hi Basem,

In the consumer web service, did you use SetWebReferenceCredentials to set your credentials?

Look at the following example:

https://success.outsystems.com/Documentation/How-to_Guides/Integrations/How_to_call_a_SOAP_web_service_with_authentication


Regards,

Sam A.

Samuel Anjos wrote:

Hi Basem,

In the consumer web service, did you use SetWebReferenceCredentials to set your credentials?

Look at the following example:

https://success.outsystems.com/Documentation/How-to_Guides/Integrations/How_to_call_a_SOAP_web_service_with_authentication


Regards,

Sam A.


No, I didn't use SetWebReferenceCredentials because it is deprecated in OutSystems 11, according to the following link:

https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/EnhancedWebReferences_API

Could you call the service you exposed with OutSystems with a tool like Postman or SoapUI and share a screenshot of the request headers?

Can you also log the HTTP header that OutSystems receives?

This should be working, because I’ve recently implemented the same. I would expect that the header is not sent to the server.

Are you using preemptive or non-preemptive basic authentication on the client/consumer side?

Kilian Croese wrote:

Could you call the service you exposed with OutSystems with a tool like Postman or SoapUI and share a screenshot of the request headers?

Can you also log the HTTP header that OutSystems receives?

This should be working, because I’ve recently implemented the same. I would expect that the header is not sent to the server.

Are you using preemptive or non-preemptive basic authentication on the client/consumer side?


You are totally right, and that is exactly my question. The Authorization header is not sent from the consumer application even when setting the credentials as in the attached screenshot.

When I added the Authorization header manually, it works fine, but when using the built-in authentication as in the above picture, the header is not added at all.

And regarding preemptive authentication, I don't know how to use it in OutSystems. According to my knowledge, preemptive authentication is used on the consumer side. But is there a way to make the exposed SOAP web service ask for basic authentication?

Kilian Croese wrote:

So I did some quick testing myself, and it seems that OutSystems behaves as a non-preemptive client. In other words, it will only send the credentials when requested by the server. According to RFC 7617, The 'Basic' HTTP Authentication Scheme, Section 2:

    Upon receipt of a request for a URI within the protection space that
    lacks credentials, the server can reply with a challenge using the
    401 (Unauthorized) status code ([RFC7235], Section 3.1) and the
    WWW-Authenticate header field ([RFC7235], Section 4.1).

So the exposed web service should check for the Authorization header. When it is not present, it should send a response with HTTP status code 401 and the WWW-Authenticate header.

After the OutSystems consumer receives this response, it will call the service again, but this time with the credentials in the Authorization header.

Below is an example.

Again, that's how I have already implemented the web service.

Anyway, thanks for the detailed clarification.
