Solved
Soap web service basic authentication
Question

I have an exposed SOAP web service that should use basic authentication to validate the caller. I implemented the validation logic as follows:

  1. Get 'Authorization' header value of the request.
  2. Extract user name and password.
  3. Validate them against the stored credentials.

I tried to consume the web service from another OutSystems application and set 'Authentication Type' to 'Basic' and set Username & Password.

The problem is that the authorization header is always empty. Any idea?

Rank: #1276
Solution

So I did some quick testing myself, and it seems that OutSystems behaves as a non-preemptive client. In other words, it will only send the credentials when requested by the server. According to RFC 7617 (The 'Basic' HTTP Authentication Scheme), section 2:

    Upon receipt of a request for a URI within the protection space that lacks credentials, the server can reply with a challenge using the 401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW-Authenticate header field ([RFC7235], Section 4.1).

So the exposed web service should check for the Authorization header. When it is not present, it should send a response with HTTP status code 401 and the WWW-Authenticate header.

After the OutSystems consumer receives this response, it will call the service again, but this time with the credentials in the Authorization header.

Below is an example.
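The challenge and retry described above, as an added example that is not from the original post or from OutSystems: a server-side handler that parses the Authorization header and answers 401 with WWW-Authenticate when credentials are absent, malformed or wrong, plus a client that behaves non-preemptively like the OutSystems consumer. The credential store, realm and function names are assumed for the demo.

```python
import base64
import hmac

# Constructed credential store and realm for the demo; a real service would
# read these from its own configuration (names assumed).
STORED_CREDENTIALS = {"svc_user": "s3cret-pw"}
REALM = "exposed-soap-service"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def parse_basic_auth(header_value):
    """Return (user, password) from an Authorization header value, else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:  # reject alphabet/padding errors instead of crashing the service
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    user, sep, password = decoded.partition(":")  # RFC 7617: user-id ":" password
    return (user, password) if sep else None


def credentials_valid(user, password):
    """compare_digest avoids leaking how much of the password matched."""
    expected = STORED_CREDENTIALS.get(user, "")
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())


def handle_request(headers):
    """Server side: return (status, response_headers, body) for one request."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        # Missing or malformed credentials: send the 401 challenge so a
        # non-preemptive client (the OutSystems consumer) retries with them.
        return 401, dict(CHALLENGE), ""
    if not credentials_valid(*creds):
        return 401, dict(CHALLENGE), ""
    return 200, {}, "<soap:Envelope/>"


def non_preemptive_call(user, password):
    """Client side: first request carries no credentials; retry once on 401."""
    status, resp_headers, _ = handle_request({})
    if status == 401 and resp_headers.get("WWW-Authenticate", "").lower().startswith("basic"):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, _, _ = handle_request({"Authorization": f"Basic {token}"})
    return status
```

Logging the status of the first call on the server side is a quick way to confirm that a consumer is non-preemptive: the first request shows up without an Authorization header and the second one with it.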

Rank: #11956

Hi Basem,

In the consumer web service, did you use SetWebReferenceCredentials to set your credentials?

Look at the following example:

https://success.outsystems.com/Documentation/How-to_Guides/Integrations/How_to_call_a_SOAP_web_service_with_authentication


Regards,

Sam A.

Rank: #1276

Could you call the service you exposed with OutSystems with a tool like Postman or SoapUI and share a screenshot of the request headers?

Can you also log the HTTP header that OutSystems receives?

This should be working, because I've recently implemented the same. I would expect that the header is not sent to the server.

Are you using preemptive or non-preemptive basic authentication on the client/consumer side?