Securing a REST API by using HTTP Basic Authentication

Authenticate HTTP clients that want to call a REST API by enabling HTTP Basic Authentication.

Before you begin

You must create a REST API in the IBM® Integration Toolkit; see Creating a REST API.

About this task

You can authenticate HTTP clients that want to call a REST API by enabling HTTP Basic Authentication. IBM Integration Bus supports several authentication providers that can be used for this purpose, including Lightweight Directory Access Protocol (LDAP), any WS-Trust V1.3 compliant Security Token Service (STS), and Tivoli® Federated Identity Manager.

Procedure

To enable HTTP Basic Authentication for a REST API by using Lightweight Directory Access Protocol (LDAP), any WS-Trust V1.3 compliant Security Token Service (STS), or Tivoli Federated Identity Manager, complete the following steps:

  1. Create a security profile that you can use for authentication; see Creating a security profile for LDAP, Creating a security profile for WS-Trust V1.3 (TFIM V6.2), and Creating a security profile for TFIM V6.1.
  2. Configure the security profile that you created in the previous step on the REST API:
    1. In the BAR file editor, open the BAR file that contains the REST API.
    2. Click the Manage tab.
    3. Locate the automatically generated message flow in the REST API.
      The automatically generated message flow is named gen/<name_of_REST API>, where <name_of_REST API> is the name of the REST API.
    4. In the Properties view for the automatically generated message flow, in the Security Profile Name field, specify the name of the security profile that you created in the previous step. Save the BAR file.
  3. Deploy the BAR file to an integration server.
    HTTP clients that want to call the REST API must provide a user name and password. If authentication information is not supplied by the HTTP client, or authentication fails, an HTTP 401 Unauthorized status code is returned to the client.
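
A post-deployment check of the behavior described in step 3, added here as an example and not part of the IBM documentation: it confirms that a deployed operation returns 401 when credentials are missing or wrong, and accepts valid ones. The function names, the injectable `fetch` parameter, and the command-line usage are assumptions of this example.

```python
import base64
import urllib.error
import urllib.request


def basic_header(user, password):
    """Authorization header value for HTTP Basic: base64 of 'user:password'."""
    if ":" in user:
        raise ValueError("a Basic user name cannot contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def http_status(url, headers):
    """GET the URL and return the status code, including 4xx/5xx responses."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def check_basic_auth(url, user, password, fetch=http_status):
    """Return (check, status, passed) rows for a deployed REST API operation."""
    # Basic credentials are encoded, not encrypted, so cleartext HTTP exposes them.
    rows = [("HTTPS transport", None, url.lower().startswith("https://"))]
    probes = [
        ("no credentials", {}, True),
        # Counts as one failed login at the authentication provider.
        ("wrong password", {"Authorization": basic_header(user, password + "-x")}, True),
        ("valid credentials", {"Authorization": basic_header(user, password)}, False),
    ]
    for name, headers, expect_401 in probes:
        status = fetch(url, headers)
        rows.append((name, status, (status == 401) == expect_401))
    return rows


if __name__ == "__main__":
    import getpass
    import sys

    # Usage (assumed for this example): python check_auth.py <operation URL> <user>
    api_url, api_user = sys.argv[1], sys.argv[2]
    for check, status, passed in check_basic_auth(api_url, api_user, getpass.getpass()):
        print(f"{'PASS' if passed else 'FAIL'}  {check}: {status}")
```

A FAIL on the first two probes means the security profile is not being applied to the generated message flow; a FAIL on the transport row means the user name and password cross the network in recoverable form.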

Results

You have secured a REST API by using HTTP Basic Authentication.

What to do next

You must package and deploy your REST API to an integration server; see Packaging and deploying a REST API.
You can also complete the following optional tasks: