Providing credentials in HTTP requests

Use a security profile to configure HTTPRequest and SOAPRequest nodes to authenticate with a remote server.

About this task

Basic authentication is a common extension in the HTTP protocol that allows a client to provide identity information to a remote web server in the form of a username and password that are sent in the HTTP header data. Security profiles in IBM® Integration Bus provide a way for message flow designers to provide these credentials without building the HTTP headers in a Compute node.

The identity that is to be propagated in the HTTP request can be provided in any of the following ways:
  • If identity propagation is enabled for the selected security profile, the HTTPRequest and SOAPRequest nodes automatically pick up username and password credentials, if present, from the Properties tree. This setting is enabled for the predefined Default Propagation security profile. For more information, see Configuring a message flow for identity propagation.
  • If your integration node runs on Windows, you can choose to use additional protocols to pass identity information with the HTTP request, which avoids passing the username and password in clear text. The identity that is used is obtained from the Properties tree in the same way as basic authentication. These protocols include NT LAN Manager (NTLM), Kerberos, and Simple and Protected Negotiation (SPNEGO), collectively known as Integrated Windows Authentication (IWA), and are controlled at the integration server level. For more information, see Providing credentials for outbound requests by using IWA.
  • You can configure a static username and password identity to be used, by specifying the credentials on the mqsisetdbparms command. For more information, see Providing the identity to propagate.
Note: By default, the credentials are placed in the HTTP request only in response to a 401 challenge response from the server. The response includes a list of authentication mechanisms that are supported by the remote server that is providing the requested service. The integration server selects the highest-level authentication protocol from this list of authentication mechanisms based on the set of protocols that it supports. Nodes then use this protocol for the connection. You can configure the supported protocol by using the allowedAuthTypes property of the ComIbmSocketConnectionManager object. You can configure the nodes to send credentials pre-emptively by setting the preemptiveAuthType property. For examples of how to set these properties, see Providing credentials for outbound requests by using IWA.

To enable basic authentication, select an appropriate security profile for the output node or the message flow in the BAR file editor. The credentials are picked up from the following Properties tree locations if set:

Properties.IdentityMappedType
Properties.IdentityMappedToken
Properties.IdentityMappedPassword

If the mapped identity fields are not set, the credentials are picked up from the following Properties tree locations:

Properties.IdentitySourceType
Properties.IdentitySourceToken
Properties.IdentitySourcePassword

Basic authentication requires both a username and a password, so the appropriate Type field must be set to the string usernameAndPassword. For example:

SET OutputRoot.Properties.IdentitySourceType = 'usernameAndPassword';
SET OutputRoot.Properties.IdentitySourceToken = 'myUser';
SET OutputRoot.Properties.IdentitySourcePassword = 'myPassw0rd';
SET OutputRoot.Properties.IdentitySourceIssuedBy = 'myDomain';

These fields are interpreted by a subsequent HTTPRequest or SOAPRequest node and converted into a basic authentication HTTP header.
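
The lookup order and header conversion described above, modelled in Python as an added example; this is not IBM Integration Bus code. The function names, the rule that a field set counts as set when its Type field is non-empty, and the sample values are assumptions. The last function shows that the header is only Base64-encoded, so the connection to the remote server needs TLS to protect it.

```python
import base64

# Constructed sample Properties tree values, same shape as the ESQL example above.
SAMPLE_PROPERTIES = {
    "IdentitySourceType": "usernameAndPassword",
    "IdentitySourceToken": "myUser",
    "IdentitySourcePassword": "myPassw0rd",
}


def select_identity(props):
    """Pick (token, password): mapped fields first, then source fields."""
    for prefix in ("IdentityMapped", "IdentitySource"):
        id_type = props.get(prefix + "Type")
        if not id_type:
            continue  # assumption: an empty Type means this field set is not set
        if id_type != "usernameAndPassword":
            return None  # basic authentication needs both username and password
        token = props.get(prefix + "Token")
        password = props.get(prefix + "Password")
        if not token or password is None:
            return None
        return token, password
    return None


def basic_auth_header(props):
    """Build the Authorization header value (RFC 7617), or None if no identity applies."""
    identity = select_identity(props)
    if identity is None:
        return None
    token, password = identity
    if ":" in token:
        raise ValueError("RFC 7617 does not allow ':' in the user-id")
    raw = f"{token}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Reverse the encoding; anyone who can read the header recovers the password."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password
```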

You can also propagate credentials from an input message by setting a security profile that includes propagation on an input node, and then using the input node properties Identity token type, Identity token location, and Identity password location. These three properties take an XPath expression that specifies the location in the input message from which to retrieve the appropriate token or password. When configured correctly, these properties place the identity information in the Properties.IdentitySourceType, Properties.IdentitySourceToken, and Properties.IdentitySourcePassword fields. HTTPRequest or SOAPRequest nodes then use these values directly, with an appropriate security policy.

You can override the configuration of the security profile by selecting the build option Override configurable property values in the BAR file editor.