Evaluate HTTP Basic Authentication Action

1. INTRODUCTION

2. PRE-REQUISITE

3. Summary

4. CONFIGURATIONS

    4.1. Create a Consumer Application with Identification token

    4.2. Create a virtual alias with Evaluate HTTP basic authentication action

    4.3. Configure Evaluate HTTP basic authentication policy in CentraSite

5. DEPLOY AND VALIDATE THE DEPLOYMENT

6. EXECUTION AND VERIFICATION OF VIRTUAL SERVICE RUNTIME INVOCATION

7. TROUBLESHOOTING WITH EVALUATE HTTP BASIC AUTHENTICATION ACTION


1. INTRODUCTION

This tutorial will explain the configuration and usage of the runtime action "Evaluate HTTP Basic Authentication Action" using CentraSite and webMethods Mediator.

NOTE

When the client needs to send the server authentication credentials it may use the Authorization header.

The Authorization header value is constructed as follows:

  • The username and password are combined into a single string, "username:password".
  • That string is Base64-encoded (the RFC 2045 MIME variant of Base64, except that it is not broken into lines of 76 characters).
  • The authorization scheme and a space, i.e. "Basic ", are placed before the encoded string.

The Evaluate HTTP Basic Authentication runtime policy enforcement helps with the following:

  • Identifying the consumer application that makes the request to the virtual service, based on its HTTP Basic Authentication credentials, when an identify option is turned on
  • Validating the HTTP Basic Authentication credentials against the set of global or pre-registered consumer applications deployed to wM Mediator

2. PRE-REQUISITE

  • Knowledge of the basics of the wM Mediator runtime, CentraSite and HTTP Basic Authentication (BA).
  • A wM Mediator target should be created in CentraSite.
  • CentraSite configuration should be done in wM Mediator in order to verify the result.

3. Summary

Steps involved when using the Evaluate HTTP Basic Authentication (BA) action in CentraSite and wM Mediator:

  1. Create a Consumer Application (e.g. MyBasicAuthConsumers) with one or more Identification token(s) and deploy it to wM Mediator.
  2. Create a virtual alias (e.g. VS_EchoWS_BasicAuth) in BusinessUI.
  3. Configure the virtual alias with the Evaluate HTTP Basic Authentication action for policy enforcement.
  4. Deploy the virtual alias (e.g. VS_EchoWS_BasicAuth) to wM Mediator.
  5. Invoke the virtual service deployed in wM Mediator using a SOAP client (e.g. SOAPUI).

4. CONFIGURATIONS

4.1. Create a Consumer Application with Identification token

  1. Login to CentraSite Control UI and create an asset of type "Application".
  2. Choose "Identification token" as the identifier and set the attribute value(s) to the token(s), e.g. "Administrator", "DeveloperJava", "...".
  3. Navigate to Operations -> Deployment and open the "Deploy Consumers" tab in CentraSite. Select the target(s).
  4. Invoke "Synchronize" to deploy the Consumer Application to wM Mediator.
  5. Confirm that the status is success.
    Users can now enforce the restriction of allowing only these consumer applications, or identify the calling applications, for virtual services in wM Mediator using the Evaluate HTTP Basic Authentication policy.
  6. Verify the deployed consumer application (e.g. MyBasicAuthConsumers) with the expected attribute in wM Mediator.

    1. Open the wM Mediator page, http://<hostname>:5555/WmMediator, and click on the "Consumers" link.

Look for the deployed Consumer Application in the list shown on that page.

4.2. Create a virtual alias with Evaluate HTTP basic authentication action

Perform the following steps to create a virtual alias with the Evaluate HTTP Basic Authentication policy:

  1. Login to BusinessUI.
  2. Open the service details page of the service that needs to be virtualized.
  3. Click on the "Virtualize" action to get the virtualization wizard screen. Provide the alias name (e.g. VS_EchoWS_BasicAuth) in the "Create a New Virtual Alias" input box.
  4. Select an endpoint from the list of "Endpoints of <service name> to Virtualize" and click "Next".

4.3. Configure Evaluate HTTP basic authentication policy in CentraSite

  1. Navigate to the "Policy Enforcement" heading -> "Security" -> drag & drop the "Evaluate HTTP Basic Authentication" action into the "Enforce" message flow.
  2. Click on the configure icon; the icon appears when you hover over the "Evaluate HTTP Basic Authentication" text in the message flow.
  3. Select one of the following options to identify the consumer(s):

    1. "Global Consumers" (relax) - wM Mediator will try to verify the token (sec. 4.1.6) against the list of all global consumers available in the Mediator.
    2. "Registered Consumers" (strict) - wM Mediator will try to verify the token (sec. 4.1.6) against the list of consumer applications that are registered as consumers of this specific API.
    3. "Do not identify" (donotidentify) - wM Mediator will not identify the consumer(s). Anonymous access is allowed for this specific API.

    Note

    Do not identify – Does not identify the consumer; nevertheless it evaluates the value present in the header and the request is sent to the native service.
    This policy will fail if the expected value(s) is not present in the request header.

  4. Authenticate User - If this option is selected, wM Mediator will identify and authenticate the user being carried in the HTTP Basic Authentication header.

Optional step: apply the Log Invocation policy to the virtual service and select CentraSite as the destination for the log data.
This step is required only to generate and validate the events.

  5. Click "Virtualize" to complete the virtualization of the service.
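As an added example (not part of this tutorial and not Software AG code), the following Python models two things from this page: the construction of the Basic Authorization header described in the Introduction, and the identify options just listed (Global Consumers, Registered Consumers, Do not identify) together with the Authenticate User flag. The consumer applications, the registered-consumer list and the credential store are constructed test data; the sample credentials Administrator:manage and SENTHIL:manage are the ones that appear later in this tutorial.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the consumer applications deployed to wM Mediator (sec. 4.1):
# application name -> identification tokens (the usernames carried in the Authorization header).
GLOBAL_CONSUMERS: Dict[str, List[str]] = {
    "MyBasicAuthConsumers": ["Administrator", "DeveloperJava"],
    "OtherConsumers": ["SENTHIL"],   # constructed: a global consumer not registered for our API
}
# Constructed: consumer applications registered for a specific virtual service (the "strict" list).
REGISTERED_CONSUMERS: Dict[str, List[str]] = {"VS_EchoWS_BasicAuth": ["MyBasicAuthConsumers"]}
# Constructed credential store, consulted only when "Authenticate User" (validate="true") is on.
USER_STORE: Dict[str, str] = {"Administrator": "manage", "DeveloperJava": "manage", "SENTHIL": "manage"}

NOT_IDENTIFIED = "Consumer could not be identified. Anonymous access is not allowed for this service!"


def build_basic_header(username: str, password: str) -> str:
    """Build the header value as described in the Introduction: "Basic " + base64("username:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header value, or None when the header is
    missing, uses another scheme, is not valid Base64, or lacks the ':' separator."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")   # a password may itself contain ':'
    return username, password


def evaluate(headers: Dict[str, str], api: str, identify: str, validate: bool) -> Dict[str, object]:
    """Model the action's identify options (relax / strict / donotidentify) and the Authenticate User
    flag. Returns {"consumer": name or None, "allowed": bool, "error": message or None}."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        # No usable credentials: the policy fails under every option (troubleshooting row 1).
        return {"consumer": None, "allowed": False, "error": NOT_IDENTIFIED}
    username, password = creds

    if identify == "relax":
        candidates = list(GLOBAL_CONSUMERS)              # any consumer deployed to the Mediator
    elif identify == "strict":
        candidates = REGISTERED_CONSUMERS.get(api, [])   # only consumers registered for this API
    elif identify == "donotidentify":
        candidates = []                                  # header evaluated, no consumer lookup
    else:
        raise ValueError(f"unknown identify option: {identify!r}")

    consumer = None
    for app in candidates:
        if username in GLOBAL_CONSUMERS.get(app, []):    # token match is case sensitive
            consumer = app
            break
    if identify != "donotidentify" and consumer is None:
        return {"consumer": None, "allowed": False, "error": NOT_IDENTIFIED}

    if validate and USER_STORE.get(username) != password:
        # Identified, but the password does not match (troubleshooting row 2).
        return {"consumer": consumer, "allowed": False, "error": f"Authentication failed for user {username}"}
    return {"consumer": consumer, "allowed": True, "error": None}


if __name__ == "__main__":
    hdr = {"Authorization": build_basic_header("Administrator", "manage")}
    print(hdr["Authorization"])
    print(evaluate(hdr, "VS_EchoWS_BasicAuth", "relax", True))
    print(evaluate({"Authorization": "Basic U0VOVEhJTDptYW5hZ2U="}, "VS_EchoWS_BasicAuth", "strict", False))
```

The strict case in the usage shows why Registered Consumers is the tighter setting: SENTHIL belongs to a global consumer application, so relax identifies it, but strict rejects it because that application is not registered for VS_EchoWS_BasicAuth.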

5. DEPLOY AND VALIDATE THE DEPLOYMENT

Deploy the virtual alias (e.g. VS_EchoWS_BasicAuth) to the wM Mediator target(s) by clicking the "Publish..." option in BusinessUI.

  1. Verify the deployed service(s) in the wM Mediator page
    1. Invoke http://<mediator_host>:5555/WmMediator from a web browser and provide credentials to access the page.
    2. Click the "Services" link to get the list of mediated service(s) in wM Mediator and find the virtual service (e.g. VS_EchoWS_BasicAuth).

  2. Verify the virtual service definition for the policy in wM Mediator
    1. In the above page, click on the [VSD] link for the virtual service to see the virtual service definition (VSD).
    2. You should find the following entries in the VSD, as in the snippet below, when "Global Consumers" (relax) and "Authenticate User" (validate="true") are selected.

      VSD of VS_EchoWS_BasicAuth

      <enforcement-actions allow-anon="false">
        <expressions>
          <expression>
            <params identify="relax" type="httpBasicAuth" validate="true" />
          </expression>
        </expressions>
      </enforcement-actions>
    3. If "Registered Consumers" is selected as the identify method (strict), the enforcement action element should have the identify attribute set to strict. This identifies the consumer from the registered consumers list.

    4. If "Do not identify" is selected as the identify method (donotidentify), the enforcement action element should have the identify attribute set to donotidentify.
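As an added verification check (not part of this tutorial and not wM Mediator code), the Python below parses a VSD fragment like the one shown in this section with the standard library and reports where the deployed httpBasicAuth action differs from the identify option and Authenticate User setting chosen in BusinessUI. The sample VSD is the snippet from this section; the element and attribute names come from that snippet, and the finding texts are my own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# The VSD fragment from this section for VS_EchoWS_BasicAuth ("Global Consumers" + "Authenticate User").
SAMPLE_VSD = """<enforcement-actions allow-anon="false">
  <expressions>
    <expression>
      <params identify="relax" type="httpBasicAuth" validate="true" />
    </expression>
  </expressions>
</enforcement-actions>"""

IDENTIFY_OPTIONS = {"relax", "strict", "donotidentify"}   # Global / Registered / Do not identify


def basic_auth_params(vsd_xml: str) -> List[Dict[str, str]]:
    """Return the attributes of every <params type="httpBasicAuth"> element in the fragment."""
    root = ET.fromstring(vsd_xml)
    return [dict(p.attrib) for p in root.iter("params") if p.get("type") == "httpBasicAuth"]


def check_vsd(vsd_xml: str, expected_identify: str, expected_validate: bool) -> List[str]:
    """Compare the deployed VSD against what was configured in BusinessUI.
    Returns a list of findings; an empty list means the deployment matches."""
    findings: List[str] = []
    params = basic_auth_params(vsd_xml)
    if not params:
        return ["no httpBasicAuth enforcement action found in VSD"]
    for p in params:
        identify = p.get("identify")
        validate = p.get("validate", "false").lower() == "true"
        if identify not in IDENTIFY_OPTIONS:
            findings.append(f"unexpected identify value {identify!r}")
        elif identify != expected_identify:
            findings.append(f"identify is {identify!r}, expected {expected_identify!r}")
        if validate != expected_validate:
            findings.append(f"validate is {validate}, expected {expected_validate}")
        if identify == "donotidentify" and not validate:
            # Per the note in sec. 4.3: the header must be present, but nobody is identified or authenticated.
            findings.append("donotidentify without validate: only the presence of the header is enforced; anonymous access is allowed")
    return findings


if __name__ == "__main__":
    print(basic_auth_params(SAMPLE_VSD))
    print(check_vsd(SAMPLE_VSD, "relax", True))      # [] when the deployment matches
    print(check_vsd(SAMPLE_VSD, "strict", True))     # reports the identify mismatch
```

Running this against every VSD fetched from the Mediator page gives a quick way to confirm that a service meant to use Registered Consumers was not deployed with relax or donotidentify.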

6. EXECUTION AND VERIFICATION OF VIRTUAL SERVICE RUNTIME INVOCATION

  1. Get the WSDL by clicking on [WSDL] to invoke the virtual service as stated in step 5.2.b.
  2. Execute the virtual service (e.g. VS_EchoWS_BasicAuth) from a SOAP client with the specific user's credentials in the HTTP Authorization header, as below.

    For example, if the user agent uses 'Administrator' as the username and 'manage' as the password, the header is formed as follows:

    Authorization = Basic QWRtaW5pc3RyYXRvcjptYW5hZ2U=

  3. The sample virtual service request looks like

    Sample Request with Header
    HTTP Header::
    Content-Type: text/xml;charset=UTF-8
    SOAPAction: "urn:sayHello"
    Authorization: Basic U0VOVEhJTDptYW5hZ2U=
    Content-Length: 291
    SOAP Request::
    <soapenv:Envelope xmlns:soapenv=" xmlns:axis=">
  4. The sample virtual service response looks like the one below for a successful consumer identification with HTTP Basic Authentication.

  5. Verifying the result in the log invocation event

    1. View the runtime events after invoking the service as described in sec. 6.2 and check that the Consumer attribute's value is as expected (e.g. MyBasicAuthConsumers).

Successful consumer identification for the HTTP Basic Authentication user (e.g. Administrator) being passed in the HTTP header

Failed consumer identification, with the policy violation event

7. TROUBLESHOOTING WITH EVALUATE HTTP BASIC AUTHENTICATION ACTION

Each row below gives the exception, its description and the possible cause or solution.

1. Exception: Mediator encountered an error: Consumer could not be identified.
   (com.softwareag.pg.exceptions.PolicyViolationException)
   Description: Consumer could not be identified. Anonymous access is not allowed for this service!
   Possible cause / Solution: The user was not identified from the credentials in the HTTP header.
     • Make sure the Authorization header is present in the HTTP request
     • Make sure the value of the Authorization header carries the credentials specified in the consumer application in step 4.1
     • Make sure the user name and password values are in the proper case (they are case sensitive)

2. Exception: Mediator encountered an error: Authentication failed for user XXXXX
   (com.softwareag.pg.exceptions.PolicyViolationException)
   Description: Authentication failed
   Possible cause / Solution: Authentication failed (but the user was identified) for the given user in the HTTP header as specified in step 4.1, when "Authenticate User" is selected.
