How to disable client authorization on RestV2

Hi Guys,
I’am using Integration Server 10.11 and update fix using core fix 6 version, and then create rest API using Rest Resource V2, and set acl execution to Anonymous, because i want handle authorization in service level, because i want to add payload response to any response status (200, 401, etc)

When tested API with blank authorization, can hit until service level, and got response from service level

but when filled authorization with wrong username & password, the response is like validation client authorization from Integration Server and not hit service level.

Is there a way to pass through / disable client credentials for RESTv2? So validation of client authorization can be done in service level.

Thanks in advanced.

Hi Edwi Wahid,

Did you add any security into the Rest API Description. Can you please share the RAD details.


Hi Priya Gupta,

I didn’t add any security in RAD dan didn’t create any RAD, just create RESTv2 Resource.

Hi Edwi Wahid,

Software AG highly recommends that you create REST API descriptors, if you want to expose existing services using REST.

Please follow the below steps:

1.Create Rest API descriptor using restv2 resource
2. Set ACL execution to Anonymous (PFA )

Try with REST Request: /rad/namespace_of_rad/URL template of resource without credential.

1 Like

Hi Priya Gupta,

Thanks for reply,
i’am following your step, and it succeed without credential, but with wrong credential, the IS responsed 401[ISS.0084.9001] Invalid credentials, can’t the IS passed the wrong credential and validate within Flow Service?


Integration Server should not allow bad credentials. When credentials are sent, they will be first be authenticated, before checking the ACL of the service, this behavior seems correct.

You would have to bypass the Authorization header to do this i.e.
Pass the token or whatever via an alternative header attribute e.g. access-key
You will need to make the service anonymous and then use the service pub.flow:getTransportInfo to get hold of the headers.

As Nagendra indicated, be careful as you are bypassing the built-in security and will need to make sure that your code is water tight. What is your use case for doing this programatically ? it might be possible to combine both.