Skip to main content

Using HTTP Authentication

Some web services require HTTP authentication instead of using WS-Security (which is described in Securing Web Services). For these web services, InterSystems IRIS® data platform supports the following HTTP authentication schemes:

  1. Negotiate (SPNEGO and Kerberos, per RFC 4559Opens in a new tab and RFC 4178Opens in a new tab)

  2. NTLM (NT LAN Manager Authentication Protocol)

  3. Basic (Basic Access Authentication as described in RFC 2617Opens in a new tab)

Note that on HTTP 1.0, only Basic authentication is used; the other authentication schemes require multiple round trips within a single connection, which is not permitted in HTTP 1.0.

To use HTTP authentication:

  • Set the HttpUsername and HttpPassword properties of the web client before invoking the web method.

  • If you want the client to send an initial header indicating the scheme to use (and you know that the server permits the scheme), set the HttpInitiateAuthentication property before invoking the web method. For the value of this property, specify an authentication scheme name, as given in Providing Login Credentials in Sending HTTP Requests.

  • If you want to customize the list of schemes that the client tries, set the HttpInitiateAuthentication property before invoking the web method. For the value of the property, use a comma-separated list of names, as given in Providing Login Credentials in Sending HTTP Requests.

Important:

If there is a chance that Basic authentication will be used, ensure that you are using SSL between the web client and the web server that hosts the web service. In Basic authentication, the credentials are sent in base-64 encoded form and thus can be easily read. See Configuring the Client to Use SSL.

FeedbackOpens in a new tab