Instance Authentication and WS-Security

It is useful to understand that with an InterSystems IRIS web service, two separate mechanisms are in effect: one in the IRIS server and one in the web service code.

  • In the Management Portal, you specify allowed authentication modes for a web application, thus controlling access to the %Service_WebGateway service. (For details, see Timestamp and Username Token Example. For additional background, see Web Applications.) If you select the Password option, the web application can accept an InterSystems IRIS username/password pair; this is called instance authentication.

  • Independently of this, the web service can require an InterSystems IRIS username/password pair.

These mechanisms work together as follows:

  1. Upon receiving a message, the web service checks for the presence of a header element called <Security>, without examining the contents of that element.

  2. If no <Security> header element is present and if the SECURITYIN parameter equals REQUIRE, the web service issues a fault and quits.

  3. If the <Security> header element contains a <UsernameToken> element:

    • If you selected the Password option for the web application, the web service reads the <UsernameToken> element, obtains the username and password from that, and logs in to the web application.

      The web service does this for any value of the SECURITYIN parameter, except for IGNOREALL.

      The username is available in the $USERNAME special variable and in the Username property of the web service. The password is not available.

    • If you did not select the Password option, no login occurs.

Note:

The SECURITYIN parameter is ignored if there is a security policy in an associated (and compiled) configuration class.
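The three steps above, modelled as an added Python example (not InterSystems code) that classifies a constructed SOAP request for a given SECURITYIN value and Password setting; it shows that an empty <Security> header passes the REQUIRE presence check without any login taking place. The function names, outcome labels and sample messages are hypothetical. Assumptions: a request with no <Security> header and SECURITYIN other than REQUIRE continues without login (the page does not describe that case), the credential check itself is not modelled, and no security policy exists in a configuration class.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample token; the username and password are made up.
TOKEN = ("<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
         "<wsse:Password>constructed-secret</wsse:Password>"
         "</wsse:UsernameToken>")


def envelope(security_body=None):
    """Build a constructed SOAP 1.1 request; None means no <Security> header."""
    header = ""
    if security_body is not None:
        header = (f'<wsse:Security xmlns:wsse="{WSSE}">'
                  f'{security_body}</wsse:Security>')
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>{header}'
            f'</soap:Header><soap:Body/></soap:Envelope>')


def inbound_decision(xml_text, securityin, password_option):
    """Return (outcome, username) for one message, following steps 1-3."""
    root = ET.fromstring(xml_text)  # sample input only, not untrusted XML
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    # Steps 1-2: presence check only; the contents are not examined here.
    if security is None:
        if securityin == "REQUIRE":
            return ("FAULT", None)
        return ("NO_LOGIN", None)  # assumption: processing continues
    # Step 3: a <UsernameToken> leads to a login only when the web
    # application allows Password and SECURITYIN is not IGNOREALL.
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is not None and password_option and securityin != "IGNOREALL":
        return ("LOGIN", token.findtext(f"{{{WSSE}}}Username"))
    return ("NO_LOGIN", None)


if __name__ == "__main__":
    cases = [("no header", envelope()), ("empty header", envelope("")),
             ("username token", envelope(TOKEN))]
    for label, msg in cases:
        for mode in ("REQUIRE", "IGNOREALL"):
            for pw in (True, False):
                print(label, mode, pw, inbound_decision(msg, mode, pw))
```

In this model, a web service that needs an authenticated caller has to check the resulting username itself, because REQUIRE only guarantees that a <Security> header was present.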
