API Security
Generally the API application can be combined with different security setups, for example with Tomcat filters. Ask Customer Support for details.
The API application itself currently understands the following ways of presenting credentials:
- Basic authentication via the 'Authorization' header.
  - This header is read from the request if present.
  - Note: Basic authentication is only secure when combined with secure communication (for example HTTPS).
- Its own authentication header format, which is also transported via the 'Authorization' header.
  - It contains session information. The response to a request will contain this header, and it should be re-sent with the next request for the same user to re-use resources. Browsers will do so automatically.
- Request filters which write authenticated user names to the request attribute 'uid'.
  - The configuration option "Allow trusted login via filter writing to 'uid' HTTP request attribute" needs to be activated in the Search Web Api configuration, in the Login settings node.
- Request filters which write to the 'SecurityContext' class.
  - The 'SecurityContext' class is a security feature of Spring-based application code.
  - The configuration option "Activate the reader for the Spring SecurityContext" needs to be activated in the Search Web Api configuration, in the Login settings node.
For convenience, if no credentials are available to the API application, the response will have HTTP status '401' with a WWW-Authenticate header requesting basic authentication. If received by a browser, the browser will automatically open a form requesting name and password.
Note: Basic authentication is only secure when combined with secure communication (for example HTTPS).
Configuration of the Search Web Api
The searchWebApi is configured in CORE Administration. Security configurations are located in the Login settings node.
These options are available:
Property | Default configuration | Explanation |
---|---|---|
Allow trusted login via filter writing to 'uid' HTTP request attribute | false | Activating this option allows the use of request filters which write authenticated user names to the request attribute 'uid'. |
Allow trusted login via username-only HTTP Authorization header | false | If set to 'false', the first request in a session needs name and password, and will be authenticated. Otherwise the first request in a session only needs a name (principal). |
Activate the reader for the Spring SecurityContext | false | Activating this option allows the use of request filters which write to the 'SecurityContext' class. This class is a security feature of Spring-based application code. |
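As an added example that is not part of this documentation or of the product's own code, the following servlet filter shows the kind of component the option "Allow trusted login via filter writing to 'uid' HTTP request attribute" enables. It assumes the Servlet API in the javax.servlet namespace and a deployment in which the container (for example a Tomcat realm or SSO valve) has already authenticated the request; the user name is copied from the container's verified principal, never from a request header, because any header can be supplied by the client. The class and method names are the example's own; only the attribute name 'uid' comes from the documentation.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (hypothetical, not part of the product): copies the user
 * name that the servlet container has already authenticated into the request
 * attribute 'uid', which the Search Web Api reads when the trusted-login
 * option for that attribute is activated in the Login settings node.
 */
public class TrustedUidFilter implements Filter {

    /** Attribute name the API reads; taken from the documentation above. */
    static final String UID_ATTRIBUTE = "uid";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Assumption: this filter is the only source of 'uid' in the deployment,
        // so any value set by an earlier component is discarded rather than trusted.
        request.removeAttribute(UID_ATTRIBUTE);

        String uid = authenticatedUser(request);
        if (uid != null) {
            request.setAttribute(UID_ATTRIBUTE, uid);
        }
        // Without a container-verified identity the attribute stays unset and the
        // API falls back to its own handling (401 with a WWW-Authenticate challenge).
        chain.doFilter(request, response);
    }

    /**
     * Returns the user name only if the container itself authenticated the
     * request. getUserPrincipal() is populated by the container after it has
     * verified credentials; request headers are deliberately not consulted.
     */
    static String authenticatedUser(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            return null;
        }
        String name = principal.getName();
        return (name == null || name.isBlank()) ? null : name;
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Register the filter in the web application's web.xml (or via @WebFilter) so that it runs before the API servlet on the same URL pattern; the container's own authentication (the realm or SSO setup) must be configured to run ahead of it, otherwise getUserPrincipal() is null and no 'uid' is written.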