Layer7 API Management


Custom HTTP Authorization Header

  • 1.  Custom HTTP Authorization Header

    Posted 02-14-2017 04:10 AM

    Hi All,


    We got a requirement where the user does not want to send authentication credentials in the header and is interested in sending them in the request body itself, in username and password fields.

    We are trying to validate user credentials that are sent in the request body against Active Directory. We are able to form a custom Authorization HTTP header with Basic-encoded username:password.


    headers:accept:*/*, accept-encoding:gzip, deflate, br, accept-language:en-US,en;q=0.8, Authorization:Basic eGthc3VuZTpDaGFyYW5AMjAxNg==, cache-control:no-cache, connection:keep-alive, content-length:8505, content-type:text/xml,  origin:chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop, user-agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/


    Still we are observing an "Authentication Required" error from the service. Could you please suggest how we can do authentication in this scenario?


    Is it possible to do the authentication we are trying to do?




  • 2.  Re: Custom HTTP Authorization Header

    Posted 02-14-2017 09:53 AM

    Have you tried using the request xpath credentials for pulling the username and password out of the body?


    Sent from my iPhone

  • 3.  Re: Custom HTTP Authorization Header

    Posted 02-14-2017 09:24 PM

    Hi Derek,


    Thanks for reply.

    I am able to pull the username and password from the request body and form the Basic Authorization header as well. Even so, the policy is throwing a "Required Authentication" error.


    I have already attached the policy logic.




  • 4.  Re: Custom HTTP Authorization Header

    Posted 02-14-2017 05:29 PM

    It looks like you do everything in one policy.

    You may try adding the header in one policy, and route via HTTP to another policy for authentication.

  • 5.  Re: Custom HTTP Authorization Header

    Posted 02-14-2017 09:29 PM

    Hi Zhijun,


    Thank you very much for your response.


    We are able to form the Basic Authorization header in the policy but it is still throwing the error. Is it possible to handle it in one policy itself?


    If we develop another policy to route credentials to the actual policy for authentication, going forward more policies will come. In that case maintenance of more policies is a bit difficult.




  • 6.  Re: Custom HTTP Authorization Header

    Posted 02-14-2017 11:00 PM

    Hello saisuneel,

    I did a quick test; it's all right to put them into one policy, but you don't need the Require HTTP Basic Credentials assertion here, just Authenticate against ***.

    If the credential in your custom header is correct, it will pass; otherwise it will give the error "No Credential found!"




  • 7.  Re: Custom HTTP Authorization Header

    Posted 02-14-2017 11:13 PM

    Furthermore, if you split the policy, you can use the Require HTTP Basic Credentials assertion in the authenticating policy.

    It seems the Require HTTP Basic Credentials assertion only reads the original headers.

  • 8.  Re: Custom HTTP Authorization Header

    Posted 02-14-2017 11:25 PM

    Sorry saisuneel,

    It could be due to my browser's cache; the Authenticate against *** assertion ignores the custom header too. After I changed to another user, it's not working anymore.

    i.e. the custom header doesn't take effect inside the policy. You may have to split the policy.




  • 9.  Re: Custom HTTP Authorization Header

    Posted 02-15-2017 01:46 AM

    Hi Zhijun,


    Thank you very much for quick update.


    I removed the Require HTTP Basic Credentials assertion when I passed the custom HTTP Authorization header, but even then it did not work.

    My concern is that if we split the service into two services instead of one, we will have to split services whenever any customer wants to send credentials in the request body instead of the request header.


    So I am looking for the best approach, one that will reduce maintenance problems too.


    Thanks a lot once again.




  • 10.  Re: Custom HTTP Authorization Header
    Best Answer

    Posted 05-01-2017 06:03 PM

    Good afternoon,


    The gateway is able to pull the username and password from the payload using various different assertions, including WS-Security UsernameToken Profile Credentials and Require XPath Credentials. The WS-Security UsernameToken is a WS-Security header security token that contains the username and password, which are extracted with the WS-Security UsernameToken Profile Credentials assertion. The Require XPath Credentials assertion, even though it has the appearance of being XML only, can do so much more. Its primary usage is that if you have a username and password in XML, you can XPath out each component and authenticate against an Identity Provider. This assertion also allows you to take in context variables to authenticate even if the payload is not XML. You will need to find another means, such as a regular expression, or retrieve them from a form post using the request.http.parameter.<NAME> context variable. I've attached a sample policy that will hopefully get you started.




    Stephen Hughes

    Director, CA Support
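    As an added illustration, not the attached sample policy and not CA or Layer7 code, the following Python mirrors what the three payload routes named above (a WS-Security UsernameToken, a plain XML body read by XPath, and a form post parameter) yield before the pair is handed to the identity provider, so no Authorization header is involved at all. The payloads and the credentials alice / s3cret are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# WS-Security 1.0 secext namespace used by the UsernameToken profile
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def creds_from_usernametoken(soap_xml: str):
    """Mirror of WS-Security UsernameToken Profile Credentials: read the
    wsse:Username / wsse:Password pair out of the Security header."""
    root = ET.fromstring(soap_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    user = token.findtext(f"{{{WSSE}}}Username")
    pw = token.findtext(f"{{{WSSE}}}Password")
    return (user, pw) if user and pw else None


def creds_from_xpath(xml_body: str, user_path: str, pw_path: str):
    """Mirror of Require XPath Credentials: the policy author supplies an
    XPath for each component of a plain XML payload."""
    root = ET.fromstring(xml_body)
    user, pw = root.findtext(user_path), root.findtext(pw_path)
    return (user, pw) if user and pw else None


def creds_from_form(body: str, user_param: str = "username", pw_param: str = "password"):
    """Form post: the equivalent of reading request.http.parameter.<NAME>."""
    params = parse_qs(body)
    try:
        return params[user_param][0], params[pw_param][0]
    except KeyError:
        return None  # a missing component fails the assertion; there is no fallback


# Constructed sample payloads (hypothetical credentials, not from the thread)
SAMPLE_SOAP = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header><wsse:Security xmlns:wsse="{WSSE}">
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
      <wsse:Password>s3cret</wsse:Password></wsse:UsernameToken>
  </wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
SAMPLE_XML = "<request><username>alice</username><password>s3cret</password></request>"
SAMPLE_FORM = "username=alice&password=s3cret"

if __name__ == "__main__":
    print("UsernameToken:", creds_from_usernametoken(SAMPLE_SOAP))
    print("XPath        :", creds_from_xpath(SAMPLE_XML, "username", "password"))
    print("Form post    :", creds_from_form(SAMPLE_FORM))
```

    Each function returns the (username, password) pair or None, which is the decision the gateway assertion makes before the Authenticate against *** step runs.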


  • 11.  Re: Custom HTTP Authorization Header

    Posted 05-03-2017 09:25 PM

    Thank you Stephen_Hughes,

    This is the better solution.