Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


titleHTTP Authentication

This material has changed with V5 due to changes in the underlying HttpClient library and the original examples from V4 do not work for this release.

There is now official support for Basic Authentication using our APIs. Other HTTP authentication mechanisms may work but likely require interacting with lower-level HttpClient library objects.

The supported API for this involves injecting a map keyed by HttpHost objects whose value is the username and password to use. This API supports pre-emptive authentication; that is, the code will offer the credentials automatically when contacting the specified host and will not wait for a challenge from the server to do so. It should therefore be used only with TLS-protected hosts with appropriate verification, as described earlier.

We have defined a pair of parent beans to abstract some of the classes needed to define the map:

  • shibboleth.HttpHost – a parent bean that wraps the Apache client’s HttpHost class

  • shibbleth.BasicAuthCredentials – a parent bean that wraps the Apache client’s UsernamePasswordCredentials class

The map must be injected into the HttpClientSecurityParameters bean via the preemptiveBasicAuthMap property.

Example of Basic Authentication along with TLS Verification
Code Block
<bean id="CustomHttpSecurity" class=""
	<property name="tLSTrustEngine">
		<bean parent="shibboleth.StaticExplicitTrustEngine"
			p:certificates="%{idp.home}/credentials/server.pem" />

<util:map id="restAuthMap">
            <bean parent="shibboleth.HttpHost"
                p:scheme="https" p:hostname="" p:port="443" />
        <bean parent="shibboleth.BasicAuthCredentials"
            p:username="%{rest.username}" p:password="%{rest.password}" />

Since the map discriminates the credentials by host, it’s safe to define all your various credentials in one map and use it wherever needed.