...

HTTP Authentication
Note: This material has changed with V5 due to changes in the underlying HttpClient library, and the original examples from V4 do not work for this release.

There is now official support for Basic Authentication using our APIs. Other HTTP authentication mechanisms may work, but they likely require interacting with lower-level HttpClient library objects.

The supported API for this involves injecting a map keyed by HttpHost objects whose value is the username and password to use. This API supports pre-emptive authentication; that is, the code will offer the credentials automatically when contacting the specified host and will not wait for a challenge from the server to do so. It should therefore be used only with TLS-protected hosts with appropriate verification, as described earlier.

We have defined a pair of parent beans to abstract some of the classes needed to define the map:

  • shibboleth.HttpHost – a parent bean that wraps the Apache client’s HttpHost class

  • shibboleth.BasicAuthCredentials – a parent bean that wraps the Apache client’s UsernamePasswordCredentials class

The map must be injected into the HttpClientSecurityParameters bean via the preemptiveBasicAuthMap property.

Example of Basic Authentication along with TLS Verification
<!-- Security parameters for an HttpClient: pre-emptive Basic auth plus explicit
     TLS trust in a single pinned server certificate. -->
<bean id="CustomHttpSecurity" class="org.opensaml.security.httpclient.HttpClientSecurityParameters"
        p:preemptiveBasicAuthMap-ref="restAuthMap">
    <property name="tLSTrustEngine">
        <bean parent="shibboleth.StaticExplicitTrustEngine"
            p:certificates="%{idp.home}/credentials/server.pem" />
    </property>
</bean>

<!-- Map of HttpHost -> credentials; credentials are only offered to the matching host. -->
<util:map id="restAuthMap">
    <entry>
        <key>
            <bean parent="shibboleth.HttpHost"
                p:scheme="https" p:hostname="rest.service.example.org" p:port="443" />
        </key>
        <bean parent="shibboleth.BasicAuthCredentials"
            p:username="%{rest.username}" p:password="%{rest.password}" />
    </entry>
</util:map>

Since the map discriminates the credentials by host, it is safe to define all of your various credentials in one map and reference it from every HttpClientSecurityParameters bean that needs it.
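The following is an added example, not taken from the Shibboleth documentation, showing the shared-map pattern described above: one util:map holding credentials for two different hosts, referenced by two separate HttpClientSecurityParameters beans that each pin a different server certificate. The hostnames, ports, certificate file names and %{...} property names are assumed placeholders.

```xml
<!-- Added example (not from the Shibboleth documentation). One shared map holding
     credentials for two different hosts; hostnames, ports, certificate paths and
     the %{...} property names are assumed placeholders. -->
<util:map id="sharedRestAuthMap">
    <!-- Credentials offered pre-emptively only to https://api.example.org:443 -->
    <entry>
        <key>
            <bean parent="shibboleth.HttpHost"
                p:scheme="https" p:hostname="api.example.org" p:port="443" />
        </key>
        <bean parent="shibboleth.BasicAuthCredentials"
            p:username="%{api.username}" p:password="%{api.password}" />
    </entry>
    <!-- A second service with its own, separate credentials -->
    <entry>
        <key>
            <bean parent="shibboleth.HttpHost"
                p:scheme="https" p:hostname="attributes.example.org" p:port="8443" />
        </key>
        <bean parent="shibboleth.BasicAuthCredentials"
            p:username="%{attr.username}" p:password="%{attr.password}" />
    </entry>
</util:map>

<!-- Two independent security-parameter beans, each pinned to a different server
     certificate but sharing the same credential map. A connection only receives
     the credentials keyed by the scheme/host/port it is actually contacting. -->
<bean id="ApiHttpSecurity" class="org.opensaml.security.httpclient.HttpClientSecurityParameters"
        p:preemptiveBasicAuthMap-ref="sharedRestAuthMap">
    <property name="tLSTrustEngine">
        <bean parent="shibboleth.StaticExplicitTrustEngine"
            p:certificates="%{idp.home}/credentials/api.example.org.pem" />
    </property>
</bean>

<bean id="AttributeHttpSecurity" class="org.opensaml.security.httpclient.HttpClientSecurityParameters"
        p:preemptiveBasicAuthMap-ref="sharedRestAuthMap">
    <property name="tLSTrustEngine">
        <bean parent="shibboleth.StaticExplicitTrustEngine"
            p:certificates="%{idp.home}/credentials/attributes.example.org.pem" />
    </property>
</bean>
```

Because the credentials are sent pre-emptively rather than after a server challenge, the TLS trust engine on each bean is the control that keeps them from reaching anything other than the intended server; keeping every credential in one map also means rotating a password is a single edit in one place.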

...