Thursday, May 30, 2013

Retrieve and pass around http Authorization header with OSB

It never ceases to amaze me how I keep stumbling on "new" features in OSB. This time it's retrieving and passing around the HTTP Authorization header with OSB.

I thought it was a long-closed chapter that OSB strips off the HTTP Basic Authentication header before the pipeline is invoked. Well, that is still true by default, except a colleague showed me there is a trick to make OSB expose the HTTP Authorization header!

The trick is to add -Dcom.bea.wli.sb.transports.http.GetHttpAuthorizationHeaderAllowed=true to the OSB start-up command (the JVM arguments of the managed server). Once you do that (you still need to check "Get All Headers" on the proxy service), you can access the Authorization header like any regular HTTP user header:
   $inbound/ctx:transport/ctx:request/tp:headers/tp:user-header/@value
The above expression worked for me because I have only one user header. If you have more than one, select it by name instead:
   $inbound/ctx:transport/ctx:request/tp:headers/tp:user-header[@name='Authorization']/@value
Bear in mind what this exposes: for Basic Authentication the value is "Basic " followed by base64(username:password), which anyone can decode. From now on any Log or Report action, or any error handler that dumps $inbound, can write the client's password to disk, so treat that value as a credential, not as just another header.

In my test case I'm doing a bit more than just reading it on the incoming proxy. I have three parts: Proxy1, a biz service, and Proxy2. I want to pass the Authorization header from Proxy1 to Proxy2 via the biz service.

The screen shot below shows that Proxy1 uses a Route action to call the biz service. On that route you need to add a Transport Headers action for the "Outbound Request" and check "Pass all Headers through Pipeline". That passes the Authorization header on. In my case I also tested with an additional custom header, "aTestHeader", as shown in the screen shot.
One important note: normally the biz service would require "Basic" authentication enabled with a "Pass Through" service account. If you added that magic start-up option, though, the biz service setting no longer matters, because you are passing the Authorization header explicitly as a transport header. Additionally, if you want to see the Authorization header in Proxy2, you still need to check "Pass all Headers through Pipeline".
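The following XQuery is an added example, not code from the original post. It puts the two selection expressions from above into context and replaces "Pass all Headers through Pipeline" (which forwards every header the client chose to send) with an explicit forward of just the Authorization header. It is written as an OSB XQuery resource that receives the proxy's $inbound variable as an external input; the two namespace URIs are the ones OSB binds to the ctx: and tp: prefixes and are an assumption here, as is the name "aTestHeader" taken from the post.

```xquery
xquery version "1.0";
(: Added example, not code from the original post. Written as an OSB XQuery
   resource that receives the proxy's $inbound variable; the two namespace URIs
   are the ones OSB binds to the ctx: and tp: prefixes (assumed here). :)
declare namespace ctx = "http://www.bea.com/wli/sb/context";
declare namespace tp  = "http://www.bea.com/wli/sb/transports";

declare variable $inbound external;

(: Select the header by name, never by position: the request may carry any number
   of user headers (aTestHeader in the post), and [1] keeps the result a single
   node if a client repeats the header. The comparison is case-sensitive; if your
   clients send "authorization", compare lower-case(@name) instead. :)
let $authz := $inbound/ctx:transport/ctx:request/tp:headers
              /tp:user-header[@name = 'Authorization'][1]
let $value := string($authz/@value)

(: $value is a credential: for Basic auth it is "Basic " + base64(user:password),
   reversible by anyone who reads the log. $redacted is not used in the return
   below; it is the only thing a Log or Report action in this stage should print. :)
let $scheme   := substring-before(concat($value, ' '), ' ')
let $redacted := if ($value = '') then '(absent)' else concat($scheme, ' [redacted]')

return
  if ($value = '') then ()
  else
    (: Emit just this header for the outbound request, e.g. Insert it as last
       child of $outbound/ctx:transport/ctx:request/tp:headers. This forwards the
       credential without "Pass all Headers through Pipeline", which would also
       forward every other header the client sent. :)
    <tp:user-header name="Authorization" value="{ $value }"/>
```

Use the return value in an Insert action on the outbound request headers; if the request carried no Authorization header the expression returns the empty sequence and nothing is inserted, so the biz service call proceeds without a stale or empty credential. Copy the same resource into a Log action and return $redacted there instead of the header element.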

Without the magic start-up option, that "Pass Through" service account on the biz service does the job instead. In that case the Authorization header is not accessible in the proxy pipeline, but the biz service passes it on behind the scenes. So if Proxy2 has Basic authentication enabled, the Authorization header is handed over to Proxy2 (behind the scenes) and the authentication on Proxy2 succeeds.

2 comments:

  1. Thank you for this contribution; in my case it is very useful for connecting to a Business Service with Basic Authentication.