
Credentials in message body?

I have two web service data sources which expect the user name and password to be passed as part of the POST body. This is easy to make work with interpolation variables but is far less than ideal. Is there a method where the configured credentials can be passed in the POST body in a fashion much like interpolation variables work? This would allow them to be placed into the body along with any other content & structure that might be necessary.
user
20-08-2019 12:54:13 -0400

5 Answers

Hi, I understand that you are trying to dynamically pass the user credentials to access the web service data source. As you mentioned, Interpolation variable is a good approach for your scenario.

As an alternative to above, I would suggest you to enable “**pass through session credentials**” option in the Authentication section of the web service data source configuration. This way the user who logged into Virtual DataPort server is passed through as the user for accessing the Web Service datasource during any query execution. This way I would avoid passing the credentials when querying the base view created over the web service data source (using Interpolation variable).

I would refer to the below link for more details on the Authentication configuration with Pass through credentials.

* [**Authentication in HTTP Paths**](https://community.denodo.com/docs/html/browse/7.0/vdp/administration/creating_data_sources_and_base_views/path_types_in_virtual_dataport/http_path#authentication-in-http-paths)

Hope this helps!
Denodo Team
21-08-2019 09:09:53 -0400
Thanks for the response. I have reviewed the provided link. Is there a way to use pass through credentials when the credentials need to be part of the message body? That, ultimately, is the problem I'd like to solve for. The interpolation variables work for placing the credentials in the POST body but, as you note, suffer from how they would be secured. Unlike other credentials which are encrypted at least, that doesn't seem doable with the variable approach.
user
 Edited on: 27-03-2020 14:04:42 -0400
Hi, In general, passing the credentials through HTTP POST is not encrypted and it can be intercepted by a network sniffer, by a proxy or leaked in the logs of the server with a customized logging level. To secure a password or other confidential data, I would use the SSL mode of communication. SSL will cover the whole HTTP communication and encrypt the HTTP data sent between the Virtual DataPort server (client) and the HTTP data source(server). I would read through the [SSL connection from VDP to data sources](https://community.denodo.com/kb/view/document/SSL%20connection%20from%20VDP%20to%20data%20sources?category=Security) knowledge base article and [HTTP Path](https://community.denodo.com/docs/html/browse/7.0/vdp/administration/creating_data_sources_and_base_views/path_types_in_virtual_dataport/http_path) section for steps to connect to an SSL enabled web service from Virtual DataPort Administration Tool. If you are a user with support access and still need more help, I would suggest you to raise a support case in the Denodo Support Site. Hope this helps!
Denodo Team
03-09-2019 07:08:49 -0400
HTTPS is being leveraged. The risks around interception of HTTP Basic (which Denodo supports) are the same as interception of a POST body containing credentials. The only difference is that HTTP Basic is base64-encoded, which is not a sort of protection. It sounds like interpolation variables are the only option (other than hardcoding). Obviously, this presents some risks as those are not encrypted when stored. It'd be great if Denodo would consider an option for handling POST body as a first class citizen like the other options which are available.
user
 Edited on: 27-03-2020 14:04:42 -0400
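
Added example, not part of the thread and not Denodo code: the replies above note that body credentials can leak through server or proxy logs and that HTTP Basic is only base64-encoded. This Python sketch shows one way a logging layer can mask both before a request is written out. The field names in `SECRET_KEYS` and the function names are assumptions made for illustration.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlencode

# Field names treated as secrets: an assumption for this sketch, extend per service.
SECRET_KEYS = {"password", "passwd", "pwd", "secret", "token"}
MASK = "REDACTED"

def _mask_json(node):
    """Recursively mask secret-named keys in decoded JSON."""
    if isinstance(node, dict):
        return {k: MASK if k.lower() in SECRET_KEYS else _mask_json(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_mask_json(v) for v in node]
    return node

def redact_body(body: str, content_type: str) -> str:
    """Return a copy of a POST body that is safe to write to a log."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            return json.dumps(_mask_json(json.loads(body)))
        except ValueError:
            return "<unparseable body withheld>"
    if ctype == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, MASK if k.lower() in SECRET_KEYS else v) for k, v in pairs])
    if ctype in ("text/xml", "application/xml", "application/soap+xml"):
        # Simple elements such as <password>..</password>, with optional namespace prefix.
        names = "|".join(sorted(SECRET_KEYS))
        pattern = re.compile(rf"(<((?:\w+:)?(?:{names}))(?:\s[^>]*)?>).*?(</\2\s*>)", re.I | re.S)
        return pattern.sub(rf"\g<1>{MASK}\g<3>", body)
    return "<body withheld: unknown content type>"  # fail closed

def redact_authorization(value: str) -> str:
    """Mask an Authorization header; Basic is decoded to show base64 hides nothing."""
    scheme, _, param = value.partition(" ")
    if scheme.lower() != "basic":
        return f"{scheme} {MASK}"
    try:
        user = base64.b64decode(param, validate=True).decode("utf-8").partition(":")[0]
    except ValueError:
        return f"Basic {MASK}"
    return f"Basic {user}:{MASK}"

if __name__ == "__main__":
    # Constructed sample request body, not taken from any real service.
    print(redact_body("user=svc&password=p%40ss", "application/x-www-form-urlencoded"))
```

Redaction only covers what is logged; the stored value of an interpolation variable and the request on the wire are unaffected by it.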
Hi, In general, Denodo customers can access the support site with a valid Support user and create new Requests. With that said, I would suggest you to raise a support request in the [Denodo Support Site](https://support.denodo.com/) so that Denodo support team will review and analyze it internally. Hope this helps!
Denodo Team
23-09-2019 01:03:34 -0400