Web Services Authentication

You can protect the access to a REST or SOAP Web service by configuring the authentication method of the Service. The available authentication methods depend on the Web service type:

Authentication methods support by SOAP and REST Web services



Available in SOAP Web Services Available in REST Web Services Uses the Credentials of the Web Service Uses the Credentials of the Web Service’s Clients
HTTP Basic X X X  
HTTP Basic with LDAP (*) X X X  
HTTP Basic with VDP X X   X
HTTP Digest X X X  
HTTP SPNEGO (Kerberos) X X   X
SAML 2.0   X   X
WSS Basic X   X  
WSS Basic with LDAP (*) X   X  
WSS Basic with VDP X     X
WSS Digest X   X  

When a Web Service uses the Virtual DataPort authentication methods (BASIC VDP and WSS VDP), the clients of the Web service have to use their Virtual DataPort credentials. That is, when a client sends a request to one of these Services, the Service uses the credentials provided by the client to open a connection to the Server and execute the appropriate query. By setting this authentication method, the Server can take into account the privileges of the user and its roles and her custom policies.

This is not possible with the other authentication methods, because with them, the Service uses the same connection with the Server to execute all the queries.

The parameter VDPACCEPTEDUSERS of the BASIC VDP and WSS VDP is a comma-separated list of user names. Only users, whose user name is in that list, will have access to the Service. If this parameter is missing, the Service will accept all Virtual DataPort’s users.

Unlike with the other authentication methods, with this one, we have to grant the user privileges to access the published views.

Basic and Digest

The BASIC and DIGEST authentication modes use the Basic and Digest HTTP Access Authentication methods.

In HTTP Basic the credentials are passed as plaintext and in HTTP Digest they are sent encrypted.

All the users will use the same credentials indicated in the parameters USER and PASSWORD.

The ENCRYPTED modifier indicates that the password provided is encrypted (this option is typically only used by the server export/import metadata processes. Users do not need to use this option).

Basic LDAP

In the BASIC LDAP authentication the credentials are passed as plain text and validated using a LDAP server.

Unlike the BASIC authentication, which forces every user to use the same user name and password, by using a LDAP server, every user has its own user name and password.

The following parameters are required to configure this authentication method:

  • LDAPDATASOURCE: URI of the LDAP server used to validate the users’ credentials.
  • LDAPUSERPATTERN: Pattern used to build the user’s Distinguished Name replacing the @login token with the received user name. I.e. if User pattern is cn=@login,ou=People,dc=YourOrganization,dc=com, the @login token is replaced by the user name provided by the invoker of the Service.
  • LDAPACCEPTEDUSERS: If this parameter is present, only users whose user name is in this list and his/her password is correct, will be granted permission to the Service. The user names must be separated by commas. This parameter is optional and if it is not present, every user authenticated by the LDAP server will be granted access to the Service.


The REST web services published by Virtual DataPort support SAML authentication (Security Assertion Markup Language).

Before enabling SAML on a web service, you have to enable SAML on the global configuration of the Server. The section “SAML Authentication” explains how to do this. After doing this, you can publish web services with this type of authentication.

Add the parameter SPENTITYID, which is a string that identifies this web service as a service provider with the identity provider (IdP).

The section SAML 2.0 of the Administration Guide explains in more detail how to configure web services with this authentication type.


When using the authentication methods BASIC VDP (SOAP and REST) and WSS BASIC VDP (only SOAP), the Web Service will connect to Virtual DataPort with the credentials used by the client of the Web service.

Only users whose user name is in the VDPACCEPTEDUSERS list will have access to the Service. If the list is empty, all Virtual DataPort’s users will be accepted. With this authentication method, the users also need to have permission to access the published views.


Web Services Security (WSS) enforces integrity and confidentiality over the Web service messaging. It works on top of the Basic or Digest authentication methods. Currently, Virtual DataPort supports the authentication profile called “Username Token”