Web Services Authentication¶
You can protect the access to a REST or SOAP Web service by configuring the authentication method of the Service. The available authentication methods depend on the Web service type:
Available in SOAP Web Services
Available in REST Web Services
Uses the Credentials of the Web Service
Uses the Credentials of the Web Service’s Clients
HTTP Basic with VDP
HTTP SPNEGO (Kerberos)
OAuth 2.0 and OpenID
WSS Basic with VDP
When a Web Service uses the Virtual DataPort authentication methods
BASIC VDP and
WSS VDP), the clients of the Web service have to
use their Virtual DataPort credentials. That is, when a client sends a
request to one of these Services, the Service uses the credentials
provided by the client to open a connection to the Server and execute
the appropriate query. By setting this authentication method, the Server
can take into account the privileges of the user and its roles and her
This is not possible with the other authentication methods, because with them, the Service uses the same connection with the Server to execute all the queries.
VDPACCEPTEDUSERS of the
BASIC VDP and
is a comma-separated list of user names. Only users, whose user name is
in that list, will have access to the Service. If this parameter is
missing, the Service will accept all Virtual DataPort users.
Unlike with the other authentication methods, with this one, we have to grant the user privileges to access the published views.
Basic and Digest¶
DIGEST authentication modes use the Basic and
Digest HTTP Access Authentication methods.
In HTTP Basic the credentials are passed as plaintext and in HTTP Digest they are sent encrypted.
All the users will use the same credentials indicated in the parameters
ENCRYPTED modifier indicates that the password provided is
encrypted (this option is typically only used by the server
export/import metadata processes. Users do not need to use this option).
OAuth 2.0 and OpenID¶
To use these authentication methods on a web service, first you need to enable OAuth authentication on the Virtual DataPort server. The section OAuth Authentication explains how to do this.
OpenID is an extension of OAuth 2.0. Denodo supports OpenID when it is configured to accept a JSON Web Tokens (JWT). That is, in the OAuth 2.0 configuration of the Server, the option Use JWT is selected.
The REST web services published by Virtual DataPort support SAML authentication (Security Assertion Markup Language).
Before enabling SAML on a web service, you have to enable SAML on the global configuration of the Server. The section “SAML Authentication” explains how to do this. After doing this, you can publish web services with this type of authentication.
Add the parameter
SPENTITYID, which is a string that identifies this
web service as a service provider with the identity provider (IdP).
The section SAML 2.0 of the Administration Guide explains in more detail how to configure web services with this authentication type.
When using the authentication methods
BASIC VDP (SOAP and REST) and
WSS BASIC VDP (only SOAP), the Web Service will connect to Virtual
DataPort with the credentials used by the client of the Web service.
Only users whose user name is in the
VDPACCEPTEDUSERS list will have
access to the Service. If the list is empty, all Virtual DataPort
users will be accepted. With this authentication method, the users also
need to have permission to access the published views.