Basic authentication is still a very common approach for securing web services. It is widely supported and can be tested with a browser. When it is used over an HTTPS connection, the credentials are also encrypted in transit.
To use basic authentication the usual way with OSB, you select ‘Basic’ in the authentication section of the business service and assign a service account to it.
For the service account the OSB supports three settings:
- Pass Through: The credentials provided to the proxy service are forwarded to the business service.
- Static: You enter the credentials into the service account file.
- Mapping: Inside the service account file you create a mapping from local usernames to remote usernames and passwords.
There is a problem with all three settings: none of them supports an enterprise setup in which you keep OSB projects in a version control system, build them with a build process, and deploy them to different stages with different credentials.
It is not possible to modify the service account file with the customization mechanism.
A working solution is to create a separate service account file for each stage and select the one you need by customization. But the problem remains that you have to check the production credentials into the version control system.
A workaround for this would be to have a separate configuration project with restricted access, referenced by the project containing the business service.
I would like to show another solution here. As described in this blog post, we have chosen to store all kinds of settings of the OSB projects in a configuration file on the OSB server. Access to these settings happens through custom XQuery functions. Using this, we are able to get the username and password stored in OSB variables. For details look at this topic.
How can we use these credentials?
First we have to build a basic authentication string. According to the wiki, we have to concatenate username and password and then base64-encode the result. This can be done with a Java callout, or the already base64-encoded string can be stored in the configuration file.
Then we change the authentication of the business service to ‘None’. The service account is not needed anymore.
The last step is to add the basic authentication header to the outbound request. This can be done inside the routing or the service callout.
Now we can configure the credentials we want to pass to the business service in our configuration file.
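The Java callout mentioned in the first step could look like the following. This is an added example, not code from the original post: the class and method names are hypothetical, and it assumes Java 8 or later (for `java.util.Base64`) and UTF-8 as the credential charset. The returned value is what goes into the outbound `Authorization` header.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not from the original post): helper for an OSB Java callout.
 * Class and method names are hypothetical; assumes Java 8+ and UTF-8 credentials.
 */
public final class BasicAuthHeader {

    private BasicAuthHeader() { }

    /**
     * Returns the Authorization header value "Basic base64(username:password)".
     * Java callouts invoke public static methods, so this is one.
     */
    public static String build(String username, String password) {
        if (username == null || username.isEmpty() || password == null) {
            throw new IllegalArgumentException("username and password are required");
        }
        // The first ':' separates user-id and password, so the user-id must not contain one.
        if (username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        // Reject control characters (CR, LF, NUL, ...) in either field.
        rejectControlChars(username);
        rejectControlChars(password);

        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    private static void rejectControlChars(String value) {
        for (int i = 0; i < value.length(); i++) {
            if (Character.isISOControl(value.charAt(i))) {
                throw new IllegalArgumentException("control characters are not allowed");
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials (the example pair from RFC 7617).
        String header = build("Aladdin", "open sesame");
        if (!"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==".equals(header)) {
            throw new AssertionError("unexpected header value: " + header);
        }
        System.out.println("Authorization: " + header);
    }
}
```

Base64 is a reversible encoding, so a configuration file that holds the pre-encoded string needs the same file permissions as one that holds the plain password. Keep the header value out of pipeline logs and reports for the same reason.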