Authentication

Web service clients can authenticate themselves either by using the authentication mechanisms provided by the HTTP protocol, such as HTTP Basic authentication, or by adding a security token to the WS Security header. Depending on the authentication mechanism, different authentication options are available.

Authentication mechanisms and their effect:

None

The Web service client is not authenticated.

Transport Authentication

The Web service client is authenticated using data supplied in the HTTP header or by the SSL protocol.

· Basic Authentication (Username/Password)

Authenticates the caller based on a username and password in the HTTP header. This option is supported for HTTP and HTTPS.

· Strong Authentication (X.509 Client Certificate)

Authenticates the caller using SSL mutual authentication. The caller must provide an SSL client certificate (see: Using Client Certificates for User Authentication).

For further information refer to Configuring Transport Authentication.

Document Authentication

The Web service client is authenticated using the security token included in the WS Security header.

· Basic Authentication (Username/Password)

Authenticates the caller based on a username and password in the WS Security SOAP header. 

· Strong Authentication (X.509 Client Certificate)

Authenticates the caller based on a digital signature over the SOAP:Body and a timestamp element.

Document authentication supports the transport protocols HTTP and HTTPS. The authentication of standalone proxies is not supported.

For further information refer to Configuring Document Authentication.
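The following Python sketch is an added example, not SAP code and not part of the original page. It shows where each mechanism described above places its credential and names the mechanism a request carries. The sample messages, the function names and the label strings are constructed for illustration. The X.509 branch only checks that the signature references the SOAP Body and the Timestamp; it does not validate the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())

def envelope(security, body_attr=""):
    """Constructed sample SOAP 1.1 message; not taken from a real system."""
    return ("<soap:Envelope %s><soap:Header><wsse:Security>%s</wsse:Security>"
            "</soap:Header><soap:Body%s/></soap:Envelope>" % (XMLNS, security, body_attr))

USERNAME_MSG = envelope("<wsse:UsernameToken><wsse:Username>demo</wsse:Username>"
                        "<wsse:Password>demo-pw</wsse:Password></wsse:UsernameToken>")
SIGNED_MSG = envelope('<wsu:Timestamp wsu:Id="ts"/><ds:Signature><ds:SignedInfo>'
                      '<ds:Reference URI="#body"/><ds:Reference URI="#ts"/>'
                      "</ds:SignedInfo></ds:Signature>", ' wsu:Id="body"')
BODY_ONLY_MSG = SIGNED_MSG.replace('<ds:Reference URI="#ts"/>', "")

def classify(headers, envelope_xml, client_cert=False):
    """Name the mechanism(s) from the table above that a request carries."""
    found = []
    if client_cert:  # certificate presented during SSL mutual authentication
        found.append("transport/x509")
    if headers.get("Authorization", "").lower().startswith("basic "):
        found.append("transport/basic")
    # Inputs here are constructed; parse untrusted XML with a hardened parser.
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is not None and sec.find("wsse:UsernameToken", NS) is not None:
        found.append("document/basic")
    sig = sec.find("ds:Signature", NS) if sec is not None else None
    if sig is not None:
        # The signature is over the SOAP Body and a timestamp element, so both
        # must be referenced by wsu:Id. Coverage check only, no crypto validation.
        signed = {r.get("URI", "").lstrip("#") for r in sig.iterfind(".//ds:Reference", NS)}
        parts = [root.find("soap:Body", NS), sec.find("wsu:Timestamp", NS)]
        ids = {p.get(WSU_ID) if p is not None else None for p in parts}
        ok = None not in ids and ids <= signed
        found.append("document/x509" if ok else "document/x509-incomplete")
    return found or ["none"]
```

A message whose signature references the Body but not the Timestamp is reported as `document/x509-incomplete`, which is the case a receiver should reject before accepting the signed content as authenticated.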

Further Information

You can refer to the following web services security tutorials available on the SAP Developer Network Web site:

Authentication of a WS Client Using a SAP Logon Ticket

Authentication of a Web Service Client via Certificate

Authentication of a Web Service Client with User-Password Request

Creating a User Authentication Using Logon Tickets

Creating a User Authentication for a Java Web Service Using a Certificate