Authentication with UHTTP

The UHTTP component is used to send requests to a web server, often via a proxy server. One or both servers may require user credentials to authenticate the request.

No authentication is performed when the SEND operation has no Username parameter and there is no default authentication scheme specified in the assignment file.

Authentication is triggered for one or both servers when the UHTTP SEND operation includes a user name and password for the applicable server. If no authentication scheme is specified, Basic authentication is used.

Default Authentication

You can set the default authentication scheme for both the web server and the proxy server in the application's assignment file by setting the values of UHTTP_DEF_AUTH and $UHTTP_DEF_PROXY_AUTH, respectively. One or more of the following values can be specified:

  • B—Basic authentication, which sends the credentials in clear text format

  • L—NTLM authentication, which uses the Microsoft NT LAN Manager authentication protocol

  • N—Negotiate, which chooses between NTLM and Kerberos protocols.

For example:

[LOGICALS]
UHTTP_DEF_AUTH = BL

[PROXY_SETTINGS]
$UHTTP_DEF_PROXY_AUTH = B

In this case, either NTLM or Basic authentication is used for the web server, depending on which the server supports; when it supports both, the strongest scheme is chosen. Basic authentication is used for the proxy server.

Note:  When values are combined like this, an extra round trip to the applicable server is required to determine which schemes the server supports.

If a default is specified, it is used for every SEND where no other scheme is specified in the Username parameter.

On Windows only, when the default authentication is specified in the assignment file, and no Username parameter is supplied, the credentials of the current user are used for authentication. (This functionality is not available under Unix.)

Authentication per SEND Request

Per SEND operation, it is also possible to specify an authentication scheme for the web server and the proxy server. In this case, the scheme(s) provided in the SEND operation's Username parameter override the default schemes, if specified.

For example, assume the following situations:

  • The Username parameter specifies an authentication method for the web server (vUri):

    vUsername="wsuser(scheme=BL)"
    vStatus = vUHTTP->SEND(vUri, "POST", vUsername, "", vHeaders, vContent, vResponse)

    The user name wsuser will be used for web server authentication, using either NTLM or Basic, depending on which is supported by the server. If there is a default scheme defined for the proxy server, that will be used for proxy server authentication.

  • The Username parameter specifies a user and an authentication method for both the proxy server and the web server:

    vUsername = ""
    putitem vUsername, -1, "proxyuser(scheme=B)"
    putitem vUsername, -1, "wsuser(scheme=L)"

    The user name proxyuser will be used in Basic proxy server authentication and the user name wsuser in NTLM web server authentication. The default schemes specified in the assignment file are ignored.

  • The Username parameter specifies a user and an authentication method for the proxy server and only an authentication method, with no user name, for the web server:

    vUsername = ""
    putitem vUsername, -1, "proxyuser(scheme=B)"
    putitem vUsername, -1, "(scheme=N)"

    The user name proxyuser will be used in Basic proxy server authentication, and the currently logged-on user's credentials will be negotiated with the web server for NTLM or Kerberos authentication. The default schemes specified in the assignment file are ignored.
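The precedence rules above (per-SEND scheme over assignment-file default, Basic when only a user name is given, strongest supported scheme wins) can be modelled to review which configurations can end up sending credentials with Basic. This Python sketch is an added example, not Uniface code: the function names are hypothetical, the strength order N > L > B is an assumption, and the server's offered schemes are passed in as constructed challenge-header values.

```python
import re

# Assumption: strength order, weakest to strongest. The page only states that
# "the strongest scheme is chosen"; N > L > B is the conventional ranking.
STRENGTH = {"B": 0, "L": 1, "N": 2}
HEADER_NAME = {"B": "basic", "L": "ntlm", "N": "negotiate"}
ITEM = re.compile(r"^(?P<user>[^()]*)(?:\(scheme=(?P<schemes>[BLN]+)\))?$")

def parse_item(item):
    """Split 'wsuser(scheme=BL)' into ('wsuser', 'BL'); either part may be empty."""
    m = ITEM.match(item.strip())
    if not m:
        raise ValueError(f"unrecognised Username item: {item!r}")
    return m.group("user"), m.group("schemes") or ""

def candidate_schemes(item, default=""):
    """Schemes the client may use, following the precedence rules on this page."""
    user, schemes = parse_item(item)
    if schemes:                  # per-SEND scheme overrides the default
        return schemes
    if default:                  # default applies when the SEND names no scheme
        return default
    return "B" if user else ""   # user name only: Basic; nothing at all: no auth

def select_scheme(item, default, offered):
    """Pick the strongest candidate scheme that the server offers.

    offered: values of the server's WWW-Authenticate or Proxy-Authenticate
    challenge headers, e.g. ["NTLM", 'Basic realm="x"'].
    Returns the one-letter scheme code, or None if nothing matches.
    """
    tokens = {h.split()[0].lower() for h in offered if h.strip()}
    usable = [s for s in candidate_schemes(item, default) if HEADER_NAME[s] in tokens]
    return max(usable, key=STRENGTH.get) if usable else None

def sends_cleartext(item, default, offered):
    """True when the outcome is Basic, i.e. the credentials go in clear text."""
    return select_scheme(item, default, offered) == "B"
```

With a combined value such as BL, the outcome depends on what the server offers, so a server that only offers Basic results in clear-text credentials even though NTLM was allowed.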
