Authorization in httpsClient()

Dear members,

What is the right way to set basic Authorization in httpsClient Function Block of ArSsl library?

Thanks

Hi,

I haven’t implemented a basic authorization until now, but I think it could be solved by dealing with the header parameters of AsHttps.
In detail I mean:
there’s the possibility to attach request header and response header structures to the service function blocks. And you have to use and to “manipulate” that header information to realise basic auth.

What is basic auth:

  • When using basic auth, the web client has to send in the header a variable called “Authorization” with a value “Basic XXXXYYYYZZZZ”, where “XXXXYYYYZZZZ” is the Base64 coded combination of “username:password”.
  • this header “line” has to be sent by the client with every request. If the client does not send this information, the server has to refuse the connection by sending the HTTP status 401, with an additional header variable “WWW-Authenticate” with value “Basic Realm=“AABBCCDD””
    • the realm “AABBCCDD” means the authentication scheme … it’s too much to explain it here, more or less it’s a user-defined string and you should use the same realm everywhere on your server where the same credentials should be used.

More theory about basic auth can be found on the internet :wink:
What does that mean for AsHttp(s) webservice? Unfortunately I haven’t a sample for it available, but I try to explain how it should work (as I said, I haven’t tried until now):

  • use the RequestHeader and ResponseHeader data points of the http(s) service function block to connect to the HTTP headers
  • Set in the ResponseHeader the information for basic auth by setting one of the userLine[z].name to ‘WWW-Authenticate’ and .value to ‘Basic Realm=“YourRealm”’
  • If a request arrives: check if the RequestHeader contains a variable “Authorization” (by setting one of the userLine[z].name variable to ‘Authorization’)
    • if no, set in the ResponseHeader the variable .status to ‘401’ (means HTTP Unauthorized) and send a response (of course without the user data you want to send if auth was correct)
    • if yes, base64 decode the value after "Basic " and check, if it contains the username and password wanted
      • if credentials match, in ResponseHeader set .status to ‘200’ (means HTTP OK)
      • if credentials are not right, proceed as described above when ‘Authorization’ is not set (respond with status ‘401’) if you want the client to show the credentials message again, or with some other HTTP status like ‘503’ (Service unavailable) if you don’t want the client to proceed.

Hope that helps,
best regards!

1 Like
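
The server-side check outlined in the answer above, as an added example in plain C (not code from this thread, and it does not call the AsHttp/ArSsl API). The function names and the `expected` "username:password" string are assumptions; the caller is assumed to pass in the value of the received `Authorization` header line and to write the returned status into the response header.

```c
#include <stddef.h>
#include <string.h>

/* Value of one Base64 character, or -1 if it is outside the alphabet. */
static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+' || c == '/') return c == '+' ? 62 : 63;
    return -1;
}

/* Strict Base64 decode into out (NUL-terminated); returns the length or -1. */
static int b64decode(const char *in, char *out, size_t cap) {
    size_t n = strlen(in), o = 0;
    if (n == 0 || n % 4 != 0) return -1;
    for (size_t i = 0; i < n; i += 4) {
        int pad = (in[i + 3] == '=') + (in[i + 2] == '=');
        int a = b64val(in[i]), b = b64val(in[i + 1]);
        int c = in[i + 2] == '=' ? 0 : b64val(in[i + 2]);
        int d = in[i + 3] == '=' ? 0 : b64val(in[i + 3]);
        if (a < 0 || b < 0 || c < 0 || d < 0) return -1;
        if (pad && (i + 4 != n || (in[i + 2] == '=' && in[i + 3] != '='))) return -1;
        if (o + 3 - pad >= cap) return -1;            /* keep room for the NUL */
        out[o++] = (char)((a << 2) | (b >> 4));
        if (pad < 2) out[o++] = (char)(((b & 15) << 4) | (c >> 2));
        if (pad < 1) out[o++] = (char)(((c & 3) << 6) | d);
    }
    out[o] = '\0';
    return (int)o;
}

/* Compare every byte instead of stopping at the first mismatch (no timing hint). */
static int ct_equal(const char *a, size_t alen, const char *b, size_t blen) {
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < alen; i++)
        diff |= (unsigned char)(a[i] ^ b[blen ? i % blen : 0]);
    return diff == 0;
}

/* Sample from RFC 7617: "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" is "Aladdin:open sesame". */
/* Returns the HTTP status to send: 200 if the header matches, otherwise 401. */
int basic_auth_status(const char *authorization, const char *expected) {
    char decoded[128];
    if (authorization == NULL || strncmp(authorization, "Basic ", 6) != 0) return 401;
    int len = b64decode(authorization + 6, decoded, sizeof decoded);
    if (len < 0) return 401;
    return ct_equal(decoded, (size_t)len, expected, strlen(expected)) ? 200 : 401;
}
```

Base64 is an encoding, not encryption, so the header value exposes the credentials to anyone who can read the request; it belongs on a TLS connection only.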

Well I tried, as you suggested and I was able to post the request.
It works, thanks :raised_hands:

2 Likes