1.3 Authentication

Before determining how to connect your client application to the server, it is important to decide on the authentication method that you want to use. Vibe and its Web services support two types of authentication:

1.3.1 HTTP Basic Authentication Access (ssr)

For basic authentication, use calls from your client application to pass a username and password as you establish an HTTP session. Then, perform SOAP calls or calls using the client-side routines. If you want to use basic authentication, you must use the /ssr/secure/ws endpoint when connecting to the server.

HTTP Basic Authentication is the existing transport-level mechanism for authenticating the Web services client. It uses a username and password to authenticate a service client to a secure endpoint. To use this authentication mechanism, use the /ssr/secure/ws endpoint. To enable this service on the Vibe side, select the Enable Basic Authentication (recommended) check box during product installation.

See Section 1.4, Server Endpoints, for more information about connecting to the server.

1.3.2 Web Services Security Access (ssf)

For WSS authentication, you need to place the authentication information (username and password) in the SOAP calls. If you want to use this method of authentication, use the /ssf/ws endpoint to connect to the server.

Web Services Security (WSS) is a standard protocol from OASIS that provides a means for applying security to Web services. Unlike security mechanisms that rely on the use of transport layer services, WSS provides authentication at the message layer by using a SOAP header. To use this authentication mechanism, use the /ssf/ws endpoint. The deprecated Web services operation is accessed only through this mechanism. This service is enabled on the Vibe side by selecting the Enable WSS Authentication (recommended) check box during product installation.

If you choose to use WSS authentication instead of HTTP basic authentication:

  • Use the teamingservices-client-with-call.bat client and its sources to see an example of this type of authentication.

  • You must use the /ssf/ws endpoint (see Section 1.4, Server Endpoints, for more information).

  • You must use password-text methods.

    Password-digest is still supported in Teaming 2.0 and earlier, but support is dropped with Teaming 2.1. We strongly recommend that you use only the password-text method.

On the client side of the Web services transaction, the client code uses password-text to provide a username and password to the Web services framework, and the framework passes the password as plain text.

On the server side, the security framework allows Vibe to retrieve the clear-text password from the operation by using an application programming interface (API) call. When the password is retrieved, Vibe applies its internal password encryptor and compares the result with the password stored in the database for the user.

Although it is easy to code, this method is not secure, because the password is transmitted in plain text. Systems requiring a higher level of security should connect to Vibe over SSL.

To use this service with the teamingservice-client-with-call.bat, edit the script and set the value of the -Dauthmethod switch to wss_text.

See Section 1.4, Server Endpoints, for more information about connecting to the server.
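
The following Python sketch is an added example, not code shipped with Vibe. It builds the credential for each method (the Basic Authorization header and a WSS UsernameToken with a PasswordText password), shows that the password can be read back from either one by any hop that sees the request unencrypted, and refuses URLs that are not HTTPS or that pair a method with the wrong endpoint. The SOAP 1.1 envelope namespace, the function names, and the host and service name used with it are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # assumption: SOAP 1.1
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PW_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0#PasswordText")
# Endpoint prefix per authentication method, as given in this section.
ENDPOINTS = {"basic": "/ssr/secure/ws", "wss_text": "/ssf/ws"}

def check_endpoint(url, method):
    """Reject URLs that are not HTTPS or do not match the method's endpoint."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("credentials would cross the network unencrypted")
    if not (parts.path + "/").startswith(ENDPOINTS[method] + "/"):
        raise ValueError(f"{method} must use {ENDPOINTS[method]}")
    return url

def basic_header(user, password):
    """Transport-layer credential: the HTTP Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def wss_text_envelope(user, password):
    """Message-layer credential: UsernameToken carrying a PasswordText password."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PW_TEXT).text = password
    ET.SubElement(env, f"{{{SOAP}}}Body")  # the operation element goes here
    return ET.tostring(env, encoding="unicode")

def visible_password(basic=None, envelope=None):
    """What any hop that sees the cleartext request can read back."""
    if basic is not None:
        decoded = base64.b64decode(basic.split(" ", 1)[1]).decode()
        return decoded.split(":", 1)[1]
    return ET.fromstring(envelope).find(f".//{{{WSSE}}}Password").text
```

Base64 in the Basic header is an encoding, not encryption, so both methods depend on the SSL connection for confidentiality of the password.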