Require HTTP Basic Credentials Assertion in Policy Logic

Document ID : KB000010067
Last Modified Date : 14/02/2018
Introduction:

When I use the "Require HTTP Basic Credentials" assertion inside policy logic such as "At Least One Assertion Must Evaluate to True", the policy does not work as I expect. The "Require HTTP Basic Credentials" assertion falsifies unless the Authorization Header is sent with the initial request. 

Background:

"Require HTTP Basic Credentials" always falsifies when it is used inside conditional logic and the request does not carry an "Authorization" header. Placing it inside an "All Assertions Must Evaluate to True" folder and trying to handle the failed condition in the surrounding logic always produces the fallback response rather than the expected 401 challenge.

 

For Example:

The following policy will always fall through to line 8 unless the request is sent by a client that already includes an Authorization header (username/password):

[Screenshot: policy.PNG, the example policy]

 

Environment:
API Policy Manager, CA API Gateway
Instructions:

The "Require HTTP Basic Credentials" assertion is working as designed. When it is processed, it looks for the "Authorization" header in the request. If that header is absent, the assertion falsifies and sets a 401 Unauthorized response for the client, carrying a "WWW-Authenticate: Basic" challenge header. A browser that receives this response prompts the user for credentials and, once they are entered, sends a second request that now contains the "Authorization" header.

In the policy above, the Authorization header is absent, so the Require HTTP Basic Credentials assertion falsifies and its branch fails. Because that branch sits inside an "At Least One Assertion Must Evaluate to True" folder, the gateway moves on to the second "Return Template Response", which succeeds, and the 401 Unauthorized is never returned to the client. Without the 401 and its challenge header the browser has no reason to prompt, so every request from that client keeps taking the fallback path. If the fallback branch is meant to handle the unauthenticated case, it has to return the 401 challenge itself; otherwise the credential requirement must be allowed to falsify the whole policy.

NOTE: The "Require HTTP Basic Credentials" assertion is not responsible for prompting the user for credentials. The application (i.e. the browser) sees the 401 Unauthorized response and decides to prompt the user and retry. A non-browser client such as curl or a script simply receives the 401 unless it was configured to send credentials up front.
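The following Python model is an added illustration for this article, not gateway code: it mimics how the composite assertions short-circuit so you can see why the fallback template swallows the challenge, and what changes when the credential requirement sits outside the conditional. The assertion names are the ones used above; the Request/Response classes, the evaluation helpers, the assumption that a template response replaces earlier headers, and the realm string "gateway" are inventions of the example.

```python
import base64

# Added example: a constructed model of how the gateway's composite assertions
# short-circuit. Not gateway code. The assertion names come from the article;
# the Request/Response classes, the evaluation helpers and the realm string
# "gateway" are assumptions made for this illustration.


class Request:
    def __init__(self, headers=None):
        # HTTP header names are case-insensitive, so normalise to lowercase.
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.user = None  # filled in once credentials have been gathered


class Response:
    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""


def _challenge(resp):
    # A bare 401 does not make a browser prompt; the challenge header does.
    resp.status = 401
    resp.headers["WWW-Authenticate"] = 'Basic realm="gateway"'
    return False


def require_http_basic_credentials(req, resp):
    """Model of 'Require HTTP Basic Credentials': falsifies and sets the 401
    challenge unless a well-formed 'Authorization: Basic ...' header exists."""
    scheme, _, token = req.headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return _challenge(resp)
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad encoding
        return _challenge(resp)
    user, sep, _password = decoded.partition(":")
    if not sep:  # RFC 7617 requires user-id ':' password
        return _challenge(resp)
    req.user = user
    return True


def return_template_response(status, body):
    """Model of 'Return Template Response': always succeeds and replaces
    whatever response an earlier assertion left behind (assumption)."""
    def assertion(req, resp):
        resp.status = status
        resp.headers = {"Content-Type": "text/plain"}
        resp.body = body
        return True
    return assertion


def all_assertions(*children):
    """'All Assertions Must Evaluate to True': stops at the first failure."""
    def assertion(req, resp):
        return all(child(req, resp) for child in children)
    return assertion


def at_least_one(*children):
    """'At Least One Assertion Must Evaluate to True': stops at the first
    success, so a later success hides whatever a failed branch set."""
    def assertion(req, resp):
        return any(child(req, resp) for child in children)
    return assertion


def evaluate(policy, req):
    resp = Response()
    policy(req, resp)
    return resp


# The article's policy: the credential check is inside "At Least One", so when
# it falsifies, the fallback template succeeds and overwrites the 401.
BROKEN_POLICY = at_least_one(
    all_assertions(require_http_basic_credentials, return_template_response(200, "hello")),
    return_template_response(200, "fallback: no credentials"),
)

# Credential requirement outside the conditional: a missing header falsifies
# the whole policy and the 401 challenge reaches the client.
FIXED_POLICY = all_assertions(
    require_http_basic_credentials,
    return_template_response(200, "hello"),
)


def basic_auth_header(user, password):
    """Build the header value a browser sends on its second request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    r = evaluate(BROKEN_POLICY, Request())
    print("broken policy, no header: ", r.status, r.headers, r.body)
    r = evaluate(FIXED_POLICY, Request())
    print("fixed policy, no header:  ", r.status, r.headers)
    r = evaluate(FIXED_POLICY, Request({"Authorization": basic_auth_header("alice", "s3cret")}))
    print("fixed policy, with header:", r.status, r.body)
```

Running the script shows the broken policy answering 200 with the fallback body and no WWW-Authenticate header, while the fixed policy answers 401 with the challenge on the first request and 200 once the client retries with the Authorization header.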

Additional Information:

If you still have questions on this article, please open a Case with CA Support.