What is the recommended action (<action>) to use in the Authentication REST Interface for REST-based authentication?

Document ID : KB000016571
Last Modified Date : 14/02/2018
Question:

We're running CA Access Gateway (SPS), and we'd like to know what type of action (GET or POST) is recommended to use the REST-based authentication. We're afraid that if a POST action is used, the credentials could show up in the CA Access Gateway (SPS) logs and traces.

 

Answer:

As per our documentation, the REST interface doesn't put the data in the URL but sets it as headers:

 

A URI in this format:

http://hostname:port/authazws/AuthRestService/login/appID/Resource, 

posts the following request: 

 

  <loginRequest>
    <binaryCreds></binaryCreds>
    <password>user1</password>
    <userName>user1</userName>
    <action>GET</action>
  </loginRequest>

 

Authentication REST Interface 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/ca-siteminder-sps-configuration/configuring-the-authentication-and-authorization-web-services 

 

So, the credentials won't show up in any log or traces.  

 

Moreover, the GET action is used for the Authentication request, and the POST action is used for the Authorization request.

See the samples on the same documentation page:

 

Authentication REST Interface 

A URI in this format, http://hostname:port/authazws/AuthRestService/login/appID/Resource, posts the following request: 

 

  <loginRequest>
    <binaryCreds></binaryCreds>
    <password>user1</password>
    <userName>user1</userName>
    <action>GET</action>
  </loginRequest>

 

  [...] 

 

Authorization REST Interface 

The REST interface for authorization is http://hostname:port/authazws/AuthRestService/authz/appID/Resource: 

 

  <authorizationRequest>
    <action>POST</action>
    <resource>RealmA/index.html</resource>
    <sessionToken>affl;;alkf;l;fd</sessionToken>
  </authorizationRequest>

 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/ca-siteminder-sps-configuration/configuring-the-authentication-and-authorization-web-services
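
The login call described above can be built and inspected before it is sent, to confirm that the credentials sit in the posted XML document and not in the request line that an access log records. This is an added example, not code from CA or its documentation; the host name, the Content-Type header, the sample password and the helper names are assumptions made for illustration.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit


def build_login_request(base_url, app_id, resource, user, password):
    """Build (but do not send) the login call in the format shown above."""
    root = ET.Element("loginRequest")
    ET.SubElement(root, "binaryCreds")
    ET.SubElement(root, "password").text = password
    ET.SubElement(root, "userName").text = user
    ET.SubElement(root, "action").text = "GET"
    # ElementTree escapes &, < and > in the values, so a password containing
    # markup characters cannot break or alter the request document.
    body = ET.tostring(root, encoding="utf-8")
    url = "{}/authazws/AuthRestService/login/{}/{}".format(
        base_url.rstrip("/"), quote(app_id, safe=""), quote(resource))
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/xml"})  # assumed content type


def request_line(req):
    """The HTTP request line, which is what an access log typically records."""
    parts = urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return "{} {} HTTP/1.1".format(req.get_method(), target)


def credentials_in_url(req, user, password):
    """True if either credential (raw or percent-encoded) is in the URL."""
    return any(v and (v in req.full_url or quote(v, safe="") in req.full_url)
               for v in (user, password))


if __name__ == "__main__":
    # Constructed sample values; sps.example.com is a placeholder host.
    req = build_login_request("https://sps.example.com", "appID",
                              "RealmA/index.html", "user1", "p&ss<word>")
    print(request_line(req))
    print(req.data.decode("utf-8"))
    print("credentials in URL:", credentials_in_url(req, "user1", "p&ss<word>"))
```

The body is still readable on the wire unless the call is made over HTTPS, and any trace facility that records request bodies would capture it regardless of the URL.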