Oracle® Fusion Middleware
Part 11. Authentication

In cases where user credentials are passed to the API Gateway in a non-standard way, these credentials can be copied into API Gateway message attributes, and then authenticated against a specified authentication repository, such as the API Gateway User Store, an LDAP directory, or a database. For example, assume that username and password credentials are passed to the API Gateway in the following XML message:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <ns:User xmlns:ns="http://www.user.com">
      <ns:Username>1</ns:Username>
      <ns:Password>2</ns:Password>
    </ns:User>
  </s:Body>
</s:Envelope>

In this example, the standard methods of passing credentials, such as HTTP Basic/Digest authentication, SAML assertions, WS-Security Username tokens, are bypassed, and the client sends the username and password as parameters in a simple SOAP message. When the API Gateway receives this message, it can extract the value of the <Username> and <Password> elements using an XPath expression configured in the Retrieve Attributes from Message filter. This filter uses an XPath expression to retrieve the value of an element or attribute, and can then store this value in the specified message attribute.

You can configure an instance of this filter to retrieve the value of the <Username> attribute, and store it in the authentication.subject.id message attribute. Similarly, you can configure another filter to retrieve the value of the <Password>, and store it in the authentication.subject.password message attribute.

The Attribute Authentication filter can then use the username and password values stored in these message attributes to authenticate the user against the specified authentication repository.

Complete the following fields to configure this filter:

Name:

Enter an appropriate name for this filter.

Username:

Specify the API Gateway message attribute that contains the username of the user to be authenticated. The default attribute is the authentication.subject.id attribute, which is typically used to store a username.

Password:

Enter the API Gateway message attribute that contains the password of the user to authenticate. The default message attribute is authentication.subject.password, which typically stores a password.

Credential Format:

Select the format of the credential stored in the API Gateway message attribute specified in the Username field above. By default, User Name is selected.

Repository Name:

Select an existing repository to authenticate the user against from the drop-down list. Alternatively, you can configure a new authentication repository by clicking the Add button. For more details on configuring the various types of repository supported by the API Gateway, see the Authentication Repository tutorial.