Basic Authentication
Each authenticated request to the REST API must include an Authorization request header. The header's value is the scheme name "Basic", a space, and the base64-encoded representation of the username and password separated by a single colon (:) character.
For prerequisites to use Basic Authentication, see the REST API section in the administration manual.
Example Value: Assuming the username "user" and the password "pass", the string "user:pass" is constructed and then base64-encoded. The value of the Authorization header is then:
Basic dXNlcjpwYXNz
Example Generation and Setting of the Authorization Header (Java):
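import java.nio.charset.StandardCharsets;
import javax.xml.bind.DatatypeConverter;
import org.apache.http.client.methods.HttpGet; // assumes Apache HttpClient 4.x
String sPath = "https://<SERVER_NAME>:<PORT>/<PRODUCT><VERSION>/rest/myEndpoint";
String sUsername = "user";
String sPassword = "pass";
HttpGet aMethod = new HttpGet (sPath);
String sUnencodedToken = sUsername + ":" + sPassword;
// Use a fixed charset (UTF-8 here) rather than the platform default
aMethod.addHeader ("Authorization", "Basic " + DatatypeConverter.printBase64Binary (sUnencodedToken.getBytes (StandardCharsets.UTF_8)));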
As the credentials are only encoded and not encrypted, this method is not any more secure than sending the credentials in clear text. Therefore, it is highly recommended to use basic authentication only in conjunction with HTTPS.
Restrictions
In general, standard users can be used for basic authentication without further preparation. The same user can be used both for REST requests and to log in to the web client. All permissions used in the web client (repository access, system roles, user groups, release workflow rights) are applied in the same way in REST requests.
However, the following restrictions apply:
- Basic authentication does not support login to the web client using an Identity Management System (IDM)
- Users with a colon in the username cannot be used for sending requests
- Technical users cannot be used for sending requests
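Added example (not part of the product's own code): a small helper that builds the header only for HTTPS targets and rejects usernames containing a colon, plus a decoder showing why such usernames are ambiguous. It assumes the receiver splits the decoded pair at the first colon, as RFC 7617 describes; the class name, method names and URL are hypothetical.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeader {

    // Builds the Authorization header value, refusing inputs the page rules out.
    static String build(URI target, String username, String password) {
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            throw new IllegalArgumentException("refusing to send credentials over " + target.getScheme());
        }
        if (username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Decodes a header value the way a receiver is assumed to: split at the FIRST colon.
    static String[] parse(String headerValue) {
        if (!headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    public static void main(String[] args) {
        URI api = URI.create("https://rest.example.invalid/rest/myEndpoint"); // constructed URL
        System.out.println(build(api, "user", "pass"));

        // A colon in the password survives the round trip unchanged.
        String[] ok = parse(build(api, "user", "pa:ss"));
        System.out.println(ok[0] + " / " + ok[1]);

        // Constructed input: username "jo:hn" with password "pass" is decoded
        // as username "jo" and password "hn:pass", so the login cannot match.
        String ambiguous = "Basic " + Base64.getEncoder()
                .encodeToString("jo:hn:pass".getBytes(StandardCharsets.UTF_8));
        String[] split = parse(ambiguous);
        System.out.println(split[0] + " / " + split[1]);
    }
}
```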