The REST service described under
REST Service Mediation
must be secured so that only properly authenticated users can reach it. Unauthenticated requests to
the API should be rejected with an HTTP 401 response carrying an appropriate error message.
The proposed authentication solution is based on JWT (JSON Web Tokens). In addition to the endpoint that
handles API requests, a dedicated endpoint is introduced for authenticating users and issuing JWTs.
HTTP Basic authentication is used for this initial authentication: the client sends a Basic
Authorization header containing the base64-encoded, colon-separated username:password pair as part of
the token request. UltraESB reads credentials from a CSV-formatted user credentials file, decodes the
pair received in the Authorization header and validates the password against the one stored for that
username. If the header cannot be parsed, or it does not correspond to a valid username-password pair,
UltraESB blocks the request and returns an HTTP 401 response along with an appropriate error message.
Otherwise, a signed JWT enclosing the username is generated and returned to the client. Note that Basic
credentials are only base64-encoded, not encrypted, so the token endpoint should only be exposed over TLS.
When calling the actual API endpoint, the client sends the issued JWT in a Bearer Authorization header.
UltraESB verifies the token's signature, decodes it, checks the enclosed username against the user base
and decides whether the API call may proceed to the backend. If the token cannot be verified (because it
was tampered with, was signed with a different secret key, is malformed, etc.) or the enclosed user does
not exist in the user base, API access is denied with an HTTP 401 response. Otherwise the request
proceeds as in the original REST service mediation flow.
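The two endpoints described above, as an added stand-alone example written for this page and not UltraESB's own implementation: the token endpoint validates a Basic Authorization header against a CSV user base and issues a signed JWT, and the API endpoint verifies a Bearer token and checks its subject against the same user base before letting the call through. The CSV contents, the HS256 algorithm, the signing secret, the token lifetime and all helper names are assumptions; the page does not describe UltraESB's signing details. The expiry check goes beyond the page's description and is included as the check a practitioner would want.

```python
import base64
import csv
import hashlib
import hmac
import io
import json
import time

# Constructed user base in the CSV shape the page describes (username,password per line).
# Assumption: plain-text passwords, as the page implies; store hashes in a real deployment.
USERS_CSV = "alice,s3cret\nbob,hunter2\n"
SIGNING_SECRET = b"replace-with-a-long-random-secret"  # assumed HS256 key shared by both endpoints
TOKEN_TTL = 300  # seconds; expiry is an added practitioner check, not described on the page


def load_users(text):
    """Parse the CSV credentials file into {username: password}."""
    return {row[0]: row[1] for row in csv.reader(io.StringIO(text)) if len(row) == 2}


USERS = load_users(USERS_CSV)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_auth_header(username, password):
    """Client side: build the Basic Authorization header value for the token request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def issue_jwt(username, now=None):
    """Create a compact HS256 JWT enclosing the username as its subject."""
    now = int(time.time() if now is None else now)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token, now=None):
    """Return the enclosed username if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Check the signature first so header and claims are never trusted unverified
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        hdr = json.loads(b64url_decode(header))
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256" or not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < (time.time() if now is None else now):
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


def token_endpoint(headers, now=None):
    """Authentication endpoint: Basic credentials in, JWT out. Returns (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "Basic authentication required"}
    try:
        username, password = base64.b64decode(auth[6:], validate=True).decode().split(":", 1)
    except ValueError:  # invalid base64, non-UTF-8 bytes, or no colon separator
        return 401, {"error": "Malformed Authorization header"}
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401, {"error": "Invalid username or password"}
    return 200, {"token": issue_jwt(username, now)}


def api_endpoint(headers, now=None):
    """API endpoint: verify the Bearer JWT before the call is allowed to reach the backend."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "Bearer token required"}
    user = verify_jwt(auth[7:], now)
    if user is None or user not in USERS:
        return 401, {"error": "Invalid or expired token"}
    return 200, {"message": f"Request from {user} forwarded to backend"}


if __name__ == "__main__":
    status, body = token_endpoint({"Authorization": basic_auth_header("alice", "s3cret")})
    print(status, body)
    print(api_endpoint({"Authorization": "Bearer " + body["token"]}))
    print(api_endpoint({"Authorization": "Bearer " + body["token"][:-3] + "xyz"}))
```

The signature is verified before any claim is read, so a tampered payload or a token minted with a different secret is rejected without its contents ever being trusted, and both the password comparison and the signature comparison use a constant-time compare.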