Authentication
HCL VersionVault OSLC-CM REST APIs support both Basic Access Authentication and OAuth for authenticating users.
Customers must be prepared to answer authentication challenges when attempting to access any resource. The only resource that is not protected is the list of schema repositories when running a GET request on the Base URI. Authentication challenges are accompanied by a 401 HTTP status code.
For most purposes, basic access authentication is fine. It's simpler to use and requires no setup. This method of authentication is not secure unless you use SSL.
Basic Access Authentication
When using basic access authentication, you specify your user name and password as a Base64 encoded string in the Authorization HTTP request header. This authentication method is not secure unless you use SSL.
Almost all browsers support basic access authentication. If you follow an HCL Compass OSLC URI in a browser, you are prompted by the browser for your ID and password unless you already have an active session.
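// Apache Commons HttpClient 3.x (package org.apache.commons.httpclient)
HttpClient http = new HttpClient();
Credentials credential = new UsernamePasswordCredentials("user", "password");
// Preemptive mode sends the Authorization header on the first request instead of waiting for the 401 challenge.
http.getParams().setAuthenticationPreemptive(true);
// AuthScope.ANY offers these credentials to every host; an AuthScope limited to your server's host and port is safer.
http.getState().setCredentials(AuthScope.ANY, credential);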
To learn how to do the same with other HTTP client libraries, consult the documentation of the library that you use.
OAuth Authentication
Registering OAuth Consumers
If you want to authenticate by using OAuth, you need to register your application as an OAuth consumer.
First log in to HCL Compass web as an administrator, then select "OAuth Consumer Management" from the "Site Administration" menu. When the dialog appears, you can enter your OAuth consumer details.
Property | Description |
---|---|
Consumer Name | A name for your application that is displayed to users. |
Consumer Key | The consumer key can be any value, but it must be unique. |
Consumer Secret | The consumer secret is the shared secret between your application and HCL Compass. Compass uses this secret to validate that requests are really from your application. You can pick any secret. |
Trusted | If checked, HCL Compass might share authorization with other trusted consumers. |
Obtaining OAuth Tokens
- Request an OAuth request token from the oslc:oauthRequestTokenURI.
- Redirect the user to authorize access by using the oslc:authorizationURI.
- Exchange the OAuth request token for an access token by using the oslc:oauthAccessTokenURI.
These OAuth URIs are properties of the oslc:OAuthConfiguration resource that is defined in the service provider catalog for each database set.
The OAuth access token allows you to make requests on behalf of a user. The access token is good until the HCL Compass server restarts.
Signing Requests
You will need an OAuth library to help you sign requests using the access token. As an OAuth provider, HCL VersionVault supports the HMAC-SHA1 signature method and accepts Authorization OAuth parameters in the header, as part of the query string, and in the request body. See OAuth 1.0a: Parameter Transmission.