
5.2 Authentication

SData relies on the standard HTTP authentication protocol for authentication.

This protocol is described in RFC 2617. Two modes are available:

  • Basic: The password is passed in base 64 encoding, which is no safer than clear text. This option should only be used in conjunction with HTTPS.
  • Digest: The password is passed as a hash. Use this option when the communication is not encrypted.

The basic mode is actually quite simple: the user name and password are combined as user:password. This string is then encoded in base 64 and passed to the provider through the HTTP authorization header, as the following example demonstrates:

GET /sdata/myApp/myContract/-/customers HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The server decodes the Authorization header, extracts the user name and password and sets the authorization accordingly. If the user name or password is invalid, the server responds with a 401 Unauthorized response.

The digest mode is more complex. A good description can be found in the Wikipedia article.

HTTP authentication is built into the standard HTTP infrastructure. Unless they implement the HTTP layer themselves, teams that implement SData providers or consumers don’t need to worry about the low level protocol details. They just need to know the API to pass the credentials if they implement the consumer side, and the API to verify them if they implement the provider side.

For example, a JavaScript consumer based on the XMLHttpRequest component can pass the credentials with a call like:

xmlhttp.open("GET", "http://www.example.com/sdata/myApp/myContract/-/customers", false, "admin", "sesame");

The consumer side doesn't need to worry about whether the provider requires basic or digest authentication. The HTTP protocol includes a challenge/response exchange through which the consumer component learns which authentication mode the provider requires and selects it. Components such as XMLHttpRequest do this automatically.

SData providers SHOULD use HTTP authentication, digest or basic, unless they use a more secure protocol like Sage SSO. HTTP basic SHOULD NOT be used over the internet, unless the communication is secured by HTTPS.
