Content Gateway supports optional token-based authentication in addition to HTTP Basic authentication. Token-based authentication works by performing a one-time HTTP Basic authentication request, either within the Management API or to a special URI path in the Storage API, to receive a token. This token is then presented on subsequent requests as proof of the user's credentials.
...
It is recommended that the token administrator be a fully qualified user name, to avoid ambiguity in a situation where a storage domain may inherit the IDSYS from the tenant or root scope. See "Qualification of User/Group Names" in the IDSYS Document Format.
Gateway stores all tokens within the administrative domain as automatically expiring objects using the object lifepoint feature. The expiration time of an authentication token can be specified when the token is created. If the time is not specified, a default expiration time is assigned based on the tokenTTLHours parameter in the [gateway] section of the gateway.cfg file. If an expired token is presented to Gateway, the request proceeds as an anonymous user, subject to all normal access control policies, and the Set-Cookie header of the response instructs the HTTP client to delete the expired token cookie.
...
Use HTTP Basic authentication to authenticate the request. Requests to the tokenPath URI are processed independently of the storage protocol handling, so these instructions work with both the SCSP and S3 front-end protocols and with the Management API.
...
Note
HTTP Basic authentication is demonstrated using "Auth: {user}:{password}" for clarity. Use the Authorization HTTP request header according to the definition in RFC 2617.
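
The following Python sketch is an added example, not code from the Gateway documentation. It builds the real Authorization header value that the "Auth: {user}:{password}" shorthand stands for, and it detects the cookie-deleting Set-Cookie header described above for expired tokens, so a client re-authenticates instead of silently continuing as an anonymous user. The cookie name "token" and the helper names are assumptions; the page does not state them.

```python
import base64
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumption: the page does not name the token cookie; "token" is a placeholder.
TOKEN_COOKIE = "token"


def basic_authorization(user: str, password: str) -> str:
    """Value of the Authorization header for the one-time token request."""
    if ":" in user:
        # Basic joins user and password with ':', so the user name cannot contain one.
        raise ValueError("user name must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_cookie_deleted(set_cookie_values, now=None, name=TOKEN_COOKIE) -> bool:
    """True if any Set-Cookie value tells the client to drop the token cookie."""
    now = now or datetime.now(timezone.utc)
    for header in set_cookie_values:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get(name)
        if morsel is None:
            continue
        if morsel.value == "":            # emptied value
            return True
        max_age = morsel["max-age"]
        if max_age.lstrip("-").isdigit() and int(max_age) <= 0:
            return True                   # Max-Age of zero or less
        if morsel["expires"]:
            when = parsedate_to_datetime(morsel["expires"])
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:               # Expires in the past
                return True
    return False


def next_step(sent_token: bool, set_cookie_values) -> str:
    """Decide how to treat a response to a request that carried a token."""
    if sent_token and token_cookie_deleted(set_cookie_values):
        # The request was evaluated as anonymous; get a fresh token and retry.
        return "reauthenticate"
    return "accept"
```

Call next_step on every response to a token-bearing request: a successful status alone does not show the request ran as the intended user, because an expired token falls back to anonymous access.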