Customers must be prepared to answer authentication challenges when attempting to access any resource. The only resource that is not protected is the list of schema repositories when running a GET request on the Base URI. Authentication challenges are accompanied by a 401 HTTP status code.
For most purposes, basic access authentication is fine. It's simpler to use and requires no setup. This method of authentication is not secure unless you use SSL.
When using basic access authentication, you specify your user name and password as a Base64 encoded string in the Authorization HTTP request header. Base64 is a reversible encoding, not encryption, which is why this authentication method is not secure unless you use SSL.
Almost all browsers support basic access authentication. If you follow a ClearQuest OSLC URI in a browser, you are prompted by the browser for your ID and password unless you already have an active session.
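```java
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.auth.AuthScope;
HttpClient http = new HttpClient();
Credentials credential = new UsernamePasswordCredentials("user", "password");
// Preemptive mode sends the Authorization header without waiting for a 401 challenge.
http.getParams().setAuthenticationPreemptive(true);
// AuthScope.ANY offers these credentials to every host and realm the client contacts.
http.getState().setCredentials(AuthScope.ANY, credential);
```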
If you use a different HTTP client library, consult its documentation to learn how to configure basic access authentication.
Registering OAuth Consumers
If you want to authenticate by using OAuth, you need to register your application as an OAuth consumer.
First log in to ClearQuest web as an administrator, then select "OAuth Consumer Management" from the "Site Administration" menu. When the dialog appears, you can enter your OAuth consumer details.
Property | Description |
---|---|
Consumer Name | A name for your application that is displayed to users. |
Consumer Key | The consumer key can be any value, but it must be unique. |
Consumer Secret | The consumer secret is the shared secret between your application and ClearQuest. ClearQuest uses this secret to validate that requests are really from your application. You can pick any secret. |
Trusted | If checked, ClearQuest might share authorization with other trusted consumers. |
Obtaining OAuth Tokens
These OAuth URIs are properties of the oslc:OAuthConfiguration resource that is defined in the service provider catalog for each database set.
The OAuth access token allows you to make requests on behalf of a user. The access token is good until the ClearQuest server restarts.
Signing Requests
You will need an OAuth library to help you sign requests using the access token. As an OAuth provider, ClearQuest supports the HMAC-SHA1 signature method and accepts Authorization OAuth parameters in the header, as part of the query string, and in the request body. See OAuth 1.0a: Parameter Transmission.