Exploring Web service security

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Web service security

    This content explains how to enforce security on ServiceNow web services using Basic Authentication, mutual authentication, or WS-Security, focusing primarily on Basic Authentication. It guides ServiceNow customers on configuring authentication to protect WSDL documents and SOAP message postings to ensure secure and authorized access.

    Show full answer Show less

    Key Features

    • Basic Authentication Enforcement: Enable the property glide.basicauth.required to require an "Authorization" header in every WSDL or SOAP request, enforcing Basic Authentication.
    • User Context Tracking: When Basic Authentication credentials are supplied, data modifications are recorded under the authenticated user's ID rather than the default Guest user, improving auditability.
    • Case Insensitive Authorization Header: The property glide.security.script.include.name.case.insensitive.list allows configuring script includes to ignore capitalization in Authorization headers, supporting smoother authentication processing.
    • Programming Language Examples: Code snippets demonstrate how to implement Basic Authentication in various client environments including Perl (SOAP::Lite), C# .NET (VS 2005 and VS 2008), and VB .NET, illustrating practical integration approaches for invoking ServiceNow web services securely.
    • Error Handling: If Basic Authentication is enforced but credentials are missing, the service responds with an HTTP 401 Unauthorized status, indicating authentication is required.

    Practical Benefits for ServiceNow Customers

    • Ensures web service requests are securely authenticated, protecting sensitive operations such as record creation and updates.
    • Provides audit trails by associating changes with authenticated users instead of generic accounts.
    • Supports multiple client technologies with concrete examples, facilitating easier integration into existing applications.
    • Helps avoid common pitfalls such as case sensitivity in headers and missing credentials, improving reliability of service interactions.

    Implementation Guidance

    To secure ServiceNow SOAP web services using Basic Authentication:

    • Set glide.basicauth.required to true in system properties.
    • Ensure client requests include the proper "Authorization" header per Basic Authentication standards.
    • Adjust glide.security.script.include.name.case.insensitive.list as needed to allow case-insensitive header processing.
    • Utilize provided code samples to configure clients in Perl, C#, or VB.NET to send credentials correctly.
    • Test service calls to confirm that unauthorized requests are rejected with HTTP 401 errors.

    Enforce security using basic authentication, mutual authentication, or WS-Security.

    Basic Authentication

    To enforce basic authentication on each request for a WSDL document or posting of SOAP messages, you may set the property glide.basicauth.required to true. If you do so, each WSDL or SOAP request would have to contain the "Authorization" header as specified in the Basic Authentication protocol. Because the request is non-interactive, the Authorization header is always required during a request.

    Supplying basic authentication information whether or not it is required has the added advantage that the data created or updated as a result of the Web Service invocation is done on behalf of the user supplied in the basic authentication credentials. As an example, when creating an Incident record, the journal fields have the user id of the basic authenticated user, instead of the default Guest user.

    To make the authorization header ignore the capitalization rules, use the glide.security.script.include.name.case.insensitive.list property. You can modify this property in the System Properties [sys_properties] table and add the script includes that are necessary to process the authentication. By default, this property has these values:
    • BasicAuth
    • CustomAuth
    Add other script includes as needed.
    To supply basic authentication when using Perl and the SOAP::Lite libraries, you can implement the following function:
    sub SOAP :: Transport :: HTTP :: Client :: get_basic_credentials { return 'user_name' => 'password' ; }
    • When using C# .NET VS 2005 or older, you can take advantage of the Credentials object, for example:
      System.Net . ICredentials cred  = new System.Net . NetworkCredential ( "user_name",  "password" ) ;
 
service . ServiceNow proxy  = new service . ServiceNow ( ) ;
service . get getService  = newservice . get ( ) ;
service . getResponse getServiceResponse  = new service . getResponse ( ) ;
 
 try {
  proxy . Credentials = cred ;
  getService . sys_id = "bf522c350a0a140701972dbf876f1610" ;
  getServiceResponse  = proxy . get (getService ) ; catch (Exception ex ) { }
    • When using C# .NET VS 2008, you can take advantage of the ClientCredentials object, for example:
      Demo_Incident. ServiceNowSoapClient client  = new Test08WebService . Demo_Incident . ServiceNowSoapClient ( ) ;
client . ClientCredentials . UserName . UserName = "admin" ;
client . ClientCredentials . UserName . Password = "admin" ;
      Then in your app.config file look for the following and change None to Basic:
      <transport clientCredentialType= "None" proxyCredentialType= "None" realm= "" />
    • When using VB .NET taking advantage of the Credentials object would look like the following:
      Sub Main()
         Dim cred  As New System.Net.NetworkCredential( "user_name",  "password")
 
         Dim proxy  As New VB_Democm.incident.ServiceNow
         Dim getIncident  As New VB_Democm.incident. get Dim getResponse  As New VB_Democm.incident.getResponse
 
        proxy.Credentials = cred
 
        getIncident.sys_id =  "[your sysID here]"
 
        getResponse = proxy. get(getIncident)
 
     End Sub
      The resulting response when Basic Authentication is turned on and no credentials are supplied looks like this:
      <html> <head > <title >Apache Tomcat/5.0.28 - Error report </ title > <style > <!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}    H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}    H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}    BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}    B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}    P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}   A {color&nbsp;: black;}   A.name {color&nbsp;: black;}   HR {color&nbsp;: #525D76;}--> </ style > </ head > <body > <h1 >HTTP Status 401 -\ </ h1 > <HR size = "1" noshade = "noshade" > <p >< b >type </ b > Status report </ p > <p >< b >message </ b > <u >< / u >< / p > <p >< b >description </ b > <u >This request requires HTTP authentication (). </ u >< / p > <HR size = "1" noshade = "noshade" > <h3 >Apache Tomcat/5.0.28 </ h3 > </ body > </ html >