Version: 10.0

Authorization

The web service endpoints of the webPDF SOAP API are not protected in the default installation. In this configuration, anonymous access to the endpoints is possible at any time, i.e. no authorization information needs to be specified in the web service call.

Endpoint authorization

To protect the endpoints so that they can be used only with authorization, this must be enabled in the configuration. To do this, disable anonymous access in the configuration in the Admin Portal.

Enable SOAP Authorization

In this case, the SOAP web services can only be used with user authentication or an external OAuth2 provider.

Authorization through user authentication is based on the server's user source and local authorization.

User source

Each time the SOAP web services are accessed, the credentials (username and password) for a user must be passed in the ‘Authorization’ header of the SOAP request as basic authentication (RFC 7617).

Example: Authorization: Basic YWRtaW46YWRtaW4=

Alternatively, authorization by an external OAuth2 provider can also be used.

This must be configured via the Admin Portal under Server -> OAuth.

An access token issued by the OAuth2 provider can then be used to authorize the SOAP web services. The access token is passed in the Authorization header as Bearer [Access token].

Example: Authorization: Bearer eyJraWQiOiJyb3ZZTFQ4TXgwcTd1WW1i ... CO2TLHCiQCsuMf-1Vw

Caution

The request for the access token must be processed by the client application. The server only validates the token of the OAuth2 provider based on the configuration.

If SOAP web services authorization is enabled and invalid data is passed in the Authorization header, calling a SOAP web service results in the error message 401 Unauthorized.

Token format

Access tokens originating from external OAuth providers must be JSON Web Tokens (JWT) for the server to understand them.

The access tokens must be digitally signed, i.e. they must be available as "JSON Web Signature" (JWS) tokens. The signature must be based on RSA cryptography (consisting of a public and private key).
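
A client-side format check for the two header forms described above (Basic credentials and an RSA-signed JWS bearer token). This is an added example, not part of the webPDF documentation or product code. The names `check_authorization` and `make_sample_token` are hypothetical, the RSA algorithm list is taken from RFC 7518, and the check inspects format only; signature validation remains the server's job.

```python
import base64
import json

# RSA-based JWS algorithms from RFC 7518. Assumption: the page only says "RSA"
# and does not list which of these the server accepts.
RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}

def _b64url_decode(part: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def check_authorization(value: str) -> tuple[bool, str]:
    """Format check of an Authorization header value (hypothetical helper)."""
    scheme, _, cred = value.partition(" ")
    if scheme == "Basic":
        try:  # RFC 7617: base64("user:password"), reversible by anyone who sees it
            user, sep, _ = base64.b64decode(cred, validate=True).decode().partition(":")
        except ValueError:
            return False, "Basic credentials are not valid base64 text"
        if not sep:
            return False, "Basic credentials lack the user:password separator"
        return True, f"Basic credentials for user {user!r} (encoded, not encrypted)"
    if scheme == "Bearer":
        parts = cred.split(".")
        if len(parts) != 3 or not all(parts):
            return False, "not a signed compact JWS (header.payload.signature)"
        try:
            header = json.loads(_b64url_decode(parts[0]))
        except ValueError:
            return False, "JWT header is not base64url-encoded JSON"
        alg = header.get("alg") if isinstance(header, dict) else None
        if not isinstance(alg, str) or alg not in RSA_ALGS:
            return False, f"alg {alg!r} is not an RSA signature algorithm"
        return True, f"JWS with RSA algorithm {alg}"
    return False, f"unsupported scheme {scheme!r}"

def make_sample_token(alg: str, signed: bool = True) -> str:
    # Constructed sample token: real header, dummy payload and signature bytes.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    head = enc(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return ".".join([head, enc(b'{"sub":"demo"}'), enc(b"dummy") if signed else ""])

if __name__ == "__main__":
    samples = ["Basic YWRtaW46YWRtaW4=", "Bearer " + make_sample_token("RS256"),
               "Bearer " + make_sample_token("HS256"),
               "Bearer " + make_sample_token("none", signed=False),
               "Bearer: " + make_sample_token("RS256")]
    for s in samples:
        print(check_authorization(s), "<-", s[:40])
```

Running such a check before the SOAP call catches tokens the server would answer with 401 Unauthorized, such as HMAC-signed or unsigned JWTs.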