Providing credentials for basic authentication

When an HTTP 401 WWW-Authenticate message is received, your application must provide the user name and password (credentials) required by the server for basic authentication. Your application can also provide these credentials without waiting for the 401 message.

Procedure

  1. Open a web session with the server by issuing the WEB OPEN command with the SESSTOKEN option.
    The SESSTOKEN is returned to you when the session is opened successfully, and the session token must be used on all CICS® WEB commands that relate to this use of the connection.
  2. Issue a WEB SEND command, specifying the SESSTOKEN for this use of the connection.
    This WEB SEND command retrieves the realm from the server.
  3. Issue a WEB RECEIVE command. The server returns a status code. Use the STATUSCODE option on the WEB RECEIVE command to check for a 401 response.
  4. If the status code is 401 (the server requires authentication details), repeat your first WEB SEND request, but this time add the AUTHENTICATE(BASICAUTH) option. The XWBAUTH global user exit is called by the client application.
    This second WEB SEND command uses the realm received from the first WEB SEND command and the XWBAUTH exit to determine the required user name and password.
  5. You might prefer to specify AUTHENTICATE(BASICAUTH) in your initial WEB SEND command, instead of waiting for the 401 response. You have a choice:
    • Supply your user name and password in the WEB SEND command using the AUTHENTICATE(BASICAUTH) option.
    • Call the XWBAUTH global user exit by specifying the AUTHENTICATE(BASICAUTH) option, but omitting your credentials. The user exit is called, but the realm passed to the exit is empty, because the realm has not yet been received from the server. The user exit must derive the required credentials from other parameters; for example, HOST and PATH.
  6. If your application needs to know the realm that was sent in the 401 response, use the WEB EXTRACT command.
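
The procedure above as a COBOL client program, added here as an illustration and not taken from the CICS documentation. The program name, host, path, buffer sizes and the HTTPS scheme are assumptions, and the program relies on an enabled XWBAUTH exit to supply the credentials, so no password is held in the source.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. BASAUTH1.
      * Added example. Program name, host, path and buffer sizes
      * are placeholders, not values from the CICS documentation.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-SESSTOKEN    PIC X(8).
       01  WS-HOST         PIC X(15) VALUE 'www.example.com'.
       01  WS-PATH         PIC X(10) VALUE '/protected'.
       01  WS-AUTH         PIC S9(8) COMP.
       01  WS-STATUS       PIC S9(4) COMP.
       01  WS-STATUSTEXT   PIC X(64).
       01  WS-STATUSLEN    PIC S9(8) COMP.
       01  WS-BODY         PIC X(4096).
       01  WS-BODYLEN      PIC S9(8) COMP.
       01  WS-REALM        PIC X(56).
       01  WS-REALMLEN     PIC S9(8) COMP VALUE 56.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Step 1: open the session (HTTPS assumed) and keep the token.
           EXEC CICS WEB OPEN HOST(WS-HOST) HOSTLENGTH(15)
                SCHEME(DFHVALUE(HTTPS)) SESSTOKEN(WS-SESSTOKEN)
           END-EXEC.
      * Steps 2 and 3: first request without credentials.
           MOVE DFHVALUE(NONE) TO WS-AUTH.
           PERFORM SEND-AND-RECEIVE.
           IF WS-STATUS = 401
      * Step 6: read the realm sent in the 401 response.
              EXEC CICS WEB EXTRACT SESSTOKEN(WS-SESSTOKEN)
                   REALM(WS-REALM) REALMLEN(WS-REALMLEN)
              END-EXEC
      * Step 4: repeat the request; XWBAUTH supplies credentials.
              MOVE DFHVALUE(BASICAUTH) TO WS-AUTH
              PERFORM SEND-AND-RECEIVE
           END-IF.
           EXEC CICS WEB CLOSE SESSTOKEN(WS-SESSTOKEN) END-EXEC.
           EXEC CICS RETURN END-EXEC.
       SEND-AND-RECEIVE.
           EXEC CICS WEB SEND SESSTOKEN(WS-SESSTOKEN)
                METHOD(DFHVALUE(GET)) PATH(WS-PATH) PATHLENGTH(10)
                AUTHENTICATE(WS-AUTH)
           END-EXEC.
      * STATUSLEN is input and output, so reset it before each call.
           MOVE 64 TO WS-STATUSLEN.
           EXEC CICS WEB RECEIVE SESSTOKEN(WS-SESSTOKEN)
                INTO(WS-BODY) LENGTH(WS-BODYLEN) MAXLENGTH(4096)
                STATUSCODE(WS-STATUS) STATUSTEXT(WS-STATUSTEXT)
                STATUSLEN(WS-STATUSLEN)
           END-EXEC.
```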

Results

CICS passes the user name and password credentials to the server in an Authentication header.