webMethods Knowlegebase : Mediator sends incorrect HTTP status code for APIs with multiple authentication policies (1795016)

Problem

In CentraSite 10.3 Fix 2, a REST Service has been created and virtualized with the following policies:

- Evaluate HTTP Basic Authentication

- Evaluate OAuth2 Token (through the API Consumption Settings)

- Require API Key Check (through the API Consumption Settings)

The Operator (Applicable to only "Evaluate" actions) radio button to "Or" has been set.

Then it has been published to Mediator 9.12 Fix 17 using the axis-free stack.

For Basic Authentication and OAuth2, everything is working fine: authenticate with Basic Authentication or an OAuth2 token generated with the client ID and secret of a registered consumer application.

But when the API with an API key of a registered consumer application is called, the Mediator will always respond with HTTP status code 401, but the status text will be correct (OK or Created, depending on the method called), and it will correctly deliver the respective payload.

This behavior is not reproducible with one of the authentication policies alone. It seems to be a result of the combination of the three authentication policies. Looks like the OR connector is not being considered.