Authenticating requests

Many operations, such as entry updates, require authentication by default. In addition, if the Lotus Connections administrator configures the servers to force authentication, all operations will first require you to authenticate.

API resources that are public do not require authentication. In release 2.5, authentication is required by default before users can access the Activities feature. The rest of the features do not initially force authentication. This configuration allows features like Profiles and Blogs to be open to everyone for browsing, and to require authentication only when a user tries to edit a personal profile or blog. If you want Lotus Connections to require authentication for all of the features, the administrator must explicitly configure it.

For API resources that do not require authentication, traffic is sent over HTTP. API programs that access resources that require authentication must use the HTTP basic authentication method to provide a user name and password. Do not send credentials preemptively. The server does not accept them. Instead, design the API client program to wait for an "HTTP/1.1 401 Unauthorized" challenge from the Lotus Connections server before sending basic credentials. To prevent credentials from being sent in the clear, the API (except for the Files and Wikis APIs) always sends a redirect to HTTPS before issuing the unauthorized challenge. The Files and Wikis APIs use J2EE declarative security, which does not support the redirection of basic authentication requests to HTTPS before requesting authentication credentials.

To force API traffic to be sent over HTTPS, you can configure Lotus Connections to force all traffic to be sent using SSL. See Forcing traffic to be sent over SSL for more details. To force the Files and Wikis APIs that require authentication to use HTTPS, also configure Lotus Connections to force Files and Wikis authenticated API traffic over HTTPS. See Forcing Files and Wikis Authenticated API traffic to be sent over HTTPS for more details.
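A client that follows the flow described above, as an added example that is not part of the original documentation: it sends no credentials up front, follows the redirect to HTTPS, and answers the 401 challenge only when the URL is HTTPS, so a Files or Wikis style challenge issued over plain HTTP is refused instead of answered. The `send` transport, the `make_server` stand-in, the host name and the path are constructed for illustration.

```python
import base64
from urllib.parse import urljoin, urlsplit

class InsecureChallenge(Exception):
    """The server asked for Basic credentials on a non-HTTPS URL."""

def fetch(url, user, password, send, max_hops=5):
    """Challenge-driven Basic auth. `send(url, headers)` is a hypothetical
    transport returning (status, response_headers)."""
    headers = {}                              # no preemptive credentials
    for _ in range(max_hops):
        status, resp = send(url, headers)
        if status in (301, 302, 303, 307, 308) and "Location" in resp:
            url = urljoin(url, resp["Location"])
            headers = {}                      # never carry credentials across a redirect
            continue
        if status == 401 and "Authorization" not in headers:
            challenge = resp.get("WWW-Authenticate", "")
            if not challenge.lower().startswith("basic"):
                raise ValueError("unsupported challenge: " + challenge)
            if urlsplit(url).scheme != "https":
                # Challenge arrived without a prior redirect to HTTPS:
                # answering it would put the password on the wire in the clear.
                raise InsecureChallenge(url)
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            headers = {"Authorization": "Basic " + token}
            continue
        return status, url                    # success, or 401 after credentials were tried
    raise RuntimeError("too many redirects or challenges")

def make_server(redirects_to_https):
    """Constructed stand-in for the server; logs (url, credentials_present)."""
    log = []
    def send(url, headers):
        log.append((url, "Authorization" in headers))
        if url.startswith("http://") and redirects_to_https:
            return 302, {"Location": "https://" + url[len("http://"):]}
        if "Authorization" in headers:
            return 200, {}
        return 401, {"WWW-Authenticate": 'Basic realm="constructed"'}
    return send, log
```

With `redirects_to_https=False` the stand-in behaves like an API that challenges over HTTP, and `fetch` raises `InsecureChallenge` without ever attaching the `Authorization` header.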



Related tasks

Forcing users to log in before they can access a feature

Forcing traffic to be sent over SSL

Forcing Files and Wikis authenticated API traffic to be sent over HTTPS

