Question:
We're running CA Access Gateway (SPS), and we'd like to know what type of action (GET or POST) is recommended to use the REST base authentication. We're afraid that if a POST action is used, the credentials could show up in the CA Access Gateway (SPS) logs and traces.
Answer:
As per our documentation, the REST Interface doesn't put the data in the URL, but sets it as headers:
A URI in this format, http://hostname:port/authazws/AuthRestService/login/appID/Resource, posts the following request:
<loginRequest>
  <binaryCreds></binaryCreds>
  <password>user1</password>
  <userName>user1</userName>
  <action>GET</action>
</loginRequest>
Authentication REST Interface
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/ca-siteminder-sps-configuration/configuring-the-authentication-and-authorization-web-services
So, the credentials won't show up in any log or traces.
Moreover, the GET action is for the Authentication request, and POST is the action for the Authorization request.
See the sample on the same documentation page:
Authentication REST Interface
A URI in this format, http://hostname:port/authazws/AuthRestService/login/appID/Resource, posts the following request:
<loginRequest>
  <binaryCreds></binaryCreds>
  <password>user1</password>
  <userName>user1</userName>
  <action>GET</action>
</loginRequest>
[...]
Authorization REST Interface
The REST interface for authorization is http://hostname:port/authazws/AuthRestService/authz/appID/Resource:
<authorizationRequest>
  <action>POST</action>
  <resource>RealmA/index.html</resource>
  <sessionToken>affl;;alkf;l;fd</sessionToken>
</authorizationRequest>
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/ca-siteminder-sps-configuration/configuring-the-authentication-and-authorization-web-services
KB: TEC1252652
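A client-side illustration of the two request bodies quoted above, and of what an access log line would record for the login call (an added example in Python, not CA's code; the gateway host and port, the appID and the log line format are placeholders and assumptions):

```python
"""Build the AuthRestService login/authz bodies from the KB article and show
that the credentials sit in the POST body, not in the logged URL.
Added example, not CA's code."""
import xml.etree.ElementTree as ET
from urllib.request import Request

# Assumed gateway host and port (placeholders, not values from the article).
BASE_URL = "http://sps.example.com:8080/authazws/AuthRestService"


def build_login_request(user_name: str, password: str, action: str = "GET") -> bytes:
    """Serialize a <loginRequest>. ElementTree escapes '<' and '&' in the
    credential values, so an unusual password cannot break the XML."""
    root = ET.Element("loginRequest")
    ET.SubElement(root, "binaryCreds").text = ""
    ET.SubElement(root, "password").text = password
    ET.SubElement(root, "userName").text = user_name
    ET.SubElement(root, "action").text = action
    return ET.tostring(root, encoding="utf-8", short_empty_elements=False)


def build_authz_request(session_token: str, resource: str, action: str = "POST") -> bytes:
    """Serialize an <authorizationRequest> carrying the session token."""
    root = ET.Element("authorizationRequest")
    ET.SubElement(root, "action").text = action
    ET.SubElement(root, "resource").text = resource
    ET.SubElement(root, "sessionToken").text = session_token
    return ET.tostring(root, encoding="utf-8", short_empty_elements=False)


def parse_field(body: bytes, tag: str) -> str:
    """Read one child element back out of a serialized body."""
    return ET.fromstring(body).findtext(tag)


def prepare_login(app_id: str, resource: str, user_name: str, password: str) -> Request:
    """Prepare (not send) the login call: credentials travel only in the body."""
    url = f"{BASE_URL}/login/{app_id}/{resource}"
    return Request(url, data=build_login_request(user_name, password),
                   headers={"Content-Type": "application/xml"}, method="POST")


def access_log_line(req: Request) -> str:
    """What a typical access log keeps (assumed format): method and URL, no body."""
    return f'"{req.get_method()} {req.full_url}"'


def body_secret_in_log(req: Request, secret: str) -> bool:
    """True only if the secret would appear in the recorded access-log line."""
    return secret in access_log_line(req)
```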