Secure WSO2 ESB proxy service with HTTP Basic Authentication.

Let's see how we can secure a WSO2 ESB proxy service using HTTP Basic Authentication.

Step 1.  Create a simple proxy service in WSO2 ESB.

Here I am using the "echo" service in the same WSO2 ESB as the BE (backend) service.  If not, you can start a new WSO2 ESB instance and use its "echo" service as your BE service.

The simple flow would be:

Client -------- HTTP Basic Auth -------> WSO2ESB ------------>  BE service (echo Service in ESB)

A sample proxy configuration is as follows.

<proxy xmlns="http://ws.apache.org/ns/synapse" name="BasicAuthProxy">
 <target>
  <endpoint><address uri="https://localhost:8243/services/echo"/></endpoint>
 </target>
 <publishWSDL uri="http://localhost:8280/services/echo?wsdl"/>
</proxy>


Step 2.  Secure the proxy service with security scenario 01 (which is UsernameToken).

Note:  Do not be confused here.  We are using the WS-Security UsernameToken scenario to secure the proxy, but you do not need to send a UsernameToken request; you can send HTTP Basic Auth as well.




Step 3.  Select the authorized group that you are allowing to access this proxy service. (This is the RBAC that is built into the Basic Authentication.)  If you want to allow all users to access this service, just check the "Internal/everyone" role.



Step 4.  We have secured the service. Now let's send a message with Basic Auth.

I am using SOAPUI for it.

If you send the message without HTTP Basic Auth, you will get a 401.


If you send it with HTTP Basic Auth, you will receive the correct message.




What is happening?

You are securing the proxy service with WS-Security.  But when a Basic authentication request hits the ESB, the Basic authentication header is converted to WS-Security headers inside WSO2 ESB.
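
The conversion described above, sketched in Python as an added illustration (not WSO2's implementation and not code from the original post): it decodes the `Authorization: Basic` value and inserts the equivalent WS-Security UsernameToken into a SOAP 1.1 envelope. The function names, the sample envelope and the `alice` credentials are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

# Illustration only; assumes SOAP 1.1 and a PasswordText UsernameToken.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"


def parse_basic(header):
    """Return (username, password) from an Authorization header value, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed Base64 or bytes that are not UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep and user else None


def add_username_token(envelope_xml, header):
    """Add a wsse:UsernameToken built from Basic credentials; None means reject (401)."""
    creds = parse_basic(header)
    if creds is None:
        return None
    env = ET.fromstring(envelope_xml)
    soap_header = env.find(f"{{{SOAP11}}}Header")
    if soap_header is None:
        soap_header = ET.Element(f"{{{SOAP11}}}Header")
        env.insert(0, soap_header)  # Header must precede Body
    security = ET.SubElement(soap_header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = creds[0]
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT)
    pw.text = creds[1]
    return ET.tostring(env, encoding="unicode")


# Constructed sample request: an empty-bodied SOAP 1.1 envelope and demo credentials.
SAMPLE_ENVELOPE = f'<s:Envelope xmlns:s="{SOAP11}"><s:Body/></s:Envelope>'
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:p:ss").decode()

if __name__ == "__main__":
    print(add_username_token(SAMPLE_ENVELOPE, SAMPLE_HEADER))
```

Both forms carry the password in recoverable form (Base64 is an encoding, not encryption), so the secured proxy should only be reachable over the HTTPS transport, as with port 8243 above.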

Thanks for reading…!!!




  1. Thanks for pointing that out. The concept is not outdated. But in ESB 4.9.0 the QoS UI has been removed :(. You need to configure it using Dev Studio (the developer tool for WSO2 ESB). So you cannot try this using the management console UI.

  2. I tried the above with ESB 4.9.0 and got the following

    POST https://wasims-mbp.home:8243/services/echoProxy.echoProxyHttpSoap11Endpoint HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: text/xml;charset=UTF-8
    SOAPAction: "urn:echoInt"
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Length: 805
    Host: wasims-mbp.home:8243
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)




    HTTP/1.1 500 Internal Server Error
    Content-Type: text/html
    Date: Fri, 13 May 2016 09:38:45 GMT
    Transfer-Encoding: chunked
    Connection: Keep-Alive

    Failed to process the requestError processing POST request for : /services/echoProxy.echoProxyHttpSoap11EndpointUsernameToken missing in cannot be cast to org.apache.axiom.soap.SOAPHeaderBlock

  3. XML tags are not showing in my previous comment. Anyway, it seems the automatic "Basic Authorization" header conversion to WS-Security UT token is not working by default. I wonder if there are any server configurations needed.
