HTTP Basic Auth access

Protected resources may be accessed by sending an HTTP Basic Auth header if desired. Airlock IAM does not provide an explicit end-point for HTTP Basic Auth but it provides an authentication flow step that is capable of checking a username and password given an HTTP Basic Auth header.

If no "Authorization" header with username and password is present in a request to the URI, an HTTP status code 401 with the corresponding WWW-Authenticate header is returned. It uses the page access-unauthorized.jsp as body.


  • Go to:
    Loginapp >> Applications and Authentication.
  • Add a target application to the Applications list.
  • Define an authentication flow with the Basic Auth Step as the first step. When using HTTP Basic Auth, this is typically the only authentication step. However, it is possible to combine HTTP Basic Auth with other authentication steps, even 2nd-factor steps.
  • For authentication enforcement with Airlock Gateway: set the Access Denied URL of the corresponding mapping to the  /check-login to /http-basic-auth.

Accessing the target application

To enforce access control and authentication using the Airlock Gateway, set the Access Denied URL in the Gateway's mapping to https://iam-host/auth-login/rest/public/authentication/applications/applicationid/access (where applicationid is the ID of the configured target application).