Authentication methods

Owned by Marco Baurdoux
Last updated: Nov 17, 2015

For every request a third party software client send, an authentication will take place. The authentication is made up out of an USERNAME and a PASSWORD. Different solutions are available for this.

Do not mix

In order to avoid any problems, a third party software client should only use one single authentication method.

1. Using HTTP Basic authentication

When opting for this authentication method, a third party software client must transfer an additional HTTP header besides the mandatory headers described in the chapter Transmission. The value to transmit ("QWxhZGRpbjpvcGVuIHNlc2FtZQ==" in our example) is obtained in 3 steps.

    1. USERNAME and PASSWORD are combined into a string "USERNAME:PASSWORD"
    2. The resulting string is then encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line
    3. The authorization method and a space i.e. "Basic" is then put before the encoded string.
Basic access authentication
User-Agent: MyApplicationName
Content-Type: text/xml; charset=utf-8 
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

2. Using the POS element in the XML body

When opting for this authentication method, a third party software client must include the POS element within the OTA message that is being transmitted to the Hotel-Spider servers.

Using the POS element
<?xml version="1.0" encoding="utf-8"?>
<OTA_HotelAvailNotifRQ ........>
  <POS>
    <Source>
      <RequestorID Type="5" ID="USERNAME" MessagePassword="PASSWORD"></RequestorID>
    </Source>
  </POS>
  ........
</OTA_HotelAvailNotifRQ>

3. Using the WSSE header (only when using SOAP)

When transmitting requests via SOAP, the authentication is done via WS-Security (Web Services Security)

WS-Security examples
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>USERNAME</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <OTA_HotelAvailNotifRQ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opentravel.org/OTA/2003/05" xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_HotelAvailNotifRQ.xsd" TimeStamp="2012-10-05T14:20:50" Target="Test" Version="1.005">
      <AvailStatusMessages>
        <AvailStatusMessage BookingLimit="25" LocatorID="1">
          <StatusApplicationControl Start="2015-09-24" End="2015-09-24" InvTypeCode="*************"/>
        </AvailStatusMessage>
      </AvailStatusMessages>
    </OTA_HotelAvailNotifRQ>
  </soap:Body>
</soap:Envelope>