Explore Web service security
Summary of Explore Web service security
This documentation explains how ServiceNow customers can enforce security on web service requests by using Basic Authentication, Mutual Authentication, or WS-Security. It focuses primarily on configuring and implementing Basic Authentication for SOAP web services, ensuring that only authorized users can access WSDL documents and post SOAP messages.
Basic Authentication
To require Basic Authentication for every SOAP request or WSDL retrieval, set the system property glide.basicauth.required to true. This forces every request to include an Authorization header with the user credentials. Because the requests are non-interactive, the Authorization header is mandatory.
Providing valid Basic Authentication credentials not only secures the request but also ensures that any data created or updated within ServiceNow is attributed to the authenticated user rather than a default or guest user. For example, when an Incident is created via a web service call, the journal fields will reflect the authenticated user's ID.
To handle case insensitivity in the Authorization header, modify the glide.security.script.include.name.case.insensitive.list property in the System Properties [sysproperties] table. This property contains script includes that process authentication and can be extended as needed.
Implementing Basic Authentication in Client Code
The document provides examples of how to supply Basic Authentication credentials programmatically for different development environments:
- Perl SOAP::Lite: Implement a function returning the username and password.
- C# .NET (Visual Studio 2005 or older): Use a NetworkCredential object assigned to the proxy's Credentials property.
- C# .NET (Visual Studio 2008): Use the ClientCredentials.UserName property on the SOAP client and update app.config to set clientCredentialType to "Basic".
- VB .NET: Assign a NetworkCredential object to the proxy's Credentials property before making calls.
Expected Behavior When Authentication Fails
If Basic Authentication is enabled but credentials are missing or invalid, the server responds with an HTTP 401 Unauthorized status. The response includes an error page indicating that HTTP authentication is required, preventing unauthorized access to the web service.
Practical Implications for ServiceNow Customers
- Enforcing Basic Authentication enhances security by ensuring that only authorized users can invoke web services.
- Audit trails and data ownership in ServiceNow accurately reflect the authenticated user making changes via web services.
- Configuration involves setting system properties and potentially updating client applications to include credentials properly.
- Understanding client-side implementation examples helps customers integrate their systems securely with ServiceNow SOAP APIs.
Enforce security using basic authentication, mutual authentication, or WS-Security.
Basic Authentication
To enforce basic authentication on each request for a WSDL document or posting of SOAP messages, you may set the property glide.basicauth.required to true. If you do so, each WSDL or SOAP request would have to contain the "Authorization" header as specified in the Basic Authentication protocol. Because the request is non-interactive, the Authorization header is always required during a request.
Supplying basic authentication information whether or not it is required has the added advantage that the data created or updated as a result of the Web Service invocation is done on behalf of the user supplied in the basic authentication credentials. As an example, when creating an Incident record, the journal fields have the user id of the basic authenticated user, instead of the default Guest user.
- When using Perl SOAP::Lite, supply the credentials by defining the get_basic_credentials callback, for example:

```perl
# SOAP::Lite calls this whenever the server challenges for Basic Authentication
sub SOAP::Transport::HTTP::Client::get_basic_credentials {
    return 'user_name' => 'password';
}
```
- When using C# .NET VS 2005 or older, you can take advantage of the Credentials object, for example:

```csharp
System.Net.ICredentials cred = new System.Net.NetworkCredential("user_name", "password");
service.ServiceNow proxy = new service.ServiceNow();
service.get getService = new service.get();
service.getResponse getServiceResponse = new service.getResponse();
try
{
    // Attach the credentials before the first call; the proxy adds the Authorization header
    proxy.Credentials = cred;
    getService.sys_id = "bf522c350a0a140701972dbf876f1610";
    getServiceResponse = proxy.get(getService);
}
catch (Exception ex)
{
    // A missing or rejected credential surfaces here as an HTTP 401 fault
}
```
- When using C# .NET VS 2008, you can take advantage of the ClientCredentials object, for example:

```csharp
Demo_Incident.ServiceNowSoapClient client = new Test08WebService.Demo_Incident.ServiceNowSoapClient();
client.ClientCredentials.UserName.UserName = "admin";
client.ClientCredentials.UserName.Password = "admin";
```
Then in your app.config file look for the following and change None to Basic:

```xml
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
```
- When using VB .NET, taking advantage of the Credentials object would look like the following:

```vb
Sub Main()
    Dim cred As New System.Net.NetworkCredential("user_name", "password")
    Dim proxy As New VB_Democm.incident.ServiceNow
    Dim getIncident As New VB_Democm.incident.get
    Dim getResponse As New VB_Democm.incident.getResponse
    ' Attach the credentials before calling the web service
    proxy.Credentials = cred
    getIncident.sys_id = "[your sysID here]"
    getResponse = proxy.get(getIncident)
End Sub
```
The resulting response when Basic Authentication is turned on and no credentials are supplied looks like this:

```html
<html>
<head>
<title>Apache Tomcat/5.0.28 - Error report</title>
<style>
<!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} A {color : black;} A.name {color : black;} HR {color : #525D76;}-->
</style>
</head>
<body>
<h1>HTTP Status 401 - </h1>
<HR size="1" noshade="noshade">
<p><b>type</b> Status report</p>
<p><b>message</b> <u></u></p>
<p><b>description</b> <u>This request requires HTTP authentication ().</u></p>
<HR size="1" noshade="noshade">
<h3>Apache Tomcat/5.0.28</h3>
</body>
</html>
```
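As an added example (not ServiceNow's own code), the following Python models the behaviour this section describes: a client builds the RFC 7617 Basic Authorization header, and a server-side check accepts a request only when that header is present and valid, otherwise answering 401 with a WWW-Authenticate challenge, since a non-interactive SOAP client cannot be redirected to a login form. The USERS table, the realm string and the function names are constructed for this example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for the example (stands in for the instance's user table)
USERS = {"user_name": "password"}


def build_basic_header(user: str, password: str) -> str:
    """Client side: encode 'user:password' as an RFC 7617 Basic Authorization value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization value, or None if absent or malformed."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate_soap_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Server side, mirroring glide.basicauth.required=true: every request must carry
    valid Basic credentials. Returns (status, response_headers, authenticated_user)."""
    # HTTP header names are case-insensitive, so match the name without regard to case
    auth_value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic_header(auth_value)
    if creds is not None:
        user, password = creds
        expected = USERS.get(user)
        # compare_digest keeps the comparison time independent of where the mismatch occurs
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return 200, {}, user  # work is attributed to this user, not to Guest
    # No interactive login is possible for a SOAP client: challenge and stop here
    return 401, {"WWW-Authenticate": 'Basic realm="ServiceNow"'}, None
```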