KB Article #187600
Protect an API with HTTP Digest
Problem
- An API Manager inbound security policy expects all authentication information to be present in the request.
- The HTTP Digest flow uses two requests: the first is sent without authentication, and the server returns a 401 with the WWW-Authenticate header; the second is sent with the Authorization header set.
- Because of this, authentication will always fail if an API is protected by a policy with an HTTP Digest filter invoked as the security policy.
- How can API Manager protect an API with HTTP Digest?
Resolution
- Create a policy with an HTTP Digest filter (configured to your needs).
- Instead of using this policy as an Inbound Security Policy in API Manager configuration (Server Settings > API Manager), set this policy as a Request Policy.
- Edit your Frontend API. In the Inbound tab, set Inbound Security to Pass Through. In the Outbound tab, select the Advanced view and select your policy as the Request policy.