Web services security

Web services security is enforced using a combination of basic authentication challenge/response for the HTTP protocol and system-level access control using the Contextual Security Manager.

To enforce basic authentication on each Web service request, each request must contain the Authorization header as specified in the Basic Authentication protocol. Because the request is non-interactive, there is no user to respond to an authentication challenge, so the Authorization header must be sent with the request itself.

Supplying basic authentication information has an added advantage whether or not it is required: data that is created or updated as a result of the Web service invocation is recorded on behalf of the user supplied in the basic authentication credentials. For example, when creating an Incident record, the journal fields will contain the user ID of the basic authenticated user, instead of the default "Guest" user.
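
The Authorization header requirement described above, as an added example that is not part of the original documentation: a non-interactive client builds the Basic Authentication value (RFC 7617) and attaches it to the first request, and the parser shows how the receiving side recovers the user ID. The host, path, account name and request body are constructed placeholders, and the HTTPS check is an assumption added here because the header value is only Base64-encoded.

```python
import base64
import urllib.request
from urllib.parse import urlsplit


def basic_auth_header(user: str, password: str) -> str:
    """Return the Authorization header value defined by RFC 7617."""
    if ":" in user:
        # The first colon separates user-id from password, so the user-id cannot contain one.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(value: str) -> tuple[str, str]:
    """Recover (user, password) from a header value, as the receiving side does."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def build_request(url: str, body: bytes, user: str, password: str) -> urllib.request.Request:
    """Build (not send) a POST that carries credentials on the first request."""
    if urlsplit(url).scheme != "https":
        # Base64 is an encoding, not encryption: only TLS protects the credentials.
        raise ValueError("refusing to attach Basic credentials to a non-HTTPS URL")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    return req


# Constructed sample values: placeholder host, path and request body.
SAMPLE_URL = "https://instance.example.com/ws/incident"
SAMPLE_BODY = b"<Envelope/>"

if __name__ == "__main__":
    req = build_request(SAMPLE_URL, SAMPLE_BODY, "ws.integration", "s3cr:et")
    print(req.get_header("Authorization"))
    print(parse_basic_auth(req.get_header("Authorization")))
```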