|Oracle® Fusion Middleware Developer's Guide for Oracle Imaging and Process Management
11g Release 1 (11.1.1)
Part Number E12784-03
Authentication and session management are handled differently depending on the integration method being used. This chapter contains the following sections:
When first installed, the Oracle I/PM Web Services are configured with no Oracle Web Service Manager security policies applied. When no security policies are applied, the services leverage the HTTP Basic Authentication mechanism where by user credentials (user ID and password) are transmitted in the web service HTTP message header. This mechanism is, however, not very secure since the users credentials are not encrypted in any way unless a Secure Socket Layer (SSL) transport mechanism is used. If SSL is properly configured for the Oracle I/PM server instance, I/PM can be configured to force the use of SSL in all web service communication. This done by setting the I/PM configuration MBean “RequireBasicAuthSSL” to true. By default, it is false. [Note, the RequireBasicAuthSSL setting only applies when no HTTP Basic Authentication is in use because no OWSM security policies have been applied.]
When higher degrees of security are desirable, Oracle I/PM web services support the following Oracle Web Services Management (OWSM) security policies.
When applying a security policy to the I/PM web services, remember that the same policy must be applied to all of the web services with the exception of the DocumentContentService. The DocumentContentService is designed to use streaming MTOM that is incompatible with OWSM security policies. Security for DocumentContentService first requires a separate, stateful login through the LoginService, which does leverage OWSM security policy. (This information is primarily significant when making direct web services calls. The proper login sequence occurs automatically when using the native Java API.
Security policies are applied to I/PM web services from the WebLogic Server Administration Console using the following procedure.
Log in to Administration Console.
Click Deployments. The Summary of Deployments page is displayed.
Click the plus (+) icon next to imaging in the Name column of the Deployments table. The imaging deployment expands.
For each imaging web service under Web Services except DocumentContentService, do the following:
Select the web service. The setting page for the service is displayed.
Select the Configuration tab. The configuration tab becomes active.
Select the WS-Policy tab. The WS-Policy tab becomes active.
Click the web service port in the Service Endpoints and Operations column of the WS-Policy Files Associated With This Web Service table. The Configure the Policy Type for a Web Service page is displayed.
Ensure OWSM is selected and click Next. Note that WebLogic polices are not supported. The Configure a WebService Policy page ID displayed.
Choose a supported service policy from the Available Endpoint Policies field. Supported polices are listed in the section "Using OWSM Security Policies".
Click the right arrow to move the selected policy to the Chosen Endpoint Policies field. Note that only one security policy should be selected.
Click Finish. The Save Deployment Plan Assistant page is displayed.
Click OK to save the deployment plan.
Repeat step 4 for each web service except DocumentContentService until the same policy is applied for all services.
Click Deployments to return to the Deployments page.
Enable the check box next to imaging in the Name column of the Deployments table and click Update. The Update Application Assistant page is displayed with the new deployment plan specified next to Deployment plan path.
Click Finish. The new policies are applied and the deployment updated.
When OWSM security policies are applied to the I/PM web service, Java API code must use the WsmUserToken class to login rather than the BasicUserToken class. The WsmUserToken class is helper class for configuring OWSM client side security polices, including a set of static constants for setting the correct client side policy. Depending on the policy being used, addition configuration setting may be required as well. Refer to OWSM document for complete details on the meaning of the various configuration options.
Example 3-1 WsmUserToken Class for Various Policy Types
WsmUserToken userToken = new WsmUserToken ("weblogic", "weblogic"); userToken.setClientPolicy(WsmUserToken.USERNAME_TOKEN_POLICY); ServicesFactory.login(userToken, wsurl); WsmUserToken userToken = new WsmUserToken ("weblogic"); userToken.setClientPolicy(WsmUserToken.SAML_TOKEN_POLICY); WssUserToken userToken = new WssUserToken (); userToken.setUserName("weblogic"); userToken.setClientPolicy(WsmUserToken.SAML_TOKEN_MP_POLICY); userToken.setKeystore(".\\config\\default-keystore.jks", "JKS", "welcome"); userToken.getSecurityParameters().put(SecurityConstants.ClientConstants.WSS_ENC_KEY_ALIAS, "orakey"); userToken.getSecurityParameters().put(SecurityConstants.ClientConstants.WSS_ENC_KEY_PASSWORD, "welcome"); userToken.getSecurityParameters().put(SecurityConstants.ClientConstants.WSS_SIG_KEY_ALIAS, "orakey"); userToken.getSecurityParameters().put(SecurityConstants.ClientConstants.WSS_SIG_KEY_PASSWORD, "welcome");