Oracle Retail Point-of-Service uses web services for its integrations with Oracle Retail Returns Management and Oracle Retail Store Inventory Management. This appendix discusses security for the web services.
The OASIS WS-Security specification is the open standard for web services security. Its goal is to enable applications to secure SOAP message exchanges by providing encryption, integrity, and authentication support. WS-Security offers a general-purpose mechanism for associating security tokens with message content.
It is recommended that all web service communication performed by the Oracle POS Suite applications use a WS-Security authentication mechanism. The Oracle POS Suite applications include support for specific WS-Security implementations; however, alternative implementations can be used as needed.
The supported WS-Security implementations fall into two categories:
These web services are designed to participate in Retail Service Backbone (RSB) flows, all of which support two Oracle WebLogic WS-Policy configurations.
The following table lists the consumers and providers of RSB web services:
Service Name | Consumer | Provider |
---|---|---|
CustomerOrderService | Point-of-Service | Order Management System (OMS) |
CustomerService | Point-of-Service, Central Office | Customer Management (CM) |
InvAvailableToPromiseService | Point-of-Service | Order Management System (OMS) |
ItemBasketService | Point-of-Service | Oracle Retail Store Inventory Management |
POSTransactionService | Point-of-Service | Oracle Retail Store Inventory Management |
ShippingOptionsService | Point-of-Service | On-line Order Capture (OOC) |
StoreInventoryService | Point-of-Service | Oracle Retail Store Inventory Management |
StoreInventoryUinService | Point-of-Service | Oracle Retail Store Inventory Management |
Oracle Retail has defined two WS-Policy configurations for use with RSB web services. The policy configurations are referred to as Policy A and Policy B. On the provider side of the communication, Policy A and Policy B are configured using one or more Oracle WebLogic WS-Policy configurations defined in the XML files included in Oracle WebLogic:
Policy A:
Description:
Message must be sent over SSL and requires authentication of a plain text UsernameToken.
Configuration:
Wssp1.2-2007-Https-UsernameToken-Plain.xml
Policy B:
Description:
Message body must be encrypted and signed, and requires authentication of an encrypted UsernameToken.
Configuration:
Wssp1.2-2007-Wss1.1-UsernameTokenPlain-EncryptedKey-Basic128.xml
Wssp1.2-2007-EncryptBody.xml
Wssp1.2-2007-SignBody.xml
The web service communication between Oracle Retail Point-of-Service and the centralized applications, Oracle Retail Central Office and Oracle Retail Returns Management, does not participate in RSB flows. This communication is secured using a custom Username Token policy that does not rely on an Oracle WebLogic configuration. Authentication of non-RSB web services utilizes the Encryption Service.
JAX-WS handlers are used on the consumer side of RSB and non-RSB web services. Three handlers are available:
oracle.retail.stores.common.webservice.security.PolicyAHandler
oracle.retail.stores.common.webservice.security.PolicyBHandler
oracle.retail.stores.common.webservice.security.UsernameTokenHandler
On the provider side, non-RSB web services utilize a single handler:
oracle.retail.stores.common.webservice.security.AuthenticationHandler
Handlers are configured as beans in a ServiceContext.xml configuration file. In most cases, implementing a customized web service authentication mechanism requires replacing a supported handler with a customized implementation.
Oracle Retail Point-of-Service can communicate with both secured and unsecured Oracle Retail Store Inventory Management web services. If the web service is secured, the Oracle Retail Point-of-Service application adds the Username Token using the stub classes provided by the Oracle Retail Store Inventory Management application.