Oracle® Beehive RESTful Web Services API Reference Release 2 (2.0.1.7) E16658-04 |
Oracle Beehive RESTful Web services supports the following types of authentication:
The following topics are also covered:
You may use the following single sign-on technologies to secure Oracle Beehive RESTful Web services:
You may register Oracle Beehive as a partner application with Oracle Application Server Sign-On (which is also know as Oracle Single Sign-On or OSSO). This means you may delegate authentication to the OSSO server. For more information, refer to the module "Configuring Single Sign-On with Oracle Beehive" in the installation guide of the operating system of your Oracle Beehive deployment.
OC4J Java Single Sign-On is an alternative single sign-on solution that does not rely on additional required infrastructure. By default, OC4J Java Single Sign-On is automatically configured for Oracle Beehive.
Oracle Beehive RESTful Web Services follows these standards:
RFC 1945, Hypertext Transfer Protocol—HTTP/1.0
RFC 2616, Hypertext Transfer Protocol—HTTP/1.1
RFC 2617, HTTP Authentication: Basic and Digest Access Authentication
Refer to JSR 154: Java Servlet 2.4 Specification for more information about form-based authentication:
http://jcp.org/en/jsr/detail?id=154
Form based authentication
involves the HTTP POST method and the action j_security_check
.
This action requires the following parameters:
j_username
j_password
j_character_encoding
:
This parameter is not part of the Java Servlet 2.4 specification.
Specify the value utf-8
for this parameter.
Use the session tracking cookie named JSESSIONID to set these parameters.
If you are not using an HTML
form to perform form based authentication, set the parameter submit
to the value Login
in your HTTP POST request.
S2S (service-to-service) authentication enables external services to securely call Oracle Beehive services on behalf of users provisioned in Oracle Beehive.
To enable S2S authentication, follow these steps:
Create an Oracle Beehive
user that external services will use to authenticate with Oracle
Beehive services. These steps use the user portalapp
.
Call the following beectl command:
beectl add_trusted_identity --type S2S --password --service_name portalapp
Note: To change the context to another user, use therunas
parameter. For example, to retrieve the user first.user ,
call /my/user?runas=first.user .
Later on, you may call /my/user?runas=second.user
to retrieve the user second.user . |
Depending on the authentication method you use, the authenticated user is logged out after a specific amount of time:
OC4J Java Single-Sign On: The authenticated user is logged out after two hours irrespective of whether that user was active or not.
HTTP authentication (basic only): By default, the authenticated user is logged out after one hour of inactivity.
You may change the timeout value of Oracle Beehive's HTTP server. Run the following beectl commands:
beectl list_components --type HttpServer
-----------------+-------------------------------------------------------------
Component type | Component identifier
-----------------+-------------------------------------------------------------
HttpServer | ohs_site1.example.com
-----------------+-------------------------------------------------------------
beectl modify_property --component ohs_site1.example.com -–name Timeout --value <new timeout value in seconds>
beectl activate_configuration
beectl modify_local_configuration_files
beectl restart --component ohs_site1.example.com
All calls to POST, PUT, and DELETE method calls require an anti-CSRF token. This token guards against cross-site request forgery (CSRF) attacks.
Follow these steps to retrieve and specify this anti-CSRF token whenever you call a POST, PUT, and DELETE method.
This step assumes you
already successfully logged in with the POST method /session/login
Retrieve the anti-CSRF
token with the GET method /session/anticsrf
:
GET /comb/v1/d/session/anticsrf
Convert the anti-CSRF token
to the application/x-www-form-urlencoded
MIME format so that the anti-CSRF token is valid as a parameter in a
HTTP method call. This token frequently contains an equal sign (=
).
To use the anti-CSRF token in URIs with characters like the equal sign,
you must URL encode the token.
Most programming languages and environment have built-in operations for URL encoding strings. The following are suggested utilities:
In the HTTP method call,
set the parameter anticsrf
to the URL encoded anti-CSRF token. For example, the following method
demonstrates how to call the Read Batch method, /afrh/read
:
POST /comb/v1/d/afrh/read?anticsrf=kp3PZtMeXK0%3D
Notes:
If you use the method
override header X-HTTP-Method-Override
to GET
,
for example, to perform a GET method with a POST method, you still need
the anti-CSRF token. Any call that reaches the servlet as a HTTP POST,
PUT, or DELETE method requires this token irrespective of the method
override.
It is simpler for your application to pass this token on every call. For example, you can create a common routine that handles all server traffic. If you decide to do this, note that passing the token on GET calls will not result in an error.
The following security and management best practices are recommended when building applications with Oracle Beehive RESTful Web services:
Use HTTPS (as opposed to HTTP) when communicating with Oracle Beehive.
Note that S2S authentication delegates authentication to the system built by the developer. Therefore, for example, if you are building an Oracle Beehive RESTful Web services application with Oracle WebCenter and decide to use S2S authentication, then you should follow the security practices of Oracle WebCenter.
Cross site-scripting (also referred to as XSS) is a security breach that takes advantage of dynamically generated Web pages. In a XSS attack, a Web application is sent a script that activates when it is read by a user's browser. Once activated, these scripts can steal data, even session credentials, and return the information to the attacker.
It is possible to use the
built-in JavaScript eval()
function to convert JSON data to native JavaScript objects. However,
unless the JSON data comes from a single trusted source, using eval()
to parse JSON data may create security vulnerabilities in your
application. For example, your application may be open to JavaScript
code injection attacks if untrusted JSON data contains malicious
JavaScript code, then executed by eval()
.
Instead of using eval()
,
use a JSON specific parser. It will recognize and parse only valid JSON
data. Some web browsers support JSON, which come with native JSON
parsers. For more information about this issue, refer to JSON in JavaScript.
|
Top |