Oracle® Beehive RESTful Web Services API Reference
  Release 2 (
Oracle Beehive

Oracle Beehive RESTful Web Services Authentication

Oracle Beehive RESTful Web services supports the following types of authentication:

The following topics are also covered:

Single Sign-On

You may use the following single sign-on technologies to secure Oracle Beehive RESTful Web services:

Oracle Application Server Single-Sign On

You may register Oracle Beehive as a partner application with Oracle Application Server Sign-On (which is also know as Oracle Single Sign-On or OSSO). This means you may delegate authentication to the OSSO server. For more information, refer to the module "Configuring Single Sign-On with Oracle Beehive" in the installation guide of the operating system of your Oracle Beehive deployment.

OC4J Java Single-Sign On

OC4J Java Single Sign-On is an alternative single sign-on solution that does not rely on additional required infrastructure. By default, OC4J Java Single Sign-On is automatically configured for Oracle Beehive.

Basic HTTP Authentication

Oracle Beehive RESTful Web Services follows these standards:

Form Based Authentication

Refer to JSR 154: Java Servlet 2.4 Specification for more information about form-based authentication:

Form based authentication involves the HTTP POST method and the action j_security_check. This action requires the following parameters:

  • j_username

  • j_password

  • j_character_encoding: This parameter is not part of the Java Servlet 2.4 specification. Specify the value utf-8 for this parameter.

Use the session tracking cookie named JSESSIONID to set these parameters.

If you are not using an HTML form to perform form based authentication, set the parameter submit to the value Login in your HTTP POST request.

S2S Authentication

S2S (service-to-service) authentication enables external services to securely call Oracle Beehive services on behalf of users provisioned in Oracle Beehive.

To enable S2S authentication, follow these steps:

  1. Create an Oracle Beehive user that external services will use to authenticate with Oracle Beehive services. These steps use the user portalapp.

  2. Call the following beectl command:

    beectl add_trusted_identity --type S2S --password --service_name portalapp


To change the context to another user, use the runas parameter. For example, to retrieve the user first.user, call /my/user?runas=first.user. Later on, you may call /my/user?runas=second.user to retrieve the user second.user.

Session Timeouts

Depending on the authentication method you use, the authenticated user is logged out after a specific amount of time:

Changing Timeout of Oracle Beehive's HTTP Server

You may change the timeout value of Oracle Beehive's HTTP server. Run the following beectl commands:

beectl list_components --type HttpServer

Component type | Component identifier
HttpServer |

beectl modify_property --component -–name Timeout --value <new timeout value in seconds>

beectl activate_configuration
beectl modify_local_configuration_files
beectl restart --component

Securing POST, PUT, and DELETE Method Calls

All calls to POST, PUT, and DELETE method calls require an anti-CSRF token. This token guards against cross-site request forgery (CSRF) attacks.

Follow these steps to retrieve and specify this anti-CSRF token whenever you call a POST, PUT, and DELETE method.

Step 1   Retrieve the anti-CSRF token

This step assumes you already successfully logged in with the POST method /session/login

Retrieve the anti-CSRF token with the GET method /session/anticsrf:

GET /comb/v1/d/session/anticsrf
Step 2   URL encode the anti-CSRF token

Convert the anti-CSRF token to the application/x-www-form-urlencoded MIME format so that the anti-CSRF token is valid as a parameter in a HTTP method call. This token frequently contains an equal sign (=). To use the anti-CSRF token in URIs with characters like the equal sign, you must URL encode the token.

Most programming languages and environment have built-in operations for URL encoding strings. The following are suggested utilities:

Step 3   Specify the URL encoded anti-CSRF token in the HTTP method call

In the HTTP method call, set the parameter anticsrf to the URL encoded anti-CSRF token. For example, the following method demonstrates how to call the Read Batch method, /afrh/read:

POST /comb/v1/d/afrh/read?anticsrf=kp3PZtMeXK0%3D


Security Best Practices

The following security and management best practices are recommended when building applications with Oracle Beehive RESTful Web services:


Use HTTPS (as opposed to HTTP) when communicating with Oracle Beehive.

Ensure Secured System When Using S2S Authentication

Note that S2S authentication delegates authentication to the system built by the developer. Therefore, for example, if you are building an Oracle Beehive RESTful Web services application with Oracle WebCenter and decide to use S2S authentication, then you should follow the security practices of Oracle WebCenter.

Protect Your Site from XSS Attacks

Cross site-scripting (also referred to as XSS) is a security breach that takes advantage of dynamically generated Web pages. In a XSS attack, a Web application is sent a script that activates when it is read by a user's browser. Once activated, these scripts can steal data, even session credentials, and return the information to the attacker.

Do Not Use JavaScript eval() Function to Parse JSON Data

It is possible to use the built-in JavaScript eval() function to convert JSON data to native JavaScript objects. However, unless the JSON data comes from a single trusted source, using eval() to parse JSON data may create security vulnerabilities in your application. For example, your application may be open to JavaScript code injection attacks if untrusted JSON data contains malicious JavaScript code, then executed by eval().

Instead of using eval(), use a JSON specific parser. It will recognize and parse only valid JSON data. Some web browsers support JSON, which come with native JSON parsers. For more information about this issue, refer to JSON in JavaScript.

Oracle Logo
Copyright © 2008, 2011, Oracle and/or its affiliates. All rights reserved.
Legal Notices