Server Security

XAI server security supports the basic HTTP authentication mechanism as well as web service security (WS-Security) to authenticate the user requesting service. When authenticating using WS-Security, the SOAP header contains the authenticating information.

The base package provides two XAI server URLs: '/classicxai', which uses basic HTTP authentication only, and '/xaiserver', which supports both methods. Whichever authentication method you practice, expose '/xaiserver' as your main XAI server. The main XAI servlet gathers authentication information from the incoming request (HTTP header or SOAP header) and then calls the internal ("classic") servlet for processing.

The "classic" XAI server uses only the basic HTTP authentication mechanism to authenticate the user requesting service. It assumes the requester has already been authenticated by the Web server running the XAI servlet, using the standard HTTP (or HTTPS) basic authentication mechanism. The authenticated user-id is passed to the application server, which is responsible for enforcing application security. This requires the system administrator to enable basic authentication on the Web server running the XAI servlet: define the XAI server URL '/classicxai' as a url-pattern in a web-resource-collection in the web.xml file. When the XAI server is not enabled for basic authentication, it passes the user-id specified on the Default User XAI option to the application server instead. Two practical consequences follow: basic authentication sends the credentials base64-encoded (not encrypted) on every request, so the servlet should be reachable over HTTPS only; and every request that arrives without credentials runs as the Default User, so that account should carry the minimum privileges the integration needs.
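The web.xml configuration the previous paragraph asks for, as an added example (this fragment is not from the product's own deployment descriptor). The url-pattern '/classicxai' is the one named above; the role name, realm name, the extra '/classicxai/*' pattern and the HTTPS requirement are assumptions chosen for the example and must be mapped to the container's real users and roles.

```xml
<!-- Added example, not the product's shipped web.xml.
     Enables HTTP Basic authentication for the classic XAI servlet. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Classic XAI server</web-resource-name>
    <url-pattern>/classicxai</url-pattern>
    <!-- assumed: also protect any path-info variant if the servlet is mapped with a prefix -->
    <url-pattern>/classicxai/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- assumed role name; map it to real principals in the container's realm -->
    <role-name>xai-users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic credentials are only base64-encoded; require TLS for this URL -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- assumed realm name -->
  <realm-name>XAI</realm-name>
</login-config>

<security-role>
  <role-name>xai-users</role-name>
</security-role>
```

Without the auth-constraint the pattern is merely listed, not protected: a web-resource-collection with no auth-constraint still admits unauthenticated requests, which would then run as the Default User.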

By default, the system always attempts to further authenticate the request using the SOAP header information. This is true even if the request has already been authenticated by the Web server. Use the Enforce SOAP Authentication XAI Option to override this behavior so that a request already authenticated by the Web server does not require further authentication by the system.

If no SOAP authentication information is provided, the system then attempts to authenticate using the information in the HTTP header. You can force the system to use SOAP authentication only by means of the Attempt Classic Authentication XAI Option.

Currently the system supports only the standard Username Token Profile SOAP authentication method, in which the "Username", "Password" and "Encoding" information is used to authenticate the sender's credentials. The following is an example of a Username Token Profile in a SOAP header. Note that this example declares the wsse prefix with the XML Schema instance namespace; the namespace the OASIS WS-Security 1.0 specification defines for wsse is http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, and the Username Token Profile's text password type is http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText, which is what clients generated by standard WS-Security tooling send. A PasswordText token carries the password in the clear inside the SOAP message, so this method also needs HTTPS on the transport.

	<SOAP-ENV:Envelope xmlns:SOAP-ENV="urn:schemas-xmlsoap-org:envelope">
	  <SOAP-ENV:Header xmlns:wsse="http://www.w3.org/2001/XMLSchema-instance">
	    <wsse:Security>
	      <wsse:UsernameToken>
	        <wsse:Username>MYUSERID</wsse:Username>
	        <wsse:Password Type="PasswordText">MYPASSWORD</wsse:Password>
	      </wsse:UsernameToken>
	    </wsse:Security>
	    <SOAPActionVersion>2.0.0</SOAPActionVersion>
	  </SOAP-ENV:Header>
	  <SOAP-ENV:Body>
	  ...
	  </SOAP-ENV:Body>
	</SOAP-ENV:Envelope>

By default both the user-id and the password are authenticated. You can use the System Authentication Profile XAI Option to change this. Authenticating the user-id alone accepts any request that names a valid user, so choose that setting only where the transport or the Web server already authenticates the sender.

Note: Custom authentication. You can override the base package user credentials authentication logic using the System Authentication Class XAI Option.
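The following is an added example that models, in Python, the authentication precedence described above (SOAP UsernameToken first, then the HTTP Basic header, then the Default User, with the Enforce SOAP Authentication and Attempt Classic Authentication options altering the order) together with a parser for the Username Token shown in the SOAP header example. It is not the XAI servlet's own code. The option names are the page's; how their values are encoded, the function names, the sample envelope and the sample user table are assumptions made for the example. The verify callback stands in for the System Authentication Class.

```python
"""Added example modelling the XAI server's authentication precedence.
Not Oracle's XAI servlet code; option value encodings, names and sample data are assumptions."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


class AuthenticationError(Exception):
    pass


@dataclass
class XaiOptions:
    # Assumed encoding of the XAI options named on the page.
    enforce_soap_authentication: bool = True    # True = page default: check SOAP credentials even if the web server already authenticated
    attempt_classic_authentication: bool = True  # True = page default: fall back to the HTTP Authorization header when no SOAP token
    default_user: Optional[str] = None           # Default User option; used only when nothing else identifies the caller


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}Username' -> 'Username'."""
    return tag.rsplit('}', 1)[-1]


def soap_credentials(envelope_xml: str):
    """Return (username, password) from the first UsernameToken in the SOAP Header, or None.
    Matches on local names, so the page's wsse namespace and the OASIS one are both accepted."""
    root = ET.fromstring(envelope_xml)
    header = next((c for c in root if _local(c.tag) == 'Header'), None)
    if header is None:
        return None
    for token in header.iter():
        if _local(token.tag) != 'UsernameToken':
            continue
        user = password = None
        for child in token:
            if _local(child.tag) == 'Username':
                user = (child.text or '').strip()
            elif _local(child.tag) == 'Password':
                # Only the text password form of the Username Token Profile is supported (page: "PasswordText").
                if not child.get('Type', 'PasswordText').endswith('PasswordText'):
                    raise AuthenticationError('unsupported Password Type: %s' % child.get('Type'))
                password = child.text or ''
        if user:
            return user, password
    return None


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a client sends for HTTP Basic authentication."""
    token = base64.b64encode(('%s:%s' % (user, password)).encode('utf-8')).decode('ascii')
    return {'Authorization': 'Basic ' + token}


def basic_credentials(http_headers: dict):
    """Return (username, password) from an HTTP Basic Authorization header, or None if absent or malformed."""
    scheme, _, token = http_headers.get('Authorization', '').partition(' ')
    if scheme.lower() != 'basic' or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(':')
    return (user, password) if sep and user else None


def resolve_user(envelope_xml: str, http_headers: dict, remote_user: Optional[str],
                 options: XaiOptions, verify) -> str:
    """Return the user-id to hand to the application server, following the page's precedence.
    remote_user is the user-id the web server (container) already authenticated, or None.
    verify(user, password) -> bool stands in for the System Authentication Class."""
    # 1. Already authenticated by the web server and the Enforce SOAP Authentication override is off.
    if remote_user and not options.enforce_soap_authentication:
        return remote_user
    # 2. Page default: look for a SOAP UsernameToken first.
    creds = soap_credentials(envelope_xml)
    # 3. No SOAP token: fall back to the HTTP header unless classic authentication is switched off.
    if creds is None:
        if not options.attempt_classic_authentication:
            raise AuthenticationError('SOAP UsernameToken required')
        creds = basic_credentials(http_headers)
    # 4. Nothing at all: behave like a classic server without basic authentication enabled.
    if creds is None:
        if options.default_user is None:
            raise AuthenticationError('no credentials and no Default User configured')
        return options.default_user
    user, password = creds
    if not verify(user, password):
        raise AuthenticationError('invalid credentials for %s' % user)
    return user


def rejects(*args) -> bool:
    """True when resolve_user raises AuthenticationError for these arguments."""
    try:
        resolve_user(*args)
    except AuthenticationError:
        return True
    return False


# Constructed sample data for the demonstration (not real accounts or messages).
SAMPLE_ENVELOPE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="urn:schemas-xmlsoap-org:envelope">
  <SOAP-ENV:Header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Security><wsse:UsernameToken>
      <wsse:Username>MYUSERID</wsse:Username>
      <wsse:Password Type="PasswordText">MYPASSWORD</wsse:Password>
    </wsse:UsernameToken></wsse:Security>
    <SOAPActionVersion>2.0.0</SOAPActionVersion>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body/>
</SOAP-ENV:Envelope>"""
NO_TOKEN_ENVELOPE = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="urn:schemas-xmlsoap-org:envelope">'
                     '<SOAP-ENV:Body/></SOAP-ENV:Envelope>')
SAMPLE_USERS = {'MYUSERID': 'MYPASSWORD', 'BATCHUSER': 'S3cret'}  # constructed


def sample_verify(user: str, password: str) -> bool:
    """Stand-in for the System Authentication Class: checks the constructed user table."""
    return SAMPLE_USERS.get(user) == password


if __name__ == '__main__':
    print(resolve_user(SAMPLE_ENVELOPE, {}, None, XaiOptions(), sample_verify))
    print(resolve_user(NO_TOKEN_ENVELOPE, basic_header('BATCHUSER', 'S3cret'), None, XaiOptions(), sample_verify))
```

Step 4 is the part to watch in a real deployment: with a Default User configured, a request carrying no credentials at all is not rejected but executed as that user, which is why the model refuses instead when no Default User is set.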