When you create a Web Service, you have the option of applying security constraints so that only approved clients (those with administrator privileges, for example) can execute it. You specify the security constraints using a security configuration, which is a repository item that stores information that controls access to the Web Service. You can create any number of different security configurations using the Web Services Administration UI, and you can apply a security configuration to any number of Web Services.

A security configuration has a corresponding security policy component, plus an optional ACL. A security configuration is identified by its functional name, which is a property of the repository item that maps the security configuration to a security component and ACL.

This section describes the main components involved in securing Web Service methods, as well as how to create security configurations through the Web Services Administration UI. For a broader discussion of the Oracle ATG Web Commerce security API, see the Managing Access Control section in the ATG Platform Programming Guide.

Security Components

There are two primary components involved in securing a Web Service method:


At startup time, the NucleusSecurityManager retrieves the repository items from the NucleusSecurityRepository (described below) and creates an internal mapping between each functional name and the SecurityPolicy component and ACL associated with it.

When a client calls a Web Service, the service invokes the hasAccess() method on the /atg/webservice/security/NucleusSecurityManager component, passing it the functional name of the service’s security configuration, the name of the Nucleus component and method exposed by the service, and a Map containing the method’s parameters. The NucleusSecurityManager uses the functional name to find the associated SecurityPolicy component and ACL, applies them to the call, and returns the result (true or false) to the client. If true is returned, the Nucleus method exposed by the Web Service is invoked; if false is returned, access to the method is denied, and an exception of class atg.security.SecurityException is thrown.

If the NucleusSecurityManager is unable to apply the security configuration to a Web Service call (for example, if the SecurityPolicy is not valid), it determines whether to grant access based on the value of its defaultGrantAccess property. The default value of this property is false (deny access).

Setting defaultGrantAccess to true facilitates the development process, because it allows any Web Service that does not have an associated security configuration to be called by any client.

For deployment purposes, though, this behavior is undesirable, because of the security risks involved. Therefore, when you enable liveconfig settings for the Oracle ATG Web Commerce platform, the defaultGrantAccess property is set to false. Note, however, that this means that each of your Web Services must have an associated security configuration, because any call to a service without a security configuration will fail.

For information about enabling liveconfig settings, see the ATG Installation and Configuration Guide


Web Service security configurations are stored in the NucleusSecurityRepository. This repository includes a single item descriptor called nucleusSecurity, which has properties called functionalName, policy, and ACL. The NucleusSecurityManager parses the items in this repository at startup time.

The Web Services Administration interface provides an easy way to add new security configurations to this repository. See the next section for details.

Creating and Editing Security Configurations

The Web Services Administration page in the Dynamo Server Admin includes a Web Service Security Manager link that takes you to a page that where you can view and edit the security configurations stored in the NucleusSecurityRepository, or create new security configurations.

Follow these steps to create a new security configuration:

The new security configuration appears on the main Web Service Security Configurations page. If you need to make changes to it, click the Edit link to open the Edit Web Service Security Configuration page. Note that you cannot change the functional name.

Copyright © 1997, 2013 Oracle and/or its affiliates. All rights reserved. Legal Notices