
About Authentication and Authorization


This topic provides information about Oracle Self-Service E-Billing user authentication and authorization by using Web services.

About Authentication with Web Services

To invoke Oracle Self-Service E-Billing Web services to create, read, update or delete (CRUD) business objects, the caller must be authenticated as a registered user. The Oracle Self-Service E-Billing REST services server authenticates REST service users in the same way as users who log in through the Oracle Self-Service E-Billing Web application. Once a user is authenticated, the REST services server returns a token to the client. The client must send that token on every subsequent REST services request in an HTTP request header named ebrstoken. For example, in the Jersey client you can use the WebResource.Builder.header(name,value) method to add the ebrstoken header with the token as its value. The token is a bearer credential: whoever presents it is treated as the authenticated user, so send it only over HTTPS and keep it out of logs and URLs.

The token has an expiration period; the default is 20 minutes. The default token is a 48-character string. You can optionally change both the token length and its lifetime in the webservice.xma.xml file, located in the following directory:

  • UNIX. edx_home/xma/config/modules/webservice
  • Windows. edx_home\xma\config\modules\webservice

Change the property values in the IWebserviceAuthTokenProvider bean.

By default, Oracle Self-Service E-Billing uses its preconfigured authentication provider to authenticate users. You can use a different authentication provider, such as an external system. For information on how to customize Oracle Self-Service E-Billing to use a different authentication server, see Implementation Guide for Oracle Self-Service E-Billing.

About Authorization with Web Services

The Oracle Self-Service E-Billing REST services server uses the same authorization scheme as the Oracle Self-Service E-Billing Web application. For example, if a request is made on behalf of a registered user to the /analytics/accounts service, only the accounts that the user is permitted to access are returned in the response. In addition, the Web services server exposes capabilities that the Oracle Self-Service E-Billing Web application does not support, so the REST services server enforces additional authorization rules for them. For example, through a REST services request the CSR administrator can create and update companies, accounts, or service agreements.

Protection from Cross-Site Request Forgery

Oracle Self-Service E-Billing uses the Jersey server-side request filter, com.sun.jersey.api.container.filter.CsrfProtectionFilter, to protect against cross-site request forgery (CSRF). The filter checks for an X-Requested-By header on every state-changing request, that is, every request whose method is not GET, HEAD or OPTIONS. If the header is missing, the server returns Response.Status.BAD_REQUEST (HTTP 400) to the client. Only the presence of the header is checked, not its value. The defense works because a browser will not attach a custom header such as X-Requested-By to a cross-site request without a CORS preflight, so a request forged from another origin is rejected before it reaches the resource.

Every state-changing request from the client must therefore carry an X-Requested-By header. The simplest way is to register the matching client filter that Jersey provides, com.sun.jersey.api.client.filter.CsrfProtectionFilter, in the client application; it adds the header automatically to every request whose method is not GET, HEAD or OPTIONS. See the following URL for details:

http://jersey.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/api/client/filter/CsrfProtectionFilter.html

You might have to add the following lines to your client code:

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.filter.CsrfProtectionFilter;

// client is the Jersey 1.x com.sun.jersey.api.client.Client used for all requests
CsrfProtectionFilter csrfFilter = new CsrfProtectionFilter();
client.addFilter(csrfFilter);   // adds X-Requested-By to every state-changing request
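The following Jersey 1.x client puts the two halves of this page together: it authenticates, sends the returned token in the ebrstoken header on every later request (re-authenticating before the default 20-minute lifetime lapses), and registers the client-side CsrfProtectionFilter so that state-changing requests pass the server-side check. It is an added example, not code from Oracle or the product documentation. The /login path, the username and password form fields, returning the token as the plain response body, the /accounts/{id} update path, the JSON content type and the base URL and credentials are all assumptions made for illustration; only the ebrstoken header name, the /analytics/accounts service and the two CsrfProtectionFilter classes come from the page.

```java
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.filter.CsrfProtectionFilter;
import com.sun.jersey.api.representation.Form;
import javax.ws.rs.core.MediaType;
import java.util.concurrent.TimeUnit;

/** Minimal Jersey 1.x client for the Oracle Self-Service E-Billing REST services (added example). */
public class EbillingRestClient {

    /** Header name the REST services server expects the token in (from the page). */
    static final String TOKEN_HEADER = "ebrstoken";

    /** Default token lifetime is 20 minutes; re-authenticate 30 s early rather than race the expiry. */
    static final long TOKEN_LIFETIME_MS =
            TimeUnit.MINUTES.toMillis(20) - TimeUnit.SECONDS.toMillis(30);

    private final Client client;
    private final String baseUrl;
    private final String user;
    private final String password;
    private String token;          // value returned by the server after authentication
    private long tokenIssuedAtMs;  // when we received it, to anticipate expiry

    EbillingRestClient(String baseUrl, String user, String password) {
        this.baseUrl = baseUrl;
        this.user = user;
        this.password = password;
        this.client = Client.create();
        // Client-side CSRF filter: adds X-Requested-By to every request whose method is
        // not GET, HEAD or OPTIONS. Without it the server-side CsrfProtectionFilter
        // answers 400 Bad Request to POST/PUT/DELETE.
        this.client.addFilter(new CsrfProtectionFilter());
    }

    /**
     * Authenticate and capture the token.
     * ASSUMPTION: the /login path, the form field names and the token arriving as the
     * plain response body are hypothetical; the page only says that the server returns
     * a token once the user is authenticated.
     */
    void login() {
        Form form = new Form();
        form.add("username", user);
        form.add("password", password);
        ClientResponse resp = client.resource(baseUrl + "/login")
                .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
                .post(ClientResponse.class, form);   // POST: CsrfProtectionFilter adds X-Requested-By
        if (resp.getStatus() != 200) {
            throw new IllegalStateException("authentication failed: HTTP " + resp.getStatus());
        }
        token = resp.getEntity(String.class).trim();
        tokenIssuedAtMs = System.currentTimeMillis();
    }

    /** Build a request that carries the ebrstoken header, re-authenticating if the token is near expiry. */
    WebResource.Builder authenticated(String path) {
        if (token == null || System.currentTimeMillis() - tokenIssuedAtMs > TOKEN_LIFETIME_MS) {
            login();
        }
        // WebResource.Builder.header(name, value) is the call the page recommends.
        return client.resource(baseUrl + path).header(TOKEN_HEADER, token);
    }

    /** Read-only call; the server returns only the accounts this user is authorized to see. */
    String listAccounts() {
        return authenticated("/analytics/accounts").get(String.class);   // GET: no X-Requested-By needed
    }

    /** State-changing call; the CSRF filter must add X-Requested-By or the server answers 400. */
    ClientResponse updateAccount(String accountId, String jsonBody) {
        // ASSUMPTION: the /accounts/{id} path and the JSON representation are hypothetical.
        return authenticated("/accounts/" + accountId)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .put(ClientResponse.class, jsonBody);
    }

    public static void main(String[] args) {
        // Hypothetical base URL and credentials.
        EbillingRestClient c = new EbillingRestClient("https://ebilling.example.com/ebrs", "csr1", "secret");
        System.out.println(c.listAccounts());
        System.out.println("update: HTTP " + c.updateAccount("1", "{}").getStatus());

        // Negative check: a client WITHOUT the CSRF filter, even with a valid token,
        // gets 400 Bad Request on a state-changing request from the server-side filter.
        Client bare = Client.create();
        ClientResponse r = bare.resource("https://ebilling.example.com/ebrs/accounts/1")
                .header(TOKEN_HEADER, c.token)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .put(ClientResponse.class, "{}");
        System.out.println("without X-Requested-By: HTTP " + r.getStatus());
    }
}
```

The re-authentication in authenticated() is a client-side convenience only: the server still enforces the token lifetime from webservice.xma.xml, so a token that is rejected as expired must be replaced by logging in again regardless of what the client's clock says. The negative check at the end shows why the filter is registered once on the Client rather than added per request: any code path that builds a state-changing request without it is rejected with 400 before it reaches the resource.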

Web Services Reference for Oracle Self-Service E-Billing Copyright © 2013, Oracle and/or its affiliates. All rights reserved.