
About Authentication and Authorization


This topic provides information about Oracle Self-Service E-Billing user authentication and authorization by using Web services.

About Authentication with Web Services

To invoke Oracle Self-Service E-Billing Web services to create, read, update or delete (CRUD) business objects, the caller must be authenticated as a registered user. The Oracle Self-Service E-Billing REST services server authenticates REST service users in the same way as users who log in to the Oracle Self-Service E-Billing Web application. Once a user is authenticated, the REST services server returns a token to the client. The client must add an HTTP header named ebrstoken, whose value is the returned token, to every subsequent REST services request. For example, in the Jersey client, you can use the WebResource.Builder.header(name,value) method to add the ebrstoken header with the token value to the request.

The token has an expiration period; the default is 20 minutes. The default token is a string of 48 characters. You can optionally change both the token length and its lifetime in the webservice.xma.xml file, located in the following directory:

  • UNIX. EDX_HOME/xma/config/modules/webservice
  • Windows. EDX_HOME\xma\config\modules\webservice

Change the property values in the IWebserviceAuthTokenProvider bean.

By default, Oracle Self-Service E-Billing uses its preconfigured authentication provider to authenticate users. You can use a different authentication provider, such as an external system. For information on how to customize Oracle Self-Service E-Billing to use a different authentication server, see Implementation Guide for Oracle Self-Service E-Billing.

About Authorization with Web Services

The Oracle Self-Service E-Billing REST services server uses the same authorization scheme as the Oracle Self-Service E-Billing Web application. For example, if a request is made on behalf of a registered user to the /analytics/accounts service, then only the accounts that the user is permitted to access are returned in the response. In addition, the Web service server provides capabilities that are not supported in the Oracle Self-Service E-Billing Web application, so the Oracle Self-Service E-Billing REST services server enforces additional authorization rules for them. For example, using a REST services request, the CSR administrator can create and update companies, accounts, or service agreements.

Protection from Cross-Site Request Forgery

Oracle Self-Service E-Billing uses the server-side request filter com.sun.jersey.api.container.filter.CsrfProtectionFilter to protect against cross-site request forgery (CSRF) attacks. By default, the request filter checks for an X-Requested-By header in every incoming HTTP request other than GET, OPTIONS, or HEAD. If the header is not present, the filter rejects the request with Response.Status.BAD_REQUEST (HTTP 400).

You must add an X-Requested-By header with an arbitrary value to all HTTP POST, PUT and DELETE requests sent to your REST endpoints.
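The following is an added, self-contained model of the two request checks described above (the ebrstoken header with its 48-character, 20-minute default token, and the CsrfProtectionFilter rule for X-Requested-By); it is not Oracle's code. The TokenStore class, the 401 status for a missing or expired token, and the order in which the two checks run are assumptions made for illustration.

```python
import secrets

# Defaults stated in the documentation: a 48-character token valid for 20 minutes.
TOKEN_LENGTH = 48
TOKEN_TTL_SECONDS = 20 * 60
# Methods that CsrfProtectionFilter exempts from the X-Requested-By requirement.
CSRF_EXEMPT_METHODS = {"GET", "OPTIONS", "HEAD"}


class TokenStore:
    """Hypothetical in-memory store mapping issued ebrstoken values to expiry times."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self.tokens = {}

    def issue(self, now):
        # secrets.token_hex(24) produces 48 hexadecimal characters.
        token = secrets.token_hex(TOKEN_LENGTH // 2)
        self.tokens[token] = now + self.ttl
        return token

    def is_valid(self, token, now):
        expiry = self.tokens.get(token)
        if expiry is None:
            return False
        if now >= expiry:
            del self.tokens[token]  # purge the expired token so it cannot be replayed
            return False
        return True


def filter_request(method, headers, store, now):
    """Return the HTTP status the modelled filters would produce.

    200: request may proceed to the resource.
    400: state-changing request without X-Requested-By (CsrfProtectionFilter).
    401: ebrstoken missing, unknown or expired (assumed status; not specified by the page).
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {name.lower(): value for name, value in headers.items()}
    # Modelling choice: the CSRF filter runs before token validation.
    if method.upper() not in CSRF_EXEMPT_METHODS and "x-requested-by" not in hdrs:
        return 400
    token = hdrs.get("ebrstoken")
    if token is None or not store.is_valid(token, now):
        return 401
    return 200
```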

Web Services Reference for Oracle Self-Service E-Billing Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.