About Web Services Security


Oracle Billing Insight Web services use Basic authentication. Custom token authentication is also supported, but it requires configuration, as described in Configuring Token-Based Authentication.

HTTP Basic authentication (BA) is the simplest method for enforcing access controls to Web resources because cookies, session identifiers, and login pages are not required. Instead, HTTP Basic authentication uses standard fields in the HTTP header, eliminating the need for handshakes. Basic authentication should be used over HTTPS: the transmitted credentials are only Base64 encoded in transit, not encrypted or hashed, so anyone who can read the connection can recover them.

With custom token authentication, the authentication API generates a unique token for each registered API user, and then the token for the user is included with each request to the service.

A token is a secure random text string with a default length of 48 characters. The following string is an example of a token:

Dlc7lkpeVp9InmOUB82dJMg6LF7WQ6ZnujTHq8zP94uCWtjg

When a token is created, it is held on the server temporarily and expires automatically after a configurable period. The default expiry period is 20 minutes and is preconfigured. The valid token must be passed in an HTTP header with each subsequent Web service request. If a request is made with an invalid or expired token, then an exception with status code 401, the standard code for unauthorized access, is returned.

User roles determine which functionality and data a user can access. For details about permissions assigned to each user role, see Implementation Guide for Oracle Billing Insight.

Using Basic Authentication

For basic authentication, you send the authentication credentials to the server for each service request.

To use basic authentication

  • Place the authentication credentials in the Authorization field of the request header.
  • Place the authorization method and a space (such as "Basic ") before the encoded user and password string. Combine the username and password into a single string separated by a colon, as in username:password, and encode the resulting string using the RFC 2045 MIME variant of Base64, except that the output is not limited to 76 characters per line.

    For example, for user agent name ftown and password Password1234, the field is formed as follows:

    Authorization: Basic ZnRvd246UGFzc3dvcmQxMjM0
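The header construction above and the token lifecycle described under About Web Services Security, as an added Python example (not Oracle's code): it builds and decodes the Basic Authorization value, reproducing the ftown example, and models a server-side token cache with the 48-character token and 20-minute expiry, answering 401 for unknown or expired tokens. The token alphabet, the injectable clock and the TokenStore class are assumptions for illustration; the page names neither the token header nor the server implementation.

```python
import base64
import secrets
import string
import time
from typing import Optional

# Defaults taken from the page: 48-character token, 20-minute lifetime.
TOKEN_LENGTH = 48
TOKEN_TTL_SECONDS = 20 * 60
_ALPHABET = string.ascii_letters + string.digits  # assumed token alphabet


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value: 'Basic ' + Base64(username:password)."""
    if ":" in username:
        raise ValueError("username must not contain ':' (RFC 7617)")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(value: str) -> Optional[tuple[str, str]]:
    """Server-side decode: (user, password), or None for a malformed header."""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


class TokenStore:
    """Hypothetical server-side cache: issue a random token, expire it after TTL."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._tokens: dict[str, tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        token = "".join(secrets.choice(_ALPHABET) for _ in range(TOKEN_LENGTH))
        self._tokens[token] = (user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token: str) -> tuple[int, Optional[str]]:
        """Return (HTTP status, user): 200 for a valid token, 401 otherwise."""
        entry = self._tokens.get(token)
        if entry is None:
            return 401, None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._tokens[token]  # purge the expired token
            return 401, None
        return 200, user
```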

Configuring Token-Based Authentication

Oracle Billing Insight uses Basic authentication by default. If you want to use token-based authentication, you must modify the configuration in the spring-security.xml file.

To configure Oracle Billing Insight to use token-based authentication

  1. Edit the spring-security.xml file located in the EDX_HOME/config/security/rs/ directory.
  2. Uncomment the configuration XML for token-based authentication in the <security:http> section marked for token-based authentication.
  3. Comment out the configuration XML for Basic authentication in the <security:http> section below the one you uncommented, which begins:

    <security:http create-session="stateless" use-expressions="false">

  4. Save the file.
Web Services Reference for Oracle Billing Insight Copyright © 2016, Oracle and/or its affiliates. All rights reserved. Legal Notices.