Oracle® Retail Service Backbone Security Guide
14.0
E49442-01
5 Security Considerations for Developers

Implementing security at an enterprise level involves making effective trade-offs and integrating security throughout your software development life cycle. One of the most effective ways to deal with security is to leverage proven principles, patterns, and practices. The key is to know which principles, patterns, and practices are effective for your particular situation.

Designing a Web service with security in mind presents an interesting set of challenges. Some are unique to service-oriented architecture and some are similar to the challenges that enterprise Web application development teams face.

A Web service is most commonly implemented as a wrapper; that is, as an interface between a consuming service and the back-end business logic components doing the actual work. A Web service acts as a trust boundary in your application architecture. By nature, a Web service acts as a gateway between the trusted business components and the less trusted or untrusted client components. For this reason, it is impossible to think about the security of a Web service without thinking about authentication, authorization, protection of sensitive data on the network, and handling potentially malicious input. Each of these areas represents key decisions you need to make in order to maintain the security of your application.

By following security best practices during the design of your Web service, you draw on proven practices that improve your decision-making and have a cascading positive effect on the overall security of your application. Use the following design guidelines to avoid spending effort re-solving security problems for which best practices already exist:

Oracle Retail Web Service Security General Principles

Oracle Retail, at an enterprise level, does not try to dictate to customers the security policy they must use in their enterprise. Oracle Retail does provide security recommendations for its applications.

The RSB services security principles must be able to fit into your predefined corporate security policies / guidelines. Oracle Retail applications test, certify, and document a few commonly used security policies that work out of the box with minimal effort.

You are free to reconfigure to a higher or lower level of Web service security than that certified by Oracle Retail. In such situations, Oracle Retail does not provide setup or configuration documentation; you should follow the Fusion Middleware documentation and set up the system on your own. Such a security configuration is supported (as long as Fusion Middleware supports it) but not certified by Oracle Retail.

Technical Guidelines and Standards

Consider the following technical guidelines and standards while implementing security:

  • All Web services provided by Oracle Retail must advertise their security policy in their WSDL file.

  • Standard WS-Security 1.1 with WS-SecurityPolicy 1.2 assertions must be used in the WSDL files.

  • Retail applications running on WebLogic server must use the newer WebLogic policy files. These files are prefixed with Wssp1.2-2007-.

  • Avoid building custom security policy files and use out-of-the-box policies available in WebLogic server and OWSM.

  • Authorization and data security are not within the scope of Web service security. Any such security requirement must be fulfilled by the individual applications.
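The first two guidelines above (every service advertises its security policy in its WSDL, and that policy uses WS-SecurityPolicy 1.2 assertions) can be verified mechanically from the published WSDL. The following checker is an added example written for this guide; it is not Oracle Retail or WebLogic code. It assumes a WSDL 1.1 document in which policies are declared as `wsp:Policy` elements carrying a `wsu:Id` and attached to each `wsdl:binding` through a `wsp:PolicyReference`, which is how WebLogic and OWSM publish policies. It recognises both WS-Policy namespaces and treats the WS-SecurityPolicy 1.2 namespace (`.../ws-securitypolicy/200702`) as the marker for a 1.2 assertion. The sample WSDL is constructed for the example; its policy id only imitates the `Wssp1.2-2007-` naming convention mentioned above.

```python
"""Check that every binding in a WSDL advertises a WS-SecurityPolicy 1.2 policy.

Added example for this guide; not part of Oracle Retail or WebLogic.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# WS-SecurityPolicy 1.2 assertions live in this namespace.
SP12_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# WS-Policy 1.2 and WS-Policy 1.5 namespaces; either may wrap the assertions.
WSP_NAMESPACES = (
    "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "http://www.w3.org/ns/ws-policy",
)


def _declared_policies(root):
    """Map wsu:Id -> wsp:Policy for every identified policy in the document."""
    policies = {}
    for ns in WSP_NAMESPACES:
        for pol in root.iter(f"{{{ns}}}Policy"):
            pid = pol.get(f"{{{WSU_NS}}}Id")
            if pid:
                policies[pid] = pol
    return policies


def _uses_sp12(policy):
    """True when at least one element inside the policy is a WS-SecurityPolicy 1.2 assertion."""
    return any(el.tag.startswith(f"{{{SP12_NS}}}") for el in policy.iter())


def check_wsdl(wsdl_text):
    """Return a list of findings; an empty list means every binding passes."""
    root = ET.fromstring(wsdl_text)
    policies = _declared_policies(root)
    findings = []
    for binding in root.findall(f"{{{WSDL_NS}}}binding"):
        name = binding.get("name")
        refs = []
        for ns in WSP_NAMESPACES:
            refs.extend(binding.findall(f"{{{ns}}}PolicyReference"))
        if not refs:
            findings.append(f"binding '{name}': no wsp:PolicyReference, security policy not advertised")
            continue
        for ref in refs:
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                # A remote policy cannot be checked offline; report it for manual review.
                findings.append(f"binding '{name}': external policy reference '{uri}' not verifiable from the WSDL alone")
                continue
            pol = policies.get(uri[1:])
            if pol is None:
                findings.append(f"binding '{name}': dangling policy reference '{uri}'")
            elif not _uses_sp12(pol):
                findings.append(f"binding '{name}': policy '{uri}' carries no WS-SecurityPolicy 1.2 assertions")
    return findings


# Constructed sample WSDL: one binding attaches an HTTPS + UsernameToken policy,
# the other advertises nothing and should be reported.
SAMPLE_WSDL = """<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="InventoryService"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy wsu:Id="Wssp1.2-2007-Https-UsernameToken-Plain">
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
    </wsp:Policy></sp:TransportBinding>
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <wsdl:binding name="SecuredBinding">
    <wsp:PolicyReference URI="#Wssp1.2-2007-Https-UsernameToken-Plain"/>
  </wsdl:binding>
  <wsdl:binding name="UnsecuredBinding"/>
</wsdl:definitions>
"""

if __name__ == "__main__":
    for finding in check_wsdl(SAMPLE_WSDL) or ["all bindings advertise a WS-SecurityPolicy 1.2 policy"]:
        print(finding)
```

Run against a deployed service by fetching its `?WSDL` URL and passing the text to `check_wsdl`; a binding with no policy reference, a reference to a missing policy, or a policy with no 1.2 assertions each produces a finding, so the script can gate a deployment pipeline on an empty result.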