Web Services Security


The Oracle CRM On Demand Web Services Integration framework includes the following security features:

  • The mustUnderstand attribute of Simple Object Access Protocol (SOAP) 1.1 is supported. This allows a client to specify that the target server must be capable of processing all parameters in the SOAP request header; otherwise, the request must be rejected.
  • SOAP message validation is performed, for example, to check for badly formed SOAP requests or for SOAP header elements that are not namespace-qualified.
  • Support is provided for the WS-I Basic Security Profile Version 1.0. For more information, see Support for the WS-I Basic Security Profile Version 1.0.
  • All communications are encrypted with Secure Sockets Layer (SSL) for security (minimum 128-bit).
  • Access is session-based, requiring authorization with a valid Oracle CRM On Demand user name and password.
  • Inactive sessions are reused or closed automatically after a period of inactivity.
  • The same data visibility and access capabilities that apply to users in the Oracle CRM On Demand hosted service are applied to users connected through the Web services interface. Data visibility and access are restricted by the role that your company assigns. Permissions are checked for every data access.
  • A full audit trail of Web services activity is available through Oracle CRM On Demand's Administration pages. These pages display both current and historical usage statistics.
  • A number of other proprietary solutions protect Oracle CRM On Demand against malicious use of the Web services interface. These solutions are constantly reviewed and improved as new technologies and techniques become available.

A session is created with a standard HTTPS request to establish a connection with Oracle CRM On Demand through the Web services interface. A client can create a new session with the login operation and close it with the logoff operation. When a session is created, an encrypted session identifier is provided to the client, which, for stateful Web services requests, must be included in all subsequent requests during that session. For more information, see About Establishing and Managing the Web Services Session.

Support for the WS-I Basic Security Profile Version 1.0

Support is provided for the WS-I Basic Security Profile Version 1.0, which describes the set of parameters used to authenticate a Web services transaction.

Oracle CRM On Demand has implemented support for the Username and PasswordType parameters, which are part of the UserNameToken standards. This allows a username and password to be passed with a SOAP request, which removes the necessity for a separate login operation. For more information, see Using Stateless Web Service Requests.

Passwords can be specified as type PasswordText only, which means that the password is in clear text format.

WSSE Namespace Support

The SOAP headers of messages received by Oracle CRM On Demand are validated to ensure that they are namespace-qualified. Oracle CRM On Demand supports the following namespace values when specifying the WSSE namespace in a SOAP request:

  • Draft Namespaces:
    • wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    • wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
  • Version 1.0 Namespace: wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

    The WSSE Version 1.0 namespace must be specified to perform a stateless transaction. (In addition, the Web Services R16 Compatibility Mode check box must be cleared in the Company Profile page and the Username and PasswordText tokens must be provided in the request.)

For more information about stateless transactions and the use of the WSSE namespace, see Establishing and Managing the Web Services Session.
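The following client-side check is an added example, not Oracle code: it builds a SOAP 1.1 envelope carrying a UsernameToken and verifies, before anything is sent, the conditions this page gives for a stateless request (namespace-qualified header elements, the WSSE Version 1.0 namespace, Username and PasswordText tokens) plus an HTTPS endpoint, because PasswordText is clear text. The function names, the sample credentials and the endpoint URL are assumptions; the PasswordText Type URI is the one defined by the OASIS UsernameToken Profile 1.0.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
WSSE_V1 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE_DRAFT = {"http://schemas.xmlsoap.org/ws/2002/04/secext",
              "http://schemas.xmlsoap.org/ws/2002/07/secext"}
# Type URI from the OASIS UsernameToken Profile 1.0
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def build_envelope(username, password, wsse_ns=WSSE_V1):
    """Build a SOAP 1.1 envelope with a UsernameToken header (hypothetical helper)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{wsse_ns}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{wsse_ns}}}UsernameToken")
    ET.SubElement(token, f"{{{wsse_ns}}}Username").text = username
    ET.SubElement(token, f"{{{wsse_ns}}}Password", {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(env, f"{{{SOAP}}}Body")  # operation payload is outside this example
    return ET.tostring(env, encoding="unicode")

def preflight(envelope_xml, endpoint_url):
    """Return the problems that would break or weaken a stateless request."""
    problems = []
    if urlparse(endpoint_url).scheme != "https":
        problems.append("PasswordText is clear text: endpoint must be https")
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header")
    if header is None:
        return problems + ["no SOAP Header"]
    for child in header:
        if not child.tag.startswith("{"):
            problems.append(f"header element <{child.tag}> is not namespace-qualified")
    sec = next((c for c in header if c.tag.endswith("}Security")), None)
    if sec is None:
        return problems + ["no namespace-qualified Security header element"]
    ns = sec.tag[1:].split("}")[0]
    if ns in WSSE_DRAFT:
        problems.append("stateless request requires the WSSE Version 1.0 namespace")
    elif ns != WSSE_V1:
        problems.append(f"unsupported WSSE namespace {ns}")
    user = sec.find(f"{{{ns}}}UsernameToken/{{{ns}}}Username")
    pw = sec.find(f"{{{ns}}}UsernameToken/{{{ns}}}Password")
    if user is None or pw is None:
        problems.append("Username and Password tokens are both required")
    elif pw.get("Type") != PASSWORD_TEXT:
        problems.append("Password Type must be PasswordText")
    return problems
```

Running `preflight` on every outgoing envelope in a test suite catches a draft-namespace or plain-HTTP configuration before a clear-text password leaves the client.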

Oracle Web Services On Demand Guide, Version 25.0 (Oracle CRM On Demand Release 37) Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Legal Notices.