Oracle® Retail Home Security Guide, Release 19.0.001.1 (F29399-01)
Retail Home has several security features that protect the system and its data. See the following sections for more information.
Retail Home's security requirements come from the need to protect application data from unauthorized changes. This is accomplished by the following security features:
Authentication - Retail Home services restrict access to users that have been authenticated by the configured security provider.
Authorization - Retail Home uses enterprise roles to limit what features individual users can access.
Origin Control - Retail Home services implement the Cross-Origin Resource Sharing (CORS) protocol using a domain whitelist to limit where requests may be made from.
Transport Security - The Retail Home client and services communicate via REST calls from the client. The services also make SOAP calls if configured to use an OBIEE instance. These communications need to be secured.
The authentication mechanism for Retail Home depends on whether it is being run inside a hosted container or on a WebLogic Server instance.
When running in a hosted container, Retail Home is deployed behind an Oracle WTSS instance configured to authenticate users against Oracle IDCS. WTSS provides single sign-on for all applications protected by it, which should include all RGBU applications Retail Home is configured for. WTSS and IDCS configuration are covered in their respective documentation.
Retail Home checks for authentication against the same IDCS instance used for authorization.
When running in WebLogic Server, Retail Home can be configured to use authentication and authorization from any supported security provider. This includes running a WTSS instance that authenticates via IDCS in front of the WebLogic Server instance. Refer to the appropriate documentation for securely configuring your chosen security provider.
The Retail Home REST services restrict access to clients being served by trusted hosts. This is accomplished using a whitelist of allowed domains. Requests from domains that are not on the whitelist are rejected, and no CORS headers are applied to their responses.
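As an added illustration of the origin-control rule above (example code, not Retail Home's own implementation, which runs as Java services): a Python version of an origin allowlist check. The allowlist entries and hostnames are constructed; the check shows that a request whose Origin is not an exact match is rejected with no CORS headers, and that an allowed origin is echoed back verbatim rather than matched by substring or prefix.

```python
from urllib.parse import urlsplit

# Constructed allowlist of full origins (scheme://host[:port]) from which the
# Retail Home client is served. Hostnames here are placeholders.
ALLOWED_ORIGINS = {
    "https://retailhome.example.com",
    "https://rgbu-portal.example.com:8443",
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(origin):
    """Return 'scheme://host:port' for an Origin value, or None if malformed.

    Normalising makes an explicit default port equal to an implicit one and
    rejects values carrying a path, query, fragment or userinfo, which a real
    browser Origin never has.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}"


ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def cors_decision(origin_header):
    """Return (accept, headers) for a request with the given Origin header.

    accept=False means the caller rejects the request (e.g. HTTP 403) and, as
    the guide states, no CORS headers are applied. A missing Origin header is
    a same-origin or non-browser request, which origin control does not gate;
    authentication still applies to it.
    """
    if origin_header is None:
        return True, {}
    norm = normalize_origin(origin_header)
    if norm is None or norm not in ALLOWED:  # exact-match only, never a substring test
        return False, {}
    # Echo the validated origin, never '*' and never an unvalidated value.
    return True, {"Access-Control-Allow-Origin": origin_header.strip(), "Vary": "Origin"}
```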
To ensure the security of service calls made by Retail Home, follow these rules when configuring endpoints:
Always use TLS encryption. Endpoints should be HTTPS URLs and the servers should be configured to use trusted certificates.
Route access through WTSS or equivalent. Make sure all URLs point to the location exposed through WTSS, or are otherwise independently authenticated.