Retail Home has several security features that protect the system and its data. See the following sections for more information.
Retail Home's security requirements come from the need to protect application data from unauthorized changes. This is accomplished by the following security features:
Authentication - Retail Home services restrict access to users that have been authenticated by the configured security provider.
Authorization - Retail Home uses enterprise roles to limit what features individual users can access.
Origin Control - Retail Home services implement the Cross-Origin Resource Sharing (CORS) protocol using a domain allowlist to limit where requests may be made from.
Transport Security - The Retail Home client and services communicate via REST calls from the client. The services also make SOAP calls if configured to use an OBIEE instance. These communications need to be secured.
Retail Home is deployed behind an Oracle WTSS instance configured to authenticate users against Oracle IDCS. WTSS provides single sign-on for all applications it protects, which should include all RGBU applications Retail Home is configured for. WTSS and IDCS configuration are covered in their respective documentation.
Retail Home checks for authorization against the same IDCS instance used for authentication.
The Retail Home REST services restrict access to clients being served by trusted hosts. This is accomplished using an allowlist of allowed domains. Requests from domains that are not on the allowlist are rejected, and no CORS headers are applied to the responses. The domain allowlist is provided as part of the container configuration, and the container handles setting it on the services.
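The allowlist behaviour described above, as an added example that is not Retail Home's own code: an exact-match origin check that returns CORS headers only for listed domains. The domain names, the 403 status and the HTTPS-only rule are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist; Retail Home's real list comes from the container configuration.
ALLOWED_DOMAINS = frozenset({"retailhome.example.com", "apps.example.com"})


def parse_origin(origin):
    """Return a canonical 'https://host[:port]' string, or None if malformed."""
    try:
        parts = urlsplit(origin or "")
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # An Origin value is scheme://host[:port] only. Requiring HTTPS is an
    # assumption of this example, in line with the page's transport rules.
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    host = parts.hostname.lower()
    return f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"


def cors_decision(origin, allowed=ALLOWED_DOMAINS):
    """Decide on a request that carries an Origin header.

    Returns (status, headers). Off-list or malformed origins are rejected
    (403 is an assumed status) and get no CORS headers.
    """
    canonical = parse_origin(origin)
    if canonical is None:
        return 403, {}
    host = urlsplit(canonical).hostname
    # Exact match only: suffix or substring tests would accept look-alikes
    # such as retailhome.example.com.evil.test.
    if host not in allowed:
        return 403, {}
    # Echo the value rebuilt from parsed parts, never the raw header, and set
    # Vary so caches do not serve one origin's response to another.
    return 200, {"Access-Control-Allow-Origin": canonical, "Vary": "Origin"}
```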
To ensure the security of service calls made by Retail Home, follow these rules when configuring endpoints:
Always use TLS encryption. Endpoints should be HTTPS URLs and the servers should be configured to use trusted certificates.
Route access through WTSS or equivalent. Make sure all URLs point to the location exposed on WTSS, or to an endpoint that will otherwise be independently authenticated.