Authentication and Authorization

All client users accessing the OIPA APIs must be authenticated and authorized for data access and functional behavior.

Service and Caches

Module: Caches

Related functionality: Clearing Cache

Provides cache management operations within the OIPA REST Service Layer.

  • Cache refresh operations
  • Cache clearing operations
  • Runtime cache synchronization
  • Metadata and configuration reload support

Security includes authentication validation, authorization validation, role-based controls, and access-security controls for cache APIs.

Cache APIs follow the same OAuth 2.0 authentication and authorization framework used by the OIPA Service Layer REST APIs.

REST APIs for OIPA Web Services

The OIPA web services recently exposed as REST endpoints use the same header-based authorization mechanism as the existing SOAP web services. When testing these REST APIs, set the REST client's authentication type to No Auth (the endpoints do not use a standard Authorization header) and pass the credentials in the custom HTTP headers listed below.

The following existing SOAP web services are exposed through REST APIs:

  • FileReceived
  • PolicyValuation
  • ExposedComputation
  • ProcessPolicy

For these web services, authorization follows the header-based validation of the existing SOAP model; this is the mechanism to use for current testing.

REST Endpoint Examples:

  • http://hostname:portNumber/PASJava/rest/fileReceived
  • .../policyValuation
  • .../exposedComputation
  • .../processPolicy

Authorization Settings:

  • Set the authorization type to No Auth.

Required request headers:

  • Username: username
  • Password: password
  • PasswordType: PasswordText

Supported password types:

The PasswordType header is mandatory and case-sensitive; its value must match one of the following exactly:

  • PasswordText - plain-text password
  • PasswordDigest - hashed password

Note that PasswordText places the password in an HTTP header in the clear, so the REST endpoints should only be reached over TLS; the plain http:// endpoint examples above would expose it on the wire.

Hashed-password authentication is controlled through the existing configuration property, which is shared between the SOAP and REST web services:

webservice.allowHashedPassword=No

When the property is set to No:

  • PasswordDigest authentication is disabled; a request with PasswordType set to PasswordDigest is rejected.
  • PasswordText must be used for authentication.

When hashed-password support is enabled through this property:

  • PasswordDigest can be used instead of PasswordText.

The REST versions of these web services reuse the existing SOAP header-driven authorization logic, so password validation and security behavior are identical between the two.

Request flow:

  1. The client invokes the REST endpoint.
  2. The Username, Password, and PasswordType headers are validated for presence and value.
  3. The PasswordType is checked against webservice.allowHashedPassword (PasswordDigest is rejected when the property is No).
  4. If authentication succeeds, the request is processed.
  5. If authentication fails, an authorization/access error is returned and the request is not processed.
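The following is an added reference model of the header-based authorization flow above (headers, password types, the webservice.allowHashedPassword switch, and the request-flow steps); it is illustration code written for this page, not OIPA's own implementation. The page does not define OIPA's digest algorithm, the value that enables hashed passwords, the error status, or where credentials are stored, so the SHA-256 digest, the "Yes" enabling value, the 401 status, and the in-memory user table are assumptions made for the example.

```python
"""
Reference model of the OIPA-style header-based web service authorization
flow. Added illustration, not OIPA code: the digest scheme (SHA-256 hex
of the password), the "Yes" enabling value, the 401 status and the
credential store are assumptions for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass

PASSWORD_TYPES = ("PasswordText", "PasswordDigest")  # exact, case-sensitive


@dataclass
class AuthResult:
    ok: bool
    status: int  # HTTP status the service would answer with (assumed: 401 on failure)
    reason: str


def digest_of(password: str) -> str:
    # Assumed digest scheme for the example; the page does not specify OIPA's.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed credential store: username -> plaintext password (for
# PasswordText) and its precomputed digest (for PasswordDigest).
USERS = {"svcuser": "s3cret-Pa55"}
USER_DIGESTS = {u: digest_of(p) for u, p in USERS.items()}


def parse_allow_hashed(config: dict) -> bool:
    # webservice.allowHashedPassword=No disables PasswordDigest; any other
    # enabling value is assumed to be "Yes" for this example.
    value = config.get("webservice.allowHashedPassword", "No")
    return value.strip().lower() == "yes"


def authorize(headers: dict, config: dict) -> AuthResult:
    """Steps 2-5 of the request flow: header validation, PasswordType
    validation against webservice.allowHashedPassword, credential check."""
    # Step 2: all three headers are mandatory.
    missing = [h for h in ("Username", "Password", "PasswordType") if not headers.get(h)]
    if missing:
        return AuthResult(False, 401, "missing header(s): " + ", ".join(missing))

    ptype = headers["PasswordType"]
    # PasswordType is case-sensitive: "passwordtext" is rejected, not normalised.
    if ptype not in PASSWORD_TYPES:
        return AuthResult(False, 401, f"unsupported PasswordType {ptype!r}")

    # Step 3: PasswordDigest is only accepted when the shared property allows it.
    if ptype == "PasswordDigest" and not parse_allow_hashed(config):
        return AuthResult(False, 401, "PasswordDigest disabled by webservice.allowHashedPassword=No")

    user = headers["Username"]
    expected = USER_DIGESTS.get(user) if ptype == "PasswordDigest" else USERS.get(user)
    if expected is None:
        # Unknown user: still run a comparison so timing does not reveal existence.
        hmac.compare_digest(headers["Password"].encode("utf-8"), b"")
        return AuthResult(False, 401, "invalid credentials")

    # Constant-time comparison for both the plaintext and the digest form.
    if not hmac.compare_digest(headers["Password"].encode("utf-8"), expected.encode("utf-8")):
        return AuthResult(False, 401, "invalid credentials")

    # Step 4: authenticated; the service would now process the request.
    return AuthResult(True, 200, f"authenticated {user} via {ptype}")


if __name__ == "__main__":
    cfg_off = {"webservice.allowHashedPassword": "No"}
    cfg_on = {"webservice.allowHashedPassword": "Yes"}
    text_req = {"Username": "svcuser", "Password": "s3cret-Pa55", "PasswordType": "PasswordText"}
    digest_req = {"Username": "svcuser", "Password": digest_of("s3cret-Pa55"), "PasswordType": "PasswordDigest"}
    print(authorize(text_req, cfg_off))    # accepted
    print(authorize(digest_req, cfg_off))  # rejected: hashed passwords disabled
    print(authorize(digest_req, cfg_on))   # accepted
```

The two points worth carrying into a real validator are that PasswordType is matched exactly rather than case-folded, and that the PasswordDigest branch is refused before any credential lookup when webservice.allowHashedPassword=No, so a client cannot bypass the property by sending a digest where plain text is required.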