4 Security Considerations for Developers

This chapter provides information for developers about how to create secure applications for Oracle Communications Unified Inventory Management (UIM) and how to extend UIM without compromising its security.

About UIM Security Policies

UIM uses ADF security for its UI resources (JSDD or JSPX), and protects them with the uimuser role. Users with this role can run create, read, update, and delete operations on these pages. You can customize these policies in Oracle Fusion Middleware Enterprise Manager.

About Securing UIM APIs

By default, UIM APIs are not secured. To secure an API, you must extend UIM security to include the APIs. This can be done by:

  • Securing APIs through the SecurityValidation Aspect

  • Securing APIs through rulesets and extension points

See UIM Developer's Guide for more information.

About Securing Entity Data

By default, UIM entity data is not secured. To secure entity data, you must extend UIM security to control data access to individual entities. This is done by creating custom rulesets that run at specified extension points. The custom rulesets set permissions or partitions for an entity, enforce any permissions or partitions that are set for an entity, and log error messages whenever a security violation is detected.

See UIM Developer's Guide for more information.

About Securing Web Services

By default, the Service Fulfillment Web service has security enabled upon installation. Specifically, the HTTP and JMS Web service ports are associated with the default WebLogic security policy file, Auth.xml. As a result, a user name and password must be sent in clear text over a secure tunnel (HTTPS/t3s). You can modify the default security settings through the WebLogic Server Administration Console. See UIM Web Services Developer's Guide for more information.
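Because the default policy sends the password in clear text, the credentials are only as safe as the transport. The following client-side guard is an added example, not Oracle or UIM code: it assumes the policy is satisfied by a WS-Security UsernameToken with a plain-text password, and it refuses to build the header for any endpoint that is not https or t3s. The function names, host, path, and credentials are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
# Transports the page names as secure tunnels (TLS-protected).
SECURE_SCHEMES = {"https", "t3s"}


class InsecureTransportError(ValueError):
    """Raised when clear-text credentials would leave over a non-TLS URL."""


def require_secure_endpoint(url):
    """Return the URL scheme if it is TLS-protected and has a host, else raise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SECURE_SCHEMES or not parts.hostname:
        raise InsecureTransportError(
            f"refusing to send credentials to {scheme or 'unknown'}:// endpoint")
    return scheme


def build_envelope(url, username, password):
    """Build a SOAP 1.1 envelope carrying a UsernameToken destined for `url`."""
    require_secure_endpoint(url)  # check before any secret is serialized
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("wsse", WSSE_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    sec.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    token = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    # ElementTree escapes text, so markup in a credential cannot alter the header.
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE_NS}}}Password")
    pw.set("Type", PASSWORD_TEXT)
    pw.text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body")  # operation payload goes here
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    # Constructed sample values; host and path are placeholders.
    print(build_envelope("https://uim.example.com:7002/placeholder", "svcuser", "s3cret").decode())
```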

When you create a custom Web service, it is up to you to secure the Web service. How you secure the Web service depends upon how you created the Web service. For example, if your custom Web service deploys with the custom.ear file, you need to create your own deployment plan; if your custom Web service deploys with the inventory.ear file, you need to modify the inventory.ear deployment plan that is part of the UIM installation. See UIM Web Services Developer's Guide for more information.