Web Services Security
Note: This section outlines the Inbound Web Services security facility only.
Inbound Web Services allows external web service-based integrations to access functionality within the application. The security settings for the Inbound Web Services can be summarized as follows:
• Inbound Web Services rely on Web Services standards supported by Oracle WebLogic for authentication support.
• Inbound Web Services supports the WS-Policy standards supported by Oracle WebLogic to provide both transport and message security. Refer to the Oracle WebLogic documentation for details of the WS-Policies supported. The following rules apply to those policies:
• Oracle WebLogic policies are supported if the corresponding setup is performed within Oracle WebLogic. For example, encryption is supported if keystores are configured for encryption keys.
• WS-Policies are attached within the Oracle WebLogic console or Oracle Fusion Middleware Control after deployment. These policies are maintained independently as per the console documentation.
• Element Level policies are not supported in the current release.
• Security policies at the operation level are not supported directly but are supported via authorization.
• The product ships an internal policy for backward compatibility (UserToken).
• Inbound Web Services uses the underlying business objects, maintenance objects, business services and service scripts to determine authorization of records. This includes authorization for specific operations.
• Inbound Web Services can use Oracle Web Service Manager for additional WS-Policy support and web service access controls.
• Security policies can vary between individual Inbound Web Services.
• Multiple WS-Policies are supported per Web Service. The clients calling these services must conform to at least one of the policies attached.
By default, the WS-Client calling the product must supply an authentication token in the format configured on the WS-Policy attached to the individual web service. No default user is configured for Inbound Web Services transactions unless one is set explicitly. A default user may be configured using the ouaf.ws.defaultUser setting in the spl.properties file for the Inbound Web Services. Refer to the Server Administration Guide for details of the process.
Note: Setting of a default user is not recommended for implementations unless backward compatibility is required for older XML Application Interface-based services.
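The following check is an added example, not part of the product or its documentation. It reads the text of an spl.properties file using Java properties syntax and reports whether ouaf.ws.defaultUser is in effect. The sample file contents, the user ID LEGACYUSR, the key example.other.key, and the treatment of a blank value as unset are assumptions.

```python
import re

SETTING = "ouaf.ws.defaultUser"  # property name as given on this page

def parse_properties(text):
    """Parse Java .properties text; a later duplicate key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":      # blank line or comment
            continue
        # An odd number of trailing backslashes continues onto the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        # The key ends at the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def default_user(text):
    """Return the configured default user, or None when none is in effect.
    Assumption: a blank value is treated the same as an absent property."""
    return parse_properties(text).get(SETTING, "").strip() or None

# Constructed spl.properties fragments (the user id and other key are made up).
HARDENED = "# no default user\n#ouaf.ws.defaultUser=LEGACYUSR\nexample.other.key=1\n"
LEGACY = "example.other.key=1\nouaf.ws.defaultUser = LEGACYUSR\n"
CONTINUED = "ouaf.ws.defaultUser=\\\n    LEGACYUSR\n"
OVERRIDDEN = "ouaf.ws.defaultUser=LEGACYUSR\nouaf.ws.defaultUser=\n"

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED), ("legacy", LEGACY),
                       ("continued", CONTINUED), ("overridden", OVERRIDDEN)]:
        user = default_user(text)
        print(f"{name}: " + (f"FINDING default user '{user}'" if user else "ok"))
```

A plain text search for the property name would misreport the commented-out, continued and overridden cases, which is why the check parses the file the way a Java properties loader does.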
For backward compatibility there are several additional settings that cover Inbound Web Services: