Web Services Security
Note: This section outlines the Inbound Web Services security facility only.
Note: Refer to Migrating from XAI to IWS (Doc Id: 1644914.1) for more information.
Inbound Web Services allows external web service-based integrations to access functionality within Oracle Utilities Work and Asset Management. The security settings for the Inbound Web Services can be summarized as follows:
- Inbound Web Services relies on Web Services standards supported by Oracle WebLogic for authentication support.
- Inbound Web Services supports the WS-Policy standards supported by Oracle WebLogic to provide both transport and message security. Refer to the Oracle WebLogic documentation for details of the WS-Policies supported. The following rules apply to those policies:
  - Oracle WebLogic policies are supported if the corresponding setup is performed within Oracle WebLogic. For example, encryption is supported if keystores are configured for encryption keys.
  - WS-Policies are attached within the Oracle WebLogic console or Oracle Fusion Middleware Control after deployment. These policies are maintained independently as per the console documentation.
  - Element Level policies are not supported in the current release.
  - Security policies at the operation level are not supported directly but are supported via authorization.
  - The product ships an internal policy for backward compatibility (UserToken).
- Inbound Web Services uses the underlying business objects, maintenance objects, business services and service scripts to determine authorization of records. This includes authorization for specific operations.
- Inbound Web Services can use Oracle Web Service Manager for additional WS-Policy support and web service access controls.
- Security policies can vary between individual Inbound Web Services.
- Multiple WS-Policies are supported per Web Service. The clients calling these services must conform to at least one of the policies attached.
By default, the WS-Client calling the product must supply an authentication token in the format configured on the WS-Policy attached to the individual web service. No default user is defined for Inbound Web Services transactions by default. A default user may be configured with the ouaf.ws.defaultUser setting in the spl.properties file for the Inbound Web Services. Refer to the Server Administration Guide for details of the process.
Note: Setting of a default user is not recommended for implementations unless backward compatibility is required for older XML Application Interface-based services.
For backward compatibility there are several additional settings that cover Inbound Web Services:
Setting | Comments
ouaf.ws.defaultUser | Default user for authorization of Web Services calls.
ouaf.ws.superusers | Delimited set of effective users to translate calls from authentication users not known to the system.
ouaf.ws.deploy.user | Administration user for deployment activities. This setting is only specified if it differs from the administration settings.
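
The following check is an added example, not Oracle's code: it parses the text of an spl.properties file and reports which of the backward-compatibility settings above carry a value, so that a configured default user or superuser mapping can be reviewed. The sample content and user names are constructed, and the value of ouaf.ws.superusers is reported unsplit because its delimiter is not stated in this section.

```python
import re

# Settings from the table above; the review notes are this example's wording.
FLAGGED = {
    "ouaf.ws.defaultUser": "default user is set for authorization of calls",
    "ouaf.ws.superusers": "effective users are mapped for unknown callers",
}

# Constructed sample content (user names are invented for the example).
SAMPLE = """\
# constructed sample, not a shipped spl.properties
ouaf.ws.defaultUser = LEGACYXAI
ouaf.ws.superusers=
ouaf.ws.deploy.user: wlsadmin
"""

def parse_properties(text):
    """Parse Java .properties text: comments, '=' or ':' separators and
    backslash line continuations (escaped separators in keys are not handled)."""
    props, buf = {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes a pending line
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":   # blank or comment line
                continue
            buf = ""
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:                 # odd count: line continues
            buf += line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", buf + line)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
        buf = None
    return props

def audit_ws_settings(text):
    """Return (setting, value, note) for each flagged setting that has a value."""
    props = parse_properties(text)
    return [(k, props[k], note) for k, note in FLAGGED.items() if props.get(k)]

if __name__ == "__main__":
    for name, value, note in audit_ws_settings(SAMPLE):
        print(f"REVIEW {name}={value}: {note}")
```

An empty result means neither setting has a value in the file that was checked.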