#2 - Broken authentication

Risks in this category usually stem from authentication and session-management functions that are implemented incorrectly. As previously stated, the Clinical Data API does not implement a custom authentication mechanism, and none should be added. To counter attacks on web service client authentication, the Clinical Data API supports username token authentication. The integrity of that authentication depends on clients handling the authentication artifacts (the username token and its password) correctly, as described below.

To keep web client authentication secure, treat the password for the username token with the utmost care: exposure of the password compromises the systems behind the authentication mechanism. The Clinical Data API does not store the password in clear text on the file system and does not log the password, and the client should protect its copy of the password in the same way. Always store the password in encrypted form. When the password is exchanged between the parties operating the web service endpoints, do not send it over unencrypted side channels. Verify the identity of the party at each end of that exchange as well; an exchange that does not authenticate both parties is open to social engineering attacks. To access the web service interfaces and to use the Clinical Data API, you must be an InForm Integration user with the ODM Submit right. For more information, see the Clinical Data API Guide.
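The following client-side helper is an added example, not Oracle's code and not taken from the Clinical Data API Guide. It assumes that "username token authentication" means a WS-Security UsernameToken header as defined by the OASIS UsernameToken Profile 1.0; which Password Type the Clinical Data API accepts is not stated on this page, so both the PasswordText and PasswordDigest forms are shown. The environment variable name CDAPI_PASSWORD and the logger name are assumptions. The point of the example is the handling of the password: it is read from the environment rather than a source or configuration file, it is never written to disk, it goes on the wire only as a digest (or, in PasswordText mode, only over TLS), and a logging filter prevents it from reaching log files if the SOAP envelope is ever dumped for debugging.

```python
"""Added example, not Oracle's code: builds a WS-Security UsernameToken header
(assumed to be what "username token authentication" refers to) while keeping
the client password out of source files, configuration files and log output."""
import base64
import hashlib
import logging
import os
import secrets
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Standard OASIS WS-Security namespaces and UsernameToken profile URIs.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP_NS + "#PasswordText"
PASSWORD_DIGEST = UTP_NS + "#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def load_password(env_var="CDAPI_PASSWORD"):
    """Read the client password from the process environment (the variable name
    is an assumption). Nothing here writes it to disk; a deployment step should
    inject it from an encrypted store or secrets manager."""
    password = os.environ.get(env_var)
    if not password:
        raise RuntimeError(f"{env_var} is not set; refusing to fall back to a hard-coded password")
    return password


def password_digest(password, nonce, created):
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password)),
    where nonce is the raw bytes, not its Base64 form."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_username_token(username, password, digest=True, nonce=None, created=None):
    """Return the <wsse:Security> header as an XML string.
    digest=True  -> PasswordDigest: the clear-text password never goes on the wire.
    digest=False -> PasswordText: the password is sent as-is, so the endpoint
                    must only ever be reached over TLS.
    nonce and created are parameters so the output can be made deterministic."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if digest:
        password_elem = (f'<wsse:Password Type="{PASSWORD_DIGEST}">'
                         f'{password_digest(password, nonce, created)}</wsse:Password>')
    else:
        password_elem = f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'{password_elem}'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce_b64}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken>'
        f'</wsse:Security>'
    )


def redact(text, secrets_to_hide):
    """Replace every occurrence of each known secret with a placeholder."""
    for secret in secrets_to_hide:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    return text


class SecretRedactingFilter(logging.Filter):
    """Logging filter that scrubs known secrets, so a debug dump of the SOAP
    envelope (PasswordText mode) cannot leak the password into log files."""

    def __init__(self, secrets_to_hide):
        super().__init__()
        self._secrets = list(secrets_to_hide)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    logger = logging.getLogger("cdapi.client")  # assumed logger name
    pw = load_password()
    logger.addFilter(SecretRedactingFilter([pw]))
    header = build_username_token("integration_user", pw)
    logger.debug("outgoing security header: %s", header)  # password appears only as a digest
```

To try it, export CDAPI_PASSWORD in the shell before running the script; the script deliberately fails rather than substituting a default when the variable is absent. The digest form is the stronger default because the password itself is never transmitted; if the endpoint only accepts PasswordText, the redacting filter is what keeps the clear-text header out of any log that echoes the request.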

The Clinical Data API is stateless and does not maintain a session. The API is re-entrant, so the same credentials may be used across calls. Design the number of concurrent calls so that it does not exhaust the resources of the systems involved.
