#2 - Broken authentication and session management
Risks in this category arise when authentication and session management are implemented incorrectly. As previously stated, custom authentication mechanisms should not be implemented, and none have been. To address attacks on web service client authentication, the IRT REST API supports username token authentication. The security of that mechanism then depends on the client handling the authentication artifacts (the username token and, above all, its password) correctly.
The password behind the username token must be treated with the utmost care, since its exposure compromises the authentication mechanism for every call made with it. The IRT REST API does not store the password in clear text on the file system and does not write it to logs. The client should protect the password in the same way: keep it only in encrypted form at rest, decrypt it only when a request is built, and keep it out of log output, debug dumps and error messages.
The IRT REST API is stateless and maintains no server-side session: every call carries its own credentials, and the same credentials may be reused across calls. Because the API is re-entrant, a client may issue calls concurrently; the number of concurrent calls should be bounded by design so that neither the client nor the server exhausts its resources.
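As an added example (not code from the IRT REST API or its documentation), the Go program below shows a client that handles the username-token password the way the two paragraphs above require: the password is sealed in memory with AES-256-GCM under a key the client is assumed to obtain from its own keystore, opened only for the duration of one call, kept out of log output by a redacting log path and a Stringer that masks it, and every call goes through a bounded set of in-flight slots so that re-entrant use cannot exhaust resources. The names SealPassword, OpenPassword, RedactSecrets, Logf and Client, the maxInFlight parameter and the send callback are all assumptions; the page does not specify the token's wire format, so the callback receives only the user name and password and is left to build the request.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
	"regexp"
)

// SealPassword encrypts the username-token password with AES-256-GCM so it is
// never kept on disk in clear text; key is 32 bytes from the client's keystore.
func SealPassword(key []byte, password string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), nil), nil // nonce||ciphertext
}

// OpenPassword decrypts a SealPassword blob; a wrong key or a tampered or
// truncated blob fails GCM authentication and returns an error, not garbage.
func OpenPassword(key, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return "", fmt.Errorf("sealed password too short (%d bytes)", len(sealed))
	}
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Where a password usually leaks into logs: form/query and JSON fields, and the
// HTTP Authorization header (whose whole value is masked).
var (
	passwordField = regexp.MustCompile(`(?i)(password["']?\s*[:=]\s*["']?)[^\s"',&]+`)
	authHeader    = regexp.MustCompile(`(?i)(authorization:\s*)[^\r\n]+`)
)

// RedactSecrets masks credential material before a line reaches the log.
func RedactSecrets(line string) string {
	line = passwordField.ReplaceAllString(line, "${1}[REDACTED]")
	return authHeader.ReplaceAllString(line, "${1}[REDACTED]")
}

// Logf is the client's only log path, so even a careless debug line is redacted.
func Logf(format string, args ...interface{}) {
	log.Print(RedactSecrets(fmt.Sprintf(format, args...)))
}

// Client keeps the credential sealed and bounds calls in flight: the API is
// stateless and re-entrant, so only the client limits its own fan-out.
type Client struct {
	User   string
	key    []byte
	sealed []byte
	slots  chan struct{} // one slot per call allowed in flight
}

// NewClient seals the password at once; no clear-text copy is retained.
func NewClient(user, password string, key []byte, maxInFlight int) (*Client, error) {
	sealed, err := SealPassword(key, password)
	if err != nil {
		return nil, err
	}
	return &Client{User: user, key: key, sealed: sealed, slots: make(chan struct{}, maxInFlight)}, nil
}

// String keeps the password out of fmt/log output when the struct is printed.
func (c *Client) String() string { return fmt.Sprintf("Client{User:%q Password:[REDACTED]}", c.User) }

// Call opens the password only for one request and hands it to send, which
// builds the username token; it blocks while maxInFlight other calls are active.
func (c *Client) Call(op string, send func(user, password string) error) error {
	c.slots <- struct{}{}
	defer func() { <-c.slots }()
	password, err := OpenPassword(c.key, c.sealed)
	if err != nil {
		return err
	}
	err = send(c.User, password)
	Logf("op=%s user=%s err=%v", op, c.User, err) // never the password itself
	return err
}
```

A caller constructs the client once with NewClient and the keystore key, then issues every request through Call; the send callback is the only place the clear-text password exists, and because Go strings cannot be scrubbed from memory the callback should not copy it anywhere that outlives the request.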



