Validating Oracle Health Insurance Web Services

Oracle Health Insurance Web Services are REST-based. Unlike technologies that publish a formal contract such as an XSD, a REST-based service has no formal definition against which incoming messages can be validated.

Oracle Health Insurance Web Services are designed and optimized to process "normal" requests. They may or may not be able to handle "invalid" or "malicious" requests. For example, many Web Services support processing an object together with its children, and they assume a moderate number of children.

For example, a claim typically has a fairly low number of claim lines (2-5), but some claims may have more. How many claim lines can actually be processed depends on the hardware and configuration of the customer's environment; the limit for a given setup has to be established during testing.

The Claims In Integration Point is not designed to handle a claim with a high number of claim lines, and the same holds true for any other Integration Point or API. An attacker could submit such a claim to bring the system down. It is therefore essential to validate incoming requests before presenting them to the Oracle Health Insurance application. The Oracle Health Insurance application cannot perform that validation itself, because REST Integration Points do not support this kind of payload validation.

When Oracle Health Insurance Web Services are exposed to external clients, it is therefore essential to implement a Web Application Firewall and configure rules to detect and handle malicious requests. Only valid requests should be forwarded by the Web Application Firewall to the Oracle Health Insurance application. An example of a Web Application Firewall is Oracle Traffic Director.
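The kind of rule a Web Application Firewall or API gateway would apply in front of the application, shown here as an added Python example that is not part of the Oracle Health Insurance product or its documentation. It enforces a body size limit, rejects malformed JSON, bounds JSON nesting depth and, most importantly for the Claims In case above, caps the number of claim lines in a request. The field name `claimLines` and all limit values are assumptions chosen for illustration; a real deployment would take the limits from the load testing the page describes.

```python
import json

# Limits a deployment would tune from its own load testing. The page states
# that the real ceiling depends on hardware and configuration; these values
# are constructed for the example only.
MAX_BODY_BYTES = 256 * 1024
MAX_CLAIM_LINES = 50
MAX_NESTING_DEPTH = 8


def nesting_depth(node, depth=0):
    """Return the maximum nesting depth of a parsed JSON value (dicts/lists)."""
    if isinstance(node, dict):
        return max((nesting_depth(v, depth + 1) for v in node.values()),
                   default=depth + 1)
    if isinstance(node, list):
        return max((nesting_depth(v, depth + 1) for v in node),
                   default=depth + 1)
    return depth


def validate_claim_request(body: bytes,
                           max_bytes: int = MAX_BODY_BYTES,
                           max_lines: int = MAX_CLAIM_LINES,
                           max_depth: int = MAX_NESTING_DEPTH):
    """Return (accepted, reason). Only accepted requests should be forwarded
    to the application; everything else is rejected at the edge.
    """
    # Cheapest check first: refuse oversized bodies before parsing anything.
    if len(body) > max_bytes:
        return False, f"body of {len(body)} bytes exceeds {max_bytes}"
    try:
        payload = json.loads(body)
    except ValueError as exc:
        return False, f"malformed JSON: {exc}"
    if not isinstance(payload, dict):
        return False, "top-level JSON value must be an object"
    # Deeply nested documents are a resource-exhaustion risk for parsers.
    if nesting_depth(payload) > max_depth:
        return False, f"nesting deeper than {max_depth} levels"
    lines = payload.get("claimLines")  # assumed field name for the example
    if not isinstance(lines, list):
        return False, "claimLines must be a JSON array"
    if len(lines) > max_lines:
        return False, f"{len(lines)} claim lines exceeds limit of {max_lines}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a typical claim and a claim-line flood.
    normal = b'{"claimNumber": "C-1", "claimLines": [{"id": 1}, {"id": 2}]}'
    flood = ('{"claimNumber": "C-2", "claimLines": ['
             + ",".join(['{"id": 1}'] * 500) + "]}").encode()
    for name, req in (("normal", normal), ("flood", flood)):
        accepted, reason = validate_claim_request(req)
        print(f"{name}: {'forward' if accepted else 'reject'} ({reason})")
```

The order of the checks matters: the byte-length test runs before `json.loads`, so a multi-megabyte body never reaches the parser, and the line-count cap is applied before the request is forwarded, which is exactly the point at which the application itself can no longer protect itself.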