3 Introduction to Securing Oracle Infrastructure Web Services

You have to secure Oracle Infrastructure web services.

This chapter describes how to secure Oracle Infrastructure web services. It includes the following sections:

3.1 Overview of Web Services Security

Oracle Web Services Manager (OWSM) is designed to define and implement web services security.

Web services security includes several aspects, as described below:

  • Authentication—Verifying that the user is who she claims to be. A user's identity is verified based on the credentials presented by that user, such as:

    • Something one has, for example, credentials issued by a trusted authority such as a passport (real world) or a smart card (IT world).

    • Something one knows, for example, a shared secret such as a password.

    • Something one is, for example, biometric information.

    Using a combination of several types of credentials is referred to as "strong" authentication, for example using an ATM card (something one has) with a PIN or password (something one knows).

  • Authorization (or Access Control)—Granting access to specific resources based on an authenticated user's entitlements. Entitlements are defined by one or several attributes. An attribute is a property or characteristic of a user. For example, if "Marc" is the user, "conference speaker" is the attribute.

  • Confidentiality, privacy—Keeping information secret. A message, for example a web service request or an email, as well as the identities of the sending and receiving parties, is handled in a confidential manner. Confidentiality and privacy can be achieved by encrypting the content of a message and obfuscating the sending and receiving parties' identities.

  • Integrity, non-repudiation—Making sure that a message remains unaltered during transit by having the sender digitally sign the message. The digital signature is validated on receipt and provides non-repudiation. The timestamp in the signature prevents anyone from replaying this message after the expiration.
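
The following Java sketch is an added illustration of the integrity bullet above; it is not Oracle or OWSM code. It uses only the standard java.security API instead of WS-Security XML signatures, and the class name, message layout and sample values are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;

// Added illustration: plain java.security, not OWSM or WS-Security code.
public class SignedMessageCheck {
    // The signature covers the timestamps as well as the body,
    // so neither can be changed without invalidating it.
    static byte[] signedBytes(String body, Instant created, Instant expires) {
        return (created + "\n" + expires + "\n" + body).getBytes(StandardCharsets.UTF_8);
    }

    static byte[] sign(PrivateKey key, String body, Instant created, Instant expires)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signedBytes(body, created, expires));
        return s.sign();
    }

    // Receiver side: returns "ACCEPT" or the reason for rejection.
    static String check(PublicKey key, String body, Instant created, Instant expires,
                        byte[] sig, Instant now) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(signedBytes(body, created, expires));
        if (!s.verify(sig)) return "REJECT: signature invalid";
        if (!now.isBefore(expires)) return "REJECT: expired";
        return "ACCEPT";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair sender = g.generateKeyPair();

        // Constructed sample message with a five-minute validity window.
        String body = "<transfer account=\"1234\" amount=\"100\"/>";
        Instant created = Instant.parse("2024-01-01T12:00:00Z");
        Instant expires = created.plusSeconds(300);
        byte[] sig = sign(sender.getPrivate(), body, created, expires);
        PublicKey pub = sender.getPublic();

        Instant inWindow = created.plusSeconds(60), later = created.plusSeconds(3600);
        System.out.println(check(pub, body, created, expires, sig, inWindow));
        System.out.println(check(pub, body.replace("100", "900"), created, expires, sig, inWindow));
        System.out.println(check(pub, body, created, expires, sig, later));
        // Pushing the expiry forward to revive a captured message breaks the signature.
        System.out.println(check(pub, body, created, later.plusSeconds(300), sig, later));
    }
}
```

The four calls print ACCEPT, a signature rejection for the altered body, an expiry rejection for the late replay, and a signature rejection for the rewritten expiry. A copy of the message presented inside the validity window still verifies, which is why the timestamp only bounds replay after the expiration.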

For more information about these web services security concepts, see "Understanding Web Services Security Concepts" in Understanding Oracle Web Services Manager.

Oracle Web Services Manager (OWSM) is designed to define and implement web services security in heterogeneous environments, including authentication, authorization, message encryption and decryption, signature generation and validation, and identity propagation across multiple web services used to complete a single transaction. In addition, OWSM provides tools to manage web services based on service-level agreements. For example, the user (a security architect or a systems administrator) can define the availability of a web service, its response time, and other information that may be used for billing purposes. For more information about OWSM, see "Understanding OWSM Policy Framework" in Understanding Oracle Web Services Manager.

3.2 About OWSM Predefined Security Policies and Assertion Templates

OWSM provides a set of predefined policies and assertion templates that are automatically available when you install Oracle Fusion Middleware.

For more information, see Understanding How Policies Attach to Oracle Infrastructure Web Services.

The following categories of security policies and assertion templates are available in this predefined set:

  • Authentication Only Policies

  • Message Protection Only Policies

  • Message Protection and Authentication Policies

  • Authorization Only Policies

For more information about the predefined OWSM policies and assertion templates, see the following sections in Securing Web Services and Managing Policies with Oracle Web Services Manager:

For assistance in determining which security policies to use, see "Determining Which Security Policies to Use" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

3.3 About Security Policies Attachment

You can attach security policies to Oracle Infrastructure web services and clients at design time using Oracle JDeveloper, or at runtime using the Fusion Middleware Control.

For more information, see Understanding How Policies Attach to Oracle Infrastructure Web Services.

3.4 About Security Policies Configuration

You must configure the security policies before you can use them in your environment.

The steps to configure security policies are described in "Securing Web Services" in Securing Web Services and Managing Policies with Oracle Web Services Manager.