3 Configuring Authentication and Security Policies

This chapter provides an overview of how to configure authentication and security policies, how to provide SSL communication for basic authentication, how to apply OWSM security policies to Imaging web services, and how to reconfigure client-side security policies for Java API login.


3.1 About Configuring Authentication and Security Policies

Authentication and session management are handled differently depending on the integration method being used. When first installed, the Imaging Web Services are configured with no Oracle Web Services Manager (OWSM) security policies applied. When no security policies are applied, the services use either the HTTP Basic Authentication mechanism or username token authentication. Note that Basic Authentication, in which user credentials (user ID and password) are transmitted in the web service HTTP message header, is not very secure because the credentials are not encrypted in any way unless a Secure Socket Layer (SSL) transport mechanism is used.

3.2 Providing SSL Communication for Basic Authentication

If SSL is properly configured for the Imaging server instance, Imaging can be configured to force the use of SSL in all web service communication. This is done by setting the Imaging configuration MBean RequireBasicAuthSSL to true. By default, it is false.


The RequireBasicAuthSSL setting applies only when HTTP Basic Authentication is in use because no OWSM security policies have been applied.

Using OWSM Security Policies

When higher degrees of security are desirable, Imaging web services support the following Oracle Web Services Manager (OWSM) security policies.

  • wss_username_token

  • wss_username_token_over_ssl

  • wss11_username_token_with_message_protection

When applying a security policy to the Imaging web services, remember that the same policy must be applied to all of the web services with the exception of the DocumentContentService. The DocumentContentService is designed to use streaming MTOM that is incompatible with OWSM security policies. Security for DocumentContentService first requires a separate, stateful login through the LoginService, which does leverage OWSM security policy. (This information is primarily significant for making direct web services calls. The proper login sequence occurs automatically when using the native Java API.)

3.3 Applying OWSM Security Policies to Imaging Web Services

Security policies are applied to Imaging web services from the WebLogic Server Administration Console using the following procedure.

  1. Log in to the Administration Console.

  2. Click Deployments. The Summary of Deployments page is displayed.

  3. Click the plus (+) icon next to imaging in the Name column of the Deployments table. The imaging deployment expands.

  4. For each imaging web service under Web Services except DocumentContentService, do the following:

    1. Select the web service. The setting page for the service is displayed.

    2. Select the Configuration tab. The configuration tab becomes active.

    3. Select the WS-Policy tab. The WS-Policy tab becomes active.

    4. Click the web service port in the Service Endpoints and Operations column of the WS-Policy Files Associated With This Web Service table. The Configure the Policy Type for a Web Service page is displayed.

    5. Ensure OWSM is selected and click Next. Note that WebLogic policies are not supported. The Configure a WebService Policy page is displayed.

    6. Choose a supported service policy from the Available Endpoint Policies field. Supported policies are listed in Providing SSL Communication for Basic Authentication.

    7. Click the right arrow to move the selected policy to the Chosen Endpoint Policies field. Note that only one security policy should be selected.

    8. Click Finish. The Save Deployment Plan Assistant page is displayed.

    9. Click OK to save the deployment plan.

    10. Repeat the substeps of step 4 for each web service except DocumentContentService until the same policy is applied to all services.

  5. Click Deployments to return to the Deployments page.

  6. Enable the check box next to imaging in the Name column of the Deployments table and click Update. The Update Application Assistant page is displayed with the new deployment plan specified next to Deployment plan path.

  7. Click Finish. The new policies are applied and the deployment updated.
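
The rules stated in this chapter (one supported policy per service, the same policy on every service except DocumentContentService, and RequireBasicAuthSSL as the safeguard when no policy is applied) can be checked mechanically after an update. The following is an added example, not Oracle code: the inventory format, the audit function and the service name ExampleServiceA are assumptions constructed for illustration.

```python
# Added example: audit a constructed inventory of Imaging web services
# against the policy rules stated in this chapter.
SUPPORTED = {
    "wss_username_token",
    "wss_username_token_over_ssl",
    "wss11_username_token_with_message_protection",
}
STREAMING = "DocumentContentService"  # streaming MTOM, takes no OWSM policy


def audit(policies, require_basic_auth_ssl=False):
    """policies maps service name -> list of attached OWSM policy names.
    Returns a sorted list of findings; an empty list means consistent."""
    findings = []
    if policies.get(STREAMING):
        findings.append(f"{STREAMING}: OWSM policy attached to streaming MTOM service")
    others = {s: p for s, p in policies.items() if s != STREAMING}
    for svc, attached in others.items():
        if len(attached) > 1:
            findings.append(f"{svc}: more than one policy selected")
        for name in attached:
            if name not in SUPPORTED:
                findings.append(f"{svc}: unsupported policy {name}")
    distinct = {tuple(sorted(p)) for p in others.values()}
    if len(distinct) > 1:
        findings.append("services do not all carry the same policy")
    if distinct == {()} and not require_basic_auth_ssl:
        findings.append("no OWSM policy and RequireBasicAuthSSL is false: "
                        "Basic Authentication is not forced onto SSL")
    return sorted(findings)


# Constructed inventories; ExampleServiceA is a placeholder service name.
OVER_SSL = ["wss_username_token_over_ssl"]
DEFAULT_INSTALL = {"LoginService": [], "ExampleServiceA": [], STREAMING: []}
PARTIAL = {"LoginService": OVER_SSL, "ExampleServiceA": [], STREAMING: []}
GOOD = {"LoginService": OVER_SSL, "ExampleServiceA": OVER_SSL, STREAMING: []}

if __name__ == "__main__":
    for label, inventory in [("default", DEFAULT_INSTALL),
                             ("partial", PARTIAL), ("good", GOOD)]:
        print(label, audit(inventory) or "consistent")
```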

3.4 Reconfiguring Client-Side Security Policies for Java API Login

When OWSM security policies are applied to the Imaging web service, Java API code must use the WsmUserToken class to log in rather than the BasicUserToken class. The WsmUserToken class is a helper class for configuring OWSM client-side security policies, including a set of static constants for setting the correct client-side policy. Depending on the policy being used, additional configuration settings may be required as well. Refer to the OWSM documentation for complete details on the meaning of the various configuration options.

The code fragments in Example 3-1 demonstrate possible usages of the WsmUserToken class for various policy types.

Example 3-1 WsmUserToken Class for Various Policy Types

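// Log in with an OWSM user token instead of a BasicUserToken.
// wsurl holds the URL of the Imaging web services.
WsmUserToken userToken = new WsmUserToken("weblogic", "weblogic");
ServicesFactory.login(userToken, wsurl);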