Oracle® Application Server Web Services Developer's Guide
10g Release 2 (10.1.2) Part No. B14027-01 |
|
Previous |
Next |
The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This appendix describes the architecture and configuration of security for Oracle Application Server Web Services, including the Oracle Application Server UDDI Registry.
This chapter covers the following topics:
SOAP is the messaging protocol for Oracle Application Server Web Services. Oracle Application Server Web Services only supports HTTP (S) for a transport protocol for SOAP messages. Oracle Application Server security that applies for HTTP(S) can be leveraged for Oracle Application Server Web Services.
Oracle Application Server Web Services supports the following security features:
Secure Connection: By securing the connection using SSL (HTTPS), one can invoke a Web Service securely.
Authentication: Basic and Digest Access Authentication can be enforced using HTTP (S) headers. This method is not secure unless the authentication is specified in conjunction with SSL.
Authorization: Authorization is supported by retrieving the Principal using a User Manager such as the Oracle Application Server Java Authentication and Authorization Service (JAZN) User Manager.
All the HTTP(S) transport security features are applicable to all types of Oracle Application Server Web Services implementations (including stateless and stateful java classes, stateless session bean and stateless stored procedures). In addition, if a stateless session bean is exposed as a Web Service, ACL policies can be enforced on the bean when the connection is authorized by a User Manager and a Principal object is obtained.
If a stored procedure is exposed as a Web Service, then it is secure to encrypt the password of the corresponding data source in the data-sources.xml file.
See Also:
|
When you run a client-side application that uses Oracle Application Server Web Services, you can access secure Web Services by setting properties in the client application. Table B-1 shows the available properties that provide credentials and other security information for Web Services clients.
In a Web Services client application, you can set the security properties shown in Table B-1 as system properties by using the -D
flag at the Java command line, or you can also set security properties in the Java program by adding these properties to the system properties (use System.setProperties()
to add properties). In addition, the client side stubs include the _setTranportProperties
method that is a public method in the client proxy stubs. This method enables you to set the appropriate values for security properties by supplying a Properties
argument.
Table B-1 Web Services HTTP Transport Security Properties
This section covers the following topics:
Oracle Application Server UDDI resources are protected as follows.
For the OracleAS UDDI Registry, the following resources are protected:
Data – Write access to the data stored in the OracleAS UDDI Registry is protected; this is typically metadata of Web Services.
Functions – Administrative operations to the OracleAS UDDI Registry.
Passwords – N/A. User passwords are protected by JAZN.
Protection for the following OracleAS UDDI Registry resources are managed and enforced as follows.
Oracle Application Server Java Authentication and Authorization Service (JAZN) and the UDDI application manages and enforces write access to the data stored in the OracleAS UDDI Registry. JAZN determines the identity and the security role of a user. Only the owner has rights to update data.
For administrative operations for the OracleAS UDDI Registry JAZN also manages and enforces access; in addition, JAZN protects the servlets that provide administrative operations.
The application manages the UDDI syndication subscription password used to access Oracle Application Server Syndication Services. The password, which is persistently stored in the database, is further protected by the database DBMS_OBFUSCATION PL/SQL
package.
Update of the UDDI syndication subscriber password is available through a UDDI Web-based tool. The web-based tool uses JAZN to query the security role of the authenticated user. The password update facility is available only if the authenticated user has the uddiadmin
security role.
To configure UDDI for security, consider the following areas:
To ensure the confidentiality of the communication between the OracleAS UDDI Registry and clients, do the following:
Configure the Oracle HTTP Server/SSL listener to provide HTTPS access.
Configure OC4J to prohibit HTTP access.
To ensure the communication to a UDDI replication endpoint is authorized, configure the Oracle HTTP Server/SSL listener to enable HTTPS client-certificate based authentication.
Configure all security-sensitive UDDI endpoints, including: publishing, administration, replication wallet administration, and subscription management (typically, the inquiry endpoint does not need to be confidential).
In order to make the Oracle Application Server Content Subscription Manager functional, you must supply the proper password of the UDDI syndication subscriber.