It's All About the Platform.

Web Service Security Policies in Fusion Applications

Guest Author


Oracle Web Services Manager (OWSM) policies enforce and enable web service security in Oracle Fusion Applications. This post is about the use of secure authentication tokens and the web service policies that govern them.

In previous blog posts we have walked through SOAP and REST web services, illustrating how to use them. In those examples we used Basic Authentication to authenticate against the respective application. Whilst this is sufficient for a demonstration, there are more secure ways to use Fusion Applications web services.

This involves the use of a secure session header token. The token expires within a few hours of being generated, as session tokens generally do. The JWT token is secure because it's encrypted and signed. Additional security is built in, as tokens become invalid upon session time-out, in contrast to Basic Authentication, which will continue to work until the user's password is changed.

SOAP web service policies

Oracle Fusion Applications SOAP web services are secured by a global server-side policy called oracle/wss11_saml_or_username_token_with_message_protection_service_policy. Click here for further details on this policy. A global policy is one that is deployed by default in Oracle Web Services Manager (OWSM), but can be overridden.

Fusion Applications SOAP WSDLs contain an X509 certificate in binary form that needs to be imported into the client machine's certificate keystore. This is so that the client application can encrypt web service requests to Fusion Applications and the Fusion Applications environment can decrypt them successfully.

In addition, a certificate needs to be generated on the client machine and then imported into the Fusion Applications environment certificate keystore. Oracle Support can help with importing the certificate into a Fusion Applications environment.

The two certificates enable two-way SSL, which is a requirement of the SAML implementation in Fusion Applications and is part of the WS-Security 1.1 specification.

REST web services policies

Oracle Fusion Applications REST services are secured by a single global server-side policy called oracle/multi_token_over_ssl_rest_service_policy. The policy supports three different authentication mechanisms:

  • Basic Authentication
  • SAML 2.0 HTTPS header token
  • JWT HTTPS header token

Basic Authentication is where the username and password are combined, Base64-encoded and passed in the header to authenticate to the REST service. This is how we authenticated to Sales Cloud in the REST service walkthrough.

SAML 2.0 was discussed in the previous section. The same principles apply to REST services.

The JSON Web Token, otherwise known as a JWT token, is a secure token that is encrypted and signed to make it difficult to hack. JSON Web Tokens adhere to an open standard. The JWT token can be used to store session data, amongst other things. Oracle Fusion Applications stores session information within a JWT token, and therefore it can be used to maintain a session. More information on JWT tokens can be found here.

The JWT token is retrieved during the authentication process and is then placed in the header of every REST service request. JWT tokens expire after a few hours and a new one is necessary to continue the session.
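An added example, not from the original post or from Oracle's code: how a client might build the Basic and JWT request headers described above and use the token's expiry to decide when to authenticate again. It assumes the token is a compact signed JWT with a readable `exp` claim, sent as `Authorization: Bearer`; the user name, password and sample token are constructed.

```python
import base64, json, time

def basic_header(user, password):
    """Basic auth: reversible Base64 of user:password, valid until the password changes."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def jwt_expiry(token):
    """Return the exp claim (epoch seconds) of a compact signed JWT, or None if unreadable.
    This is a read-only peek for scheduling; the server still verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:  # e.g. a 5-part encrypted token: payload is opaque to the client
        return None
    try:
        seg = parts[1]
        payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    return exp if isinstance(exp, (int, float)) else None

def needs_refresh(token, now=None, skew=300):
    """True when the token expires within `skew` seconds. If the expiry cannot be
    read, return False and let the server's 401 response trigger re-authentication."""
    exp = jwt_expiry(token)
    now = time.time() if now is None else now
    return exp is not None and now >= exp - skew

def bearer_header(token, now=None):
    """Header for each REST request; refuses a token known to be at or near expiry."""
    if needs_refresh(token, now):
        raise ValueError("token expired or about to expire: authenticate again")
    return {"Authorization": "Bearer " + token}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token with a dummy signature, expiring at epoch 1_700_010_000.
SAMPLE = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                   _b64url({"sub": "demo.user", "exp": 1_700_010_000}),
                   "c2lnbmF0dXJl"])

if __name__ == "__main__":
    print(basic_header("demo.user", "constructed-password"))
    print(jwt_expiry(SAMPLE), needs_refresh(SAMPLE, now=1_700_000_000))
```

Both headers must only ever travel over HTTPS, as the policy name implies: the Basic value decodes straight back to the password, and a captured bearer token is usable until it expires.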

Next Time...

In the next post we will walk through an example Sales Cloud REST Service execution that uses a JWT Token to authenticate. Also in this series, we will walk through execution of the Fusion Applications WebCenter Content Generic SOAP Service using SAML to execute the service securely.

Further Information
