Handling Passwords in OWSM - Best Practices - 11g

I came across some excellent blogs on the net that talk about OWSM and how to use OWSM to secure your web services/web service clients.

Here are some examples that I see on the net:

http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html by Edwin Biemond.

http://blogs.oracle.com/wssi/entry/securing_weblogic_web_servcies_with by Jiandong Guo.

Edwin Biemond has some excellent posts that provide detailed step-by-step how-tos describing how to use various OWSM policies. However, one of the things I have noticed is that people end up specifying passwords in the clear as part of their code snippets.

This is something I would strongly discourage customers from adopting. Passwords in the clear in code are a recipe for security vulnerabilities. They also result in brittle code: if the passwords change, you need to change the code.

Oracle FMW provides a credential store framework (CSF) to enable storing passwords in a secure fashion and I encourage people to use CSF rather than specifying passwords in the clear.

In future blog posts I will discuss how to use CSF instead of clear text passwords.
