Handling Passwords in OWSM - Best Practices - 11g
By Prakash Yamuna on Sep 06, 2011
I came across some excellent blogs on the net that talk about OWSM and how to use OWSM to secure your web services/web service clients.
Here are some examples that I see on the net:
http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html by Ediwin Beimond.
Edwin Beimond has some excellent posts in terms of providing a detailed step-by-step How To describing how to use various OWSM policies. However one of things I have noticed is that people end up specifying passwords in the clear as part of their code snippets.
This is something I would strongly discourage customer's from adopting. Passwords in the clear in code is a recipe for security vulnerabilities. It also results in brittle code - if the passwords change - you need to change code.
Oracle FMW provides a credential store framework (CSF) to enable storing passwords in a secure fashion and I encourage people to use CSF rather than specifying passwords in the clear.
In future blog posts I will discuss how to use CSF instead of clear text passwords.