Securing WebService with Basic Security Profile

Similar Messages

• Call secure RestFul WebService with basic authorization via https

  Hi,
  is there a way to call a secure RestFul WebService with basic authorization via https from APEX?
  Database: Oracle 11g XE
  APEX: 4.2.1
  I have a solution by calling the WebService from Java which was called from the database via scheduled job (execute).
  As my hosting partner does not support Java I am looking for another option.
  Regards
  Markus

  Hi,
  I think its not possible, in this link you can find in more detail why.
  Its related with the use of wallets to acess https requests.
  http://www.apexninjas.com/blog/2011/06/https-access-with-utl_http-on-oracle-xe-has-anyone-managed-to-do-this/
  Edit: Because you are using Oracle XE
  Edited by: carlos.pereira on Jan 23, 2013 6:15 PM

• Need help !!! Regarding invoking Webservices with Basic Auth

  I have a partner who requires me to pass credentials in order to invoke their Webservice.
  I have created a Partner link using a local WSDL (copy of the original partner's WSDL) and assigned the following properties
  <property name="HTTPbasicHeaders">credentials</property>
  <property name="basicUsername">hilal.khan</property>
  <property name="basicPassword">welcome123</property>
  And invoked this partnerlink in a Synchronous BPEL process, the invocation fails with the following error message
  <remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="summary"><summary>exception on JaxRpc invoke: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 401 Unauthorized</summary>
  </part></remoteFault>
  Looks like I am missing the way in which these credentials should be sent, I know for sure that the values being sent are correct - I tried to open the WSDL from a browser and it prompted me with a username/password window and I entered the same credentials and it then took me to the WSDL. Can one of you please help me figure out the issue and resolve it.

  Hi,
  In BPEL.xml file that is built for bpel pass the binding with the httpUsername and httpPassword which you can make anything.
  <partnerLinkBinding name="PartnerLink_SPTel_Register">
  <property name="wsdlLocation">RegisterServiceRef.wsdl</property>
  <property name="httpUsername">dummy</property>
  <property name="httpPassword">dummy</property>
  </partnerLinkBinding>
  and in the BPEL process change the value of httpUsername and httpPassword dynamically to whatever you want.
  <copy>
  <from variable="httpUsername"/>
  <to partnerLink="EventService_Partner" bpelx:property="httpUsername"/>
  </copy>
  <copy>
  <from variable="httpPassword"/>
  <to partnerLink="EventService_Partner" bpelx:property="httpPassword"/>
  </copy>
  This works great if you have to pass different credentials to the same WS depending on who accesses the bpel process.
  hope this helps
  Sandeep

• Restful webservice with basic authentication

  Hi, i am running the following:
  Oracle: 11.2....
  ApexListener: 2.....
  Glassfish: 3.0...
  Apex: 4.2.1
  I have successfully established some restful webservices. Now i want to add a basic authentication to them against an APEX Authentication Scheme which is used in one of my APEX Applications. I cannot find any documentation related to Glassfish or ApexListener or APEX to do that.
  Or are the RESTful Service Privileges which belong to APEX User Goups intent to do a basic authentication ?
  Thanks for your help !
  -- Klaus

  OK got it solved by my self.
  Solution:
  Define a RESTFUL (POST, PLSQL) Service with the following HEADER parameters:
  authorization          authorization     IN     STRING
  X-APEX-STATUS-CODE     status          OUT     INTEGER
  As per RFC 1945, the Authorization header value should contain the username:password
  as encoded (base64) string. That is what the RESTclient send (over https)
  In the PLSQL i decode :authorization and validate it against APEX Authentication Scheme.
  The result of the validation drives the response header (:status) in PLSQL with 200 (ok) or 401 (Not Authorized)
  -- Klaus

• Security Profile Seeting with in a Same Business Group

  Hello,
  With in one business group I have employee of multiple country. Now the concern is that I need to have two different responsibility through which I can restrict the employee as per the country.
  The things which identify between countries are. 1. They have different GRE. 2. They have different Operating Units. I have tried to create a security profile it has the one option Secure organization by single Operating units, but I ma not able to see that working? Where exactly we need to declare the operating Unit i need to secure for? Can any one suggest me a suitable work around.
  The version we are using is 11.5.10
  Thanks

  If you security profile is 'static', then you need to run the concurrent process 'Security List Maintenance'. This will identify all records which match the security profile rule and then allow the user to see those records when the use their 'secured' responsibility.
  Regards
  Tim

• WS security on webservices with JAX-WS Provider Interface

  Hi Experts:
  I have developed webservices with JAX-WS Provider Interface (WSProvider),it gives message level handling and also eliminates POJOs for user defined types; but how to add operation level Weblogic security policy on such services ?
  In my Weblogic console, I can see the endpoint of the service, and my services has at least 10 operations as defined in the WSDL, but I do not see operations details in the server console when I try to attach Weblogic security policy; so how do I add security rule to decide which operation is allowed by which user?
  am I missing something? or this is not possible ?  I am using WSProvider Interface and wondering is any issue because of that?  Or my operations should be visible regards of any JAX-WS standards implementation ?
  Thanks in advance!

  appaerently with the switch to the oc4j ws providers - a regression was introduced - bug 5665917 ... which is to be fixed for 10.1.3.3 ..
  pls contact oracle support to retrieve the patch ..
  /clemens

• RFC- WebServices with Security Features

  Hi
  I have to execute one scenario RFC - WebServices with security features. Kindly let me know where or how can I implement the secuirty features in this scenario. Any documentation/blog/ thread are welcome to undestand about implemeting the  secuirty features for this scenario.
  Regards
  Ramesh

  Hi Ramesh,
    Check this:
  http://help.sap.com/saphelp_nwpi71/helpdata/en/45/504971f7a708d2e10000000a11466f/frameset.htm
  http://help.sap.com/saphelp_nwpi71/helpdata/en/87/0827a8d6e04a2a8f822f9c51fa7ef2/frameset.htm
  and
  http://help.sap.com/saphelp_nwpi71/helpdata/en/37/1a9b6a338cca448508f3a48d2d1e2d/frameset.htm
  Regards,
  Ravi Kanth Talagana

• Security Profile with Assignment-level Security limitations

  Hi, We are on an R12 installation, and have a security profile based on Organization Hierarchy (With Assignment-Level Security - i.e. 'Restrict on Individual Assignments' checkbox is ticked); this is based on a specific organisation as the 'Top Org' rather than the User's own Assignment.
  The profile option "HR: Access Non-Current Employee Data" is set to 'Yes', but the security profile still restricts access to Future-Dated Assignments and Ended Assignments. Is this expected behaviour, and is the only solution to develop a Custom security profile, and is this even feasible (to replicate organisation hierarchy security using SQL in the custom security tab), or would we have to use a different criteria, such as Payroll?
  Regards, Chris

  Further investigation reveals this is a limitation of the product - within security, the selection criteria which determines which individuals (or assignments) is handled seperately to Assignment-level security (i.e. whether individual assignments are restricted), it is not possible to get around this issue even using custom security, as that does not give one the power to determine how individual assignments are handled. Thus if assignment-level security is implemented, the user cannot see Ended or Future-Dated assignments, even if the profile option "HR: Access Non-Current Employee Data" is set to 'Yes'.
  The only workaround we have found for this is to:
  a) remove assignment-level security, and
  b) ensure that where an employee has multiple assignments that cross security groups, this individual is set up twice, as two separate employees.

• XML error when Crystal report calling Webservice with Rampart (ws-security)

  Could you please advise me where I am doing wrong -
  I have designed the report using CR 2008 following a SAP document instructions but getting error. -
  1. Created a Class file and put it in the class folder -
  public class PasswordHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException,UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { WSPasswordCallback pwcb = (WSPasswordCallback)callbacks<i>; pwcb.setPassword("clientPassword"); return; } } -
  2. created wse_policy.xml with below content clientName com.rockalltech.action.reports.PasswordHandler -
  3.Also modified CRConfig.xml with below data com.PasswordHandler -
  Still I am getting Rampart error like below -
  [2009-06-02 18:04:26,977,,FATAL,com.crystaldecisions.data.xml] org.apache.axis2.AxisFault: org.apache.rampart.Rampart at org.apache.axis2.deployment.URLBasedAxisConfigurator.getAxisConfiguration(URLBasedAxisConfigurator.java:77) at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64) at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromURIs(ConfigurationContextFactory.java:190) at com.crystaldecisions.data.xml.a.b.a(Unknown Source) at com.crystaldecisions.data.xml.a.a.a(Unknown Source) at com.crystaldecisions.data.xml.f.a(Unknown Source) at com.crystaldecisions.data.xml.f.int(Unknown Source) at com.crystaldecisions.data.xml.CRDB_XMLImpl.DbExecuteQuery(Unknown Source) at com.crystaldecisions.reports.queryengine.driverImpl.xml.XMLQueryDefinition.Execute(Unknown Source) Thomas Edited by: thomasjv on Jun 2, 2009 7:15 PM Edited by: thomasjv on Jun 3, 2009 10:45 AM Edited by: thomasjv on Jun 3, 2009 10:45 AM Edited by: thomasjv on Jun 3, 2009 10:46 AM

  Hi!
  Thanks for the help:
  - I give all proxy details. In HTTP and HTTPS proxy tabs too.
  one interesting thing:
  - We publicate the same WebService with HTTP and HTTPS prefix.
  - If I create a proxy for the WS with HTTP, everything is correct and works well.
  - If I create a proxy for the WS with HTTPS, gives the error written the previous posts. (And can't create the logical port with SOAMANAGER)
  I compare the 2 WSDL. It is the same, except the links. (HTTP and HTTPS) all others are same.
  - And why it is possible in both case (HTTP, HTTPS) to create the proxy with SE80 from the WSDL URL? (And after the logical port was failed)

• Service Interface Security Profile & Idempotency

  Dear PI Experts,
  Based on the information given in the following link:
  https://help.sap.com/saphelp_nw73/helpdata/en/48/5b14cf63424992e10000000a42189c/frameset.htm
  - Quoting the link The security profile "... form the metadata descriptions which influence the behavior during implementation of this service definition."
       => Does this mean the implementation should be handled by the application programmer?
  - The Security Profile section shows that there are some values available for the security profile and the default value when we create a new SI is Low.
  From the link above, it is stated that "Low - Basic Authentication using user ID and password and no transport security."
       => Does this mean I can configure the user ID and password to be used at the interface? If yes, where can I configure it?
  - From the same link above, from what I get at the Idempotency section.
       => Does the Idempotency mechanism is handled by PI or should be handled by the provider application programmer? If it is automatically handled by PI, what is the transaction ID used for to check if the message has been sent before? If not, what is the advantage of ticking the Idempotency for the provider application programmer?
  Any advise would be appreciated.
  Thank you,
  Suwandi C.

  Hi Suwandi,
  - Quoting the link The security profile "... form the metadata descriptions which influence the behavior during implementation of this service definition."
       => Does this mean the implementation should be handled by the application programmer?
  ----->>>> The service interface configuration needs to done by application developer and it should be as per given scenario. In most of the cases this configuration is same (unless a specific scenario).
  - The Security Profile section shows that there are some values available for the security profile and the default value when we create a new SI is Low.
  From the link above, it is stated that "Low - Basic Authentication using user ID and password and no transport security."
       => Does this mean I can configure the user ID and password to be used at the interface? If yes, where can I configure it?
  --->>> you do not need to configure the user id or password. this is for the consumer, when you expose your service interface as service and consumer needs to use the service with user id and password (for Low) and needs certificates for SSL connection.
  regards,
  Harish

• Creation of custom security profile

  Hi,
  During creation of the security profile, there is field 'internal name' .
  What is the significance of this field and how the internal name should be maintained. As this field becomes display once the security profile is created.
  Pointers will be appreciated.
  Rgds,
  Madhan

  Hi Madan
  Internal name is used by the system to identify a profile. While creating a new profile e.g. System Administrator_XYZ which is lets say based on the original system admin profile but with limited rights (to be given to a few users), you can extend the original internal name and extend it for e.g. fci.profile.admin.xyz
  Hope this helps!
  Regards
  Mudit Saini

• SQL Query in Custom Security when creating Security Profile

  Hello all,
  I've created a security profile with Custom security and provided a simple query in Custom Security tab-
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  Custom security option is "Restrict the people visible to each user using this profile"
  I am not able to see the record as expected.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to each user using this profile", I am able to see the record.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to this profile", I am able to see the record after running PERSLM and same is in PER_PERSON_LISTS.
  Am I correct in checking with FND_GLOBAL.EMPLOYEE_ID?
  (This was mentioned in system administrator guide :
  "+Oracle HRMS assesses the custom security when the user signs on. In addition, the custom security code can include references to user specific variables, for example, fnd_profile.value() and fnd_global.employee_id.+"
  docs.oracle.com/cd/E18727_01/doc.121/e13509/T2096T2098.htm).
  I have tried with FND_GLOBAL.USER_ID / FND_PROFILE.VALUE('USER_ID') / :ASG_ID (seeded query has a join with this bind variable) - not happening.
  I've given options as below :
  Employees = None
  Contingent Worker = Restricted
  Applicant = None
  Contacts = All
  Candidates = All
  All other options - Defaulted
  Thanks,
  Sumanth

  Resolved this - One cannot see self's employee record in the form for which this is setup.
  Hence the below query though correct in syntax did not show any data.
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  My original requirement was that all employees belonging to one's Organization should be displayed, and this is working fine with an updated query for the same.
  Thanks,
  Sumanth

• REQIMPORT errors when security profile set using 12I

  I am submitting the purchase requisition import using the following script in release 12I. The request is submitted but completes with an error.
  declare
  l_request_id NUMBER;
  l_batch_id NUMBER := 1027;
  l_ou_count NUMBER;
  l_org_id NUMBER := fnd_global.org_id;
  l_ou_name VARCHAR2(200);
  BEGIN
  fnd_global.apps_initialize (1759 -- User ID
  ,50557 -- Responsibility ID
  ,201); --Application ID
  mo_global.init('PO');
  mo_global.set_policy_context('S', l_org_id);
  mo_utils.get_default_ou(l_org_id, l_ou_name, l_ou_count);
  dbms_output.put_line('OU Name: '||l_ou_name||' OU count: '||l_ou_count||' ORG ID: '||l_org_id);
  l_org_id := mo_utils.get_default_org_id;
  dbms_output.put_line('Default ORG ID: '||l_org_id);
  l_request_id := fnd_request.submit_request
  (application => 'PO'
  ,program => 'REQIMPORT'
  ,description => NULL
  ,start_time => SYSDATE
  ,sub_request => FALSE
  ,argument1 => 'CONSIGNED MANUAL'
  ,argument2 => l_batch_id
  ,argument3 => 'LOCATION' --'Location'
  ,argument4 => NULL
  ,argument5 => 'N'
  ,argument6 => 'Y');
  dbms_output.put_line('Request ID: '||l_request_id);
  END;
  The MO: Default Operating Unit and MO: Operating Unit profiles are setup for the given responsibility with an operating unit value. The MO: Security Profile profile is set to a given profile at the site and responsibility level.
  When I remove the MO: Security Profile at the site level the purchase requisition concurrent request completes successfully. Only when the MO: Security Profile is set at the site level is the purchase requisition concurrent program submitted using the attached script erroring out.
  I can submit the purchase requisition import using the submit request form without any errors. I believe this is because the operating unit field is being populated.
  Has anyone run into this issue? Am I missing any commands that define the operating unit used in the concurrent program submission in release 12I?
  Any help is greatly appreciated.
  Charles

  Hi,
  Only when the MO: Security Profile is set at the site level is the purchase requisition concurrent program submitted using the attached script erroring out.Please see if the guidelines about this profile option in the following documents help.
  Note: 784609.1 - How Does R12 MOAC Defaulting Rules and MO: Security Profile Work?
  Note: 397362.1 - Multi Org Access Control (MOAC) in Oracle Purchasing
  Note: 420787.1 - Oracle Applications Multiple Organizations Access Control for Custom Code
  Regards,
  Hussein

• Setting 'MO: Security Profile or MO: Operating Unit profile option' - Urgen

  All,
  Version: 12.0.4
  Module: Purchasing
  I'm trying to invoke the PO_CHANGE_API1_S.record_acceptance to send the Advance shipment Notice doc to Oracle R12. On invocation I'm getting the following error
  ORA-20001: APP-FND-02902: Multi-Org profile option is required+
  set either MO: Security Profile or MO: Operating Unit profile option+
  1. How do I set this profile option?
  2. Is it required to set both security and OU profile option?
  3. At what level(site,appln,resp,user,ou,...) should I set the profile?
  Please help me.
  Thanks,
  Sen

  Hi,
  You can set those profile options from System Administrator responsibility > Profile > System.
  Please see these docs for details.
  Note: 602141.1 - R12 - Error ORA-20001, APP-FND-02902 Accessing Profile Classes Form With Multi-Org Access Control (MOAC) Enabled
  Note: 338332.1 - App-Fnd:02902: Multi-Org Profile Option Is Required. Ora-20001
  Note: 393560.1 - How To Prevent the Profile Option MO: Operating Unit being set to NULL at Site Level?
  Regards,
  Hussein

• Lost Security Profile Password

  I'm using Acrobat Pro 7.0 and have misplaced the password on a security profile.  When I originally set it up, I checked the box that said "Save Passwords with Policy".  Is there a way I can retrieve the password from my Windows XP system?

  If the user account is associated with an Apple ID, and you know the Apple ID password, then maybe the Apple ID can be used to reset your user account password.
  Otherwise*, boot into Recovery mode. When the OS X Utilities screen appears, select
  Utilities ▹ Terminal
  from the menu bar. In the window that opens, type this:
  res
  Press the tab key. The partial command you typed will automatically be completed to this:
  resetpassword
  Press return. A Reset Password window opens. Close the Terminal window to get it out of the way.
  Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
  Select your username from the menu labeled Select the user account if not already selected.
  Follow the prompts to reset the password. It's safest to choose a password that includes only the characters a-z, A-Z, and 0-9.
  Select
   ▹ Restart
  from the menu bar.
  You should now be able to log in with the new password, but your Keychain will be reset (empty.) If you've forgotten the Keychain password (which is ordinarily the same as your login password), there's no way to recover it.
  *Note: If you've activated FileVault, this procedure doesn't apply. Follow instead these instructions.