Security issue with Web Services on Oracle SOA suite? (Serious?)

Hi,
I have recently installed and set up the SOA 10.1.3 on my local machine.
I created a simple test web service and deployed - worked ok.
I then added simple plain text security to the service, and again opened it up for testing using the test service function.
Initially, it returns with the expected message 'missing soap header security'.
However if you refresh the page / or test the service again, it is then invoked - seemingly bypassing the security !!!
Oddly the 3rd attempt then shows the security message again, and it seems to alternate between allowing access to the service and imposing the security?!?!
Has anyone else experienced this?
Is it a bug? (If so, it's a pretty nasty one that could quite possibly catch a lot of people out!)

I have now created an independent client in Java to call the WS.
The security is still bypassed on every other call?!?!
I have this over HTTPS also, and was hoping this would provide an adequate means of securing my web services.
How is everyone else securing web services that are exposed to general consumers? Maybe I should find a new approach!
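
A repeatable check for the behaviour described in this post, run against a service you operate; this is an added example, not part of the original thread. It sends the same request without a WS-Security header several times and reports whether the policy rejected every call. The operation name, namespace, fault text and the alternating stub are constructed for illustration, and `http_transport` is the hook for a real endpoint URL.

```python
"""Added example: is a WS-Security policy enforced on every call, or only some?"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed request with an empty SOAP header (no wsse:Security element).
# The operation name and namespace are hypothetical.
UNAUTHENTICATED_REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="' + SOAP_NS + '">'
    "<soapenv:Header/>"
    '<soapenv:Body><t:sayHello xmlns:t="urn:example:test"/></soapenv:Body>'
    "</soapenv:Envelope>"
).encode("utf-8")

# Constructed responses used by the stub below.
FAULT_RESPONSE = (
    '<soapenv:Envelope xmlns:soapenv="' + SOAP_NS + '"><soapenv:Body>'
    "<soapenv:Fault><faultcode>soapenv:Client</faultcode>"
    "<faultstring>missing soap header security</faultstring>"
    "</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
).encode("utf-8")
OK_RESPONSE = (
    '<soapenv:Envelope xmlns:soapenv="' + SOAP_NS + '"><soapenv:Body>'
    '<t:sayHelloResponse xmlns:t="urn:example:test">hello</t:sayHelloResponse>'
    "</soapenv:Body></soapenv:Envelope>"
).encode("utf-8")


def is_soap_fault(body):
    """True if body is a SOAP 1.1 envelope whose Body contains a Fault."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.find("{%s}Body/{%s}Fault" % (SOAP_NS, SOAP_NS)) is not None


def http_transport(url, timeout=10):
    """Return a send(payload) -> (status, body) callable for a real endpoint."""
    def send(payload):
        req = urllib.request.Request(
            url, data=payload,
            headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            # SOAP faults normally arrive with an HTTP error status.
            return err.code, err.read()
    return send


def make_alternating_stub():
    """Constructed stand-in for the reported behaviour: fault, accept, fault, ..."""
    calls = {"n": 0}

    def send(payload):
        calls["n"] += 1
        return (500, FAULT_RESPONSE) if calls["n"] % 2 == 1 else (200, OK_RESPONSE)
    return send


def check_enforcement(send, attempts=10):
    """Send the unauthenticated request `attempts` times.

    Returns (verdict, accepted): accepted lists the 1-based attempts on which
    the service answered with a 2xx non-fault response, i.e. processed the call.
    """
    accepted = []
    for n in range(1, attempts + 1):
        status, body = send(UNAUTHENTICATED_REQUEST)
        if 200 <= status < 300 and not is_soap_fault(body):
            accepted.append(n)
    if not accepted:
        verdict = "enforced"
    elif len(accepted) == attempts:
        verdict = "not enforced"
    else:
        verdict = "intermittent"
    return verdict, accepted


if __name__ == "__main__":
    # Offline demo against the stub; swap in http_transport("<endpoint URL>")
    # to test a deployed service.
    print(check_enforcement(make_alternating_stub(), attempts=6))
```

A single rejected call proves little when enforcement alternates, which is why the check repeats the request and reports the attempt numbers that got through.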

Similar Messages

  • Integrating Oracle eBusiness Suite with banking services using Oracle SOA

    Hi,
    I am working on a project for integrating Oracle eBusiness Suite with banking services using Oracle SOA. We have implemented Oracle SOA and are trying to call the bank's services using SOA.
    The bank has provided its web services over http which accepts XML data as string through HTTPS post invocation and provides response accordingly in string XML Data.
    For each service, specific format of request and response message has been provided.
    I am trying to call their web services using HTTP binding adapter.
    I would like to know whether my approach of calling bank's web service using HTTP binding adapter is correct or not.
    Looking ahead for your valuable insight and advice.
    Thanks

    Hi,
    Thank you for your reply.
    Is the usage of B2B not applicable for this project ?
    Thanks

  • Error invoking web service deployed in SOA Suite

    I have implemented a stateful web service in JDeveloper 10.1.3.2.
    I can successfully test an operation of the web service from the embedded OC4J of JDeveloper, but I cannot succeed when I try to do the same from the application server control of SOA Suite.
    The response of the web service in the second case is the XML of the request. I cannot understand.
    I implemented a web service proxy in JDeveloper that invokes the web service deployed in SOA Suite. When I run it, it gives me an exception like this:
    unexpected element name: expected={http://orclproject/types/}doLoginResponseElement, actual={http://orclproject/types/}doLoginElement
         at oracle.j2ee.ws.common.encoding.literal.LiteralObjectSerializerBase.internalDeserialize(LiteralObjectSerializerBase.java:231)
         at oracle.j2ee.ws.common.encoding.literal.LiteralObjectSerializerBase.deserialize(LiteralObjectSerializerBase.java:159)
         at klient7.proxy.runtime.OrclLoginWSSoapHttp_Stub._deserialize_doLogin(OrclLoginWSSoapHttp_Stub.java:1022)
         at klient7.proxy.runtime.OrclLoginWSSoapHttp_Stub._readFirstBodyElement(OrclLoginWSSoapHttp_Stub.java:891)
         at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:333)
         at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
         at klient7.proxy.runtime.OrclLoginWSSoapHttp_Stub.doLogin(OrclLoginWSSoapHttp_Stub.java:484)
         at orclproject.OrclLoginWSSoapHttpPortClient.doLogin(OrclLoginWSSoapHttpPortClient.java:65)
         at orclproject.OrclLoginWSSoapHttpPortClient.main(OrclLoginWSSoapHttpPortClient.java:28)
    where doLogin is the operation of the web service.
    Any idea?
    Thanks in advance...

    Hi,
    almost 8 months passed since this post, but if still actual then look at BUG: Request XML returned as response when result too large thread. It may be the same problem with large data sets.
    Regards,
    Patrik

  • Integration with PeopleSoft Applications Using Oracle SOA Suite 11g BPEL

    Hi,
    I'm integrating BPEL with Peoplesoft FSCM 9.0 Application on tools 8.49 using Oracle SOA Suite 11g. The BPEL invokes the web service method generated from Peoplesoft Component Interface in a synchronous manner.
    I have deployed the BPEL in Oracle SOA Suite 11g using Jdeveloper successfully but I have problem in configuring the BPEL node in Peoplesoft side using Oracle SOA Suite 11g(FMW) . I had done the integration of BPEL with Peoplesoft FSCM 9.0 on tools 8.49 using Oracle SOA Suite 10g earlier successfully by configuring BPEL node properties as follows:
    BPEL CONSOLE : http://Host Name:8888/BPELConsole (System with Oracle SOA Suite 10g server for deployment)
    BPEL DOMAIN : default
    Using this BPEL node configuration, I was able to ping the BPEL console of Oracle SOA Suite 10g from peoplesoft and hence complete the integration successfully.
    Now in order to accomplish Business rules and other functionality, the BPEL application has been developed in Oracle SOA Suite 11g using Jdeveloper 11g. This time I'm not able to configure the BPEL node in Peoplesoft for this integration as I'm assuming there is no separate BPEL console in Oracle SOA Suite 11g. All the BPEL deployments are administered in console (11g console used for deployment of BPEL)
    http://Host Name:7001/em (System with Oracle SOA Suite 11g server - Fusion Middleware).
    So when I Configured the BPEL node property in Peoplesoft as :
    BPEL CONSOLE : http://Host Name:7001/em (System with Oracle SOA Suite 11g server for deployment)
    BPEL DOMAIN : default
    I'm not able to ping the Peoplesoft BPEL node to the Oracle SOA Suite 11g. Hence I'm not able to proceed with my integration.
    When I searched the OTN discussion forum on BPEL console for Oracle SOA Suite 11g, all threads point that there is no separate BPEL console unlike Oracle SOA Suite 10g. Also most of the articles for Integration with Peoplesoft Application using SOA 11g do not state any specific configuration setting for property of Peoplesoft BPEL node in order to integrate with BPEL 11g. The examples published in OTN still point towards screen shots of integration using SOA Suite 10g.
    So I'm not able to proceed in this regard.
    Any help in this regard is highly appreciated.
    Thanks in Advance,
    Girish
    Edited by: user11214154 on Nov 23, 2009 8:12 PM
    typo error

    Hi,
    I found this document from the Oracle Open World 2009 (maybe you have found it too) :
    "Integration with PeopleSoft applications using oracle soa suite 11g BPEL" --> [http://www.oracle.com/technology/tech/fmw4apps/peoplesoft/pdf/oow2009-bpel-psft.pdf]
    And this could be a little more simple, but have a good step-by-step tutorial.
    [http://www.oracle.com/technology/obe/fusion_middleware/fusion/soa/BPEL_PS848/OBE_PSFT_BPEL_848.htm]
    I think you must read this docs by now, but never come amiss.
    Hope this can help you,
    By the way, if you can help me with this I'll appreciate it a lot.
    Unable to access the following endpoint(s)

  • Can a dotnet application talk with unix os using Oracle SOA Suite?

    How can a dotnet application talk with a unix operating system using Oracle SOA Suite? I have to automate a process on a unix server, like create user, through a dotnet application. Is it possible?
    My dotnet application is used for creating users and granting access on the servers. Some servers are 21C servers and some are legacy servers. In this dotnet application a user makes certain requests for the rights on those servers, e.g. create user, give access rights, change password. This application is treated as the user interface and maintaining tool of all this information, and later on the basis of that request it generates the job-sheet. This job sheet is forwarded to the responsible engineer, who further provisions the request manually by going to that specific server in the request. So I want to automate this process so that when a user puts any access or create user request, then the moment he puts the request, that request should be provisioned without any human intervention, i.e. automatically users must be created or the password must be changed. I believe you will get enough of an idea about my problem from all the above information. So please help me.

    Post your query at "SOA Suite Discussion Forum"
    SOA Suite

  • Issue with Web Service Security

    Dear Forum Members and Readers,
    I am a beginner to Web Services, and facing an issue with WS-Security.
    My issue seemingly is quite specific to my projects though, It will be great if you can provide me your views.
    Context Description:
    I am developing a Java Web Service application that is deployed on JBoss Application Server.
    This application will communicate with two other applications those are not deployed in same JBoss Application Server.
    These 2 applications are third party applications, one is C++ based web services and other is Java based web services.
    My application gives a call to Third Party Application 1 and receives the response back from it. It then passes this received response to Third Party Application 2.
    Issue Description:
    I now need to enable the HTTPS paradigm among these 3 applications. (I need to implement a web service security model here.)
    I started with looking in to JBoss specific WS-Security but found it not suitable in my case, as it requires to configure both the client and server. I have the control over my application but not on other 2 third party applications.
    To this extent, I am unable to identify a solution that can address my issue.
    Can anybody please provide me with initial thoughts or any reference material that might help me to give this a start.
    Any clue will be highly appreciated!
    Thanks in advance
    Mukul

    mukul.object wrote:
    "Actually, my SOAP messages contains some critical information that needs to be encrypted."
    You think that it's critical information; however, your third party doesn't. If they would have had the same thought they would have enabled the security. As I said earlier, you will have to discuss this with them.
    Another solution (however I don't know the viability in your case) could be to deploy one component before each third party service. Your web service will call this new component (which is installed in their environment, i.e. local to the third party web service) and the new component will forward the request to the third party service. Now you can apply security/encryption/decryption between your web service and your component.
    "I have had a look in to XMLEncryption using that I can encrypt my SOAP messages but I wonder how would other tools decrypt that."
    My above comments answer this.
    "Is there anyway I can encrypt my SOAP messages (without having to customize third party tools) in this scenario ??"
    My above comments answer this.

  • Security issue with web server plug-in with Weblogic server

    Hi,
    I have a setup where I have a Microsoft IIS set up as the front facing web server and have the WLS IIS plug-in installed on it. At the backend are two WLS11g managed servers in a cluster.
    I have a JAX-WS client running on HPUX hitting the web service via IIS but I observe a very strange thing. When the service request is rather small, it could pass through IIS and the managed servers could pick up the call and reply correctly. However, when I have a bigger request call (larger payload), it will error out, citing "Unsupported Content-Type: text/html Supported ones are: [text/xml]".
    I have also attempted to put in a TCP/IP Monitor between the client and IIS and it appears that regardless of whether the call gets through, it seems to consistently get hit with an HTTP error 401.2, followed by a 401.1, and then the WSDL came back. I am pretty sure that the web services are not secured as I could get the WSDL without any authentication on the managed servers direct from my browser (it did pop the authentication window if I attempt to hit the web services via IIS).
    Anyone has any idea what is going on, the issue seems to be so contradicting...
    Thanks in advance.

    When you look at this link http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx?mfr=true
    You can check the authentication method that is configured for that node in the metabase.

  • Problem with web service deployment Oracle AS 10.1.2

    Hi All!
    I have built a java web service using JDK 1.4 and J2EE 1.3 from Jdeveloper 10.1.3 and trying to deploy it on Oracle AS 10.1.2 (Unix). When I deploy it from Jdeveloper it gives me an error of DCM servlet and status code as (-1).
    But when I deploy it from the Enterprise Manager using EAR (WAR also tried), it deploys the service successfully but I am not able to access it. When I try to access it, it shows me "Page Can not be displayed".
    These are the details of my project
    My project name: TestWebserviceForDeployment
    webservice name: Testservice
    While deploying I gave the
    application name: Testservice
    url mapping :/test
    Now I am trying to access it from the browser as http://<host>:<port>/Testservice/test but it shows "Page can not be displayed". Am I doing right?
    Pl help!
    Thanx!
    Neeraj!

    Try http://<host>:<port>/test instead.

  • Issue with dns service in Oracle 6.4

    Hi. I have tried to do everything like here, setting hostname, domainname and static IP address, but it did not help me and I still have an issue with resolving DNS names.
    [root@node1 etc]# ping 192.168.226.128
    PING 192.168.226.128 (192.168.226.128) 56(84) bytes of data.
    64 bytes from 192.168.226.128: icmp_seq=1 ttl=64 time=0.049 ms
    64 bytes from 192.168.226.128: icmp_seq=2 ttl=64 time=0.053 ms
    64 bytes from 192.168.226.128: icmp_seq=3 ttl=64 time=0.068 ms
    ^C
    --- 192.168.226.128 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2320ms
    rtt min/avg/max/mdev = 0.049/0.056/0.068/0.011 ms
    [root@node1 etc]# nslookup 192.168.226.128
    Server:         192.168.226.2
    Address:        192.168.226.2#53
    ** server can't find 128.226.168.192.in-addr.arpa.: NXDOMAIN
    [root@node1 etc]# nslookup node1.node.com
    Server:         192.168.226.2
    Address:        192.168.226.2#53
    Non-authoritative answer:
    *** Can't find node1.node.com: No answer
    [root@node1 etc]# nslookup node1
    Server:         192.168.226.2
    Address:        192.168.226.2#53
    Non-authoritative answer:
    *** Can't find node1: No answer
    [root@node1 etc]# nslookup node.com
    Server:         192.168.226.2
    Address:        192.168.226.2#53
    Non-authoritative answer:
    *** Can't find node.com: No answer
    Meanwhile:
    [root@node1 etc]# nslookup oracle.com
    Server:         192.168.226.2
    Address:        192.168.226.2#53
    Non-authoritative answer:
    Name:   oracle.com
    Address: 137.254.120.50
    [root@node1 etc]#
    my resolv.conf file is:
    [root@node1 etc]# cat /etc/resolv.conf
    # Generated by NetworkManager
    domain localdomain
    search localdomain node.com
    nameserver 192.168.226.2
    [root@node1 etc]#
    and
    [root@node1 etc]# cat /etc/hosts
    127.0.0.1   localhost.localdomain localhost
    192.168.226.128  node1.node.com node1
    [root@node1 etc]#
    [root@node1 etc]# hostname -a
    node1
    [root@node1 etc]# hostname -d
    node.com
    [root@node1 etc]# hostname
    node1.node.com
    DNS configuration RGhost - file sharing service
    [root@node1 etc]# rpm -q bind
    package bind is not installed
    but:
    [root@node1 etc]# rpm -q  bind-utils
    bind-utils-9.8.2-0.17.rc1.0.2.el6.x86_64
    and:
    [root@node1 etc]# ps -ef | grep -i bind
    rpc       1947     1  0 Dec21 ?        00:00:00 rpcbind
    nobody    2831     1  0 Dec21 ?        00:00:00 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/default.pid --conf-file= --except-interface lo --bind-interfaces --listen-address 192.168.122.1 --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhcp-lease-max=253 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
    root      8237 19846  0 04:18 pts/2    00:00:00 grep -i bind
    So I cannot understand why DNS is not able to resolve the IP or the whole name for the mentioned hostname?

    As I understand it..
    nslookup does a Name Server Lookup - which means asking the DNS to resolve a hostname to an IP address. Which it only can do if it has that hostname/IP mapping.
    In your case, that hostname/IP mapping only exists in /etc/hosts - not in the DNS. Thus the DNS cannot resolve it.

  • Possible issue with Web service connections in SP3

    Hello,
    I installed Xcelsius 2008 SP3 over SP2 and some of my input values for my web service connection were not being built into the XML request. I then rolled back to 2008 SP2 and all was fine. Not a thing I tried could fix it, and it was not all the input values, just some of them and the same ones each time. Perhaps I installed different Xcelsius suites: the SP2 one I have is a trial version and has a black BO splash, the SP3 one has a yellow SAP splash. SP3 has some funky enhancements so I would certainly like to go that way. Any ideas? Or ideas as to how I could get this into BO support for troubleshooting?
    Regards,
    Gilbert

    By mistake I posted to this thread. Removing my message.
    Edited by: Anil Kumar on Dec 24, 2009 4:55 AM

  • Web services Problem in SOA suite 10.1.3

    Hi everybody,
    I have a particular web service which opens fine with 10.1.3 JDeveloper using the partner, but when I try to deploy the application with that particular web service I get this error:
    BUILD FAILED
    D:\downloads\jdevstudio10131\jdev\mywork\KveniApplications\TelematicsMeter\build.xml:79: A problem occured while connecting to server "localhost" using port "8888": bpel_TelematicsMeter_1.0.jar failed to deploy. Exception message is: ORABPEL-05215
    Error while loading process.
    The process domain encountered the following errors while loading the process "TelematicsMeter" (revision "1.0"): Failed to read wsdl.
    Error happened when reading wsdl at "http://drive-app1.drivesoftwaresolutions.com/oracle_telematics_integration/OTIIncomingWS?wsdl", because "Failed to read wsdl file at: "http://drive-app1.drivesoftwaresolutions.com/oracle_telematics_integration/OTIIncomingWS?wsdl", caused by: java.net.ConnectException. : Connection timed out: connect".
    Make sure wsdl exists at that URL and is valid.
    If you have installed a patch to the server, please check that the bpelcClasspath domain property includes the patch classes.
    at com.collaxa.cube.engine.deployment.CubeProcessHolder.bind(CubeProcessHolder.java:285)
    at com.collaxa.cube.engine.deployment.DeploymentManager.deployProcess(DeploymentManager.java:804)
    at com.collaxa.cube.engine.deployment.DeploymentManager.deploySuitcase(DeploymentManager.java:670)
    at com.collaxa.cube.ejb.impl.BPELDomainManagerBean.deploySuitcase(BPELDomainManagerBean.java:445)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.JAASInterceptor$1.run(JAASInterceptor.java:31)
    at com.evermind.server.ThreadState.runAs(ThreadState.java:620)
    at com.evermind.server.ejb.interceptor.system.JAASInterceptor.invoke(JAASInterceptor.java:34)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.TxRequiredInterceptor.invoke(TxRequiredInterceptor.java:50)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
    at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
    at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
    at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
    at DomainManagerBean_RemoteProxy_4bin6i8.deploySuitcase(Unknown Source)
    at com.oracle.bpel.client.BPELDomainHandle.deploySuitcase(BPELDomainHandle.java:317)
    at com.oracle.bpel.client.BPELDomainHandle.deployProcess(BPELDomainHandle.java:339)
    at deployHttpClientProcess.jspService(_deployHttpClientProcess.java:376)
    at com.orionserver.http.OrionHttpJspPage.service(OrionHttpJspPage.java:59)
    at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:453)
    at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:591)
    at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:515)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
    at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
    at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
    at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
    at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
    at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
    at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    It asks me to install a patch and set the classpath to those patches.
    What's the patch number I need to install so that this particular web service starts working?
    This works fine with 10.1.2 BPEL.
    Please help me in resolving this error.
    Thanks
    Kveni

    Hi.
    I suspect you have a proxy server between your localhost and the
    drive-app1.drivesoftwaresolutions.com
    Probably in Jdev that proxy is setup nicely in Tools->Preferences->Web Browser and Proxy
    But maybe your OC4J container running BPEL on localhost does not have that proxy setup.
    You need to add startup parameters to the JVM. In 10.1.3 you can do this via the "AS Control" administration pages (there is a link on the SOA suite welcome page). Go to JVM, click on the container and switch to the "Administration" tab.
    The properties are proxySet, proxyHost, proxyPort and nonProxyHosts
    When deploying from JDev, the compilation in JDev works fine (uses the proxy). But when the JAR is transferred to the server, it is compiled again. This fails because the proxy is not used on the server side and it cannot read the wsdl.

  • Web Services Manager Control, SOA Suite, Retrieving Roles from OID

    I am a bit confused about mapping of groups and privileges when it comes to the LDAP (in my case oracle internet directory, OID) and groups defined by Web Services Manager Control.
    I am using Web Services Manager Control->Manage Policies to define a gateway (or agent) for my web services. Through      
    Policy Management > Manage Policies > Policies > Policy
    I have also defined some pipeline steps which require authorization by an LDAP provider.(OID)
    I need two things:
    - First I have such roles and groups here in Web Services Manager:
    Administration > Groups / Roles
    Group Name    Role Name
    su1-grp       Super User
    da1-grp       Domain Administrator
    ca1-grp       Component Administrator
    ca2-grp       Component Administrator
    which could be set for view and modification of web services. What is the relation between these groups and user groups in Oracle Internet Directory which I authorize against?
    - Second, my web services are invoked from pages which access to them involves authentication and authorization against OID. I need the username/password to be propagated to the web service automatically. If the web service is presented as a button on such pages, for example, I don't want the user to be forced to enter username/passwords for each call to the services.
    I appreciate any comments or reference to books and documents.
    Thank you in advance.
    Best Regards,
    Farbod

    Hi Farbod
    Your problem is not new and I have posted in a couple of other threads before.
    Roles in OID are for you to authorize the web service message itself. In your case, when the user logs in to your web application and calls the web service, you have to do two things:
    a) Extract Credentials
    b) Authenticate against LDAP
    c) Perform authorization against LDAP
    Now the tricky part is, you have to have the same username and password. You have to capture and store it in session (ugly ugly... from a security point of view) and then when you call the web service, you then invoke with the username and password.
    There are other better options available but they might require additional work or infrastructure.
    If your web application is protected by Oracle Access Manager or SiteMinder, you can pass those cookies.
    The next option is using SAML. You can generate a SAML token on behalf of the user, and attach the SAML token to the web service message. In OWSM you then configure it to validate the SAML token and then you have to write a custom step to extract the user name and perform any authorization.
    Since you have to write a custom step anyway, the third option is that you can send an encrypted cookie (your web application can create a login session cookie, encrypted after the user signed in). In OWSM you can write a custom step to decrypt the cookie and then perform any validation.
    You have the easiest option of sending the same username and password with a security risk, or a custom development approach.
    Thanks
    Ram
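
The custom-step options in the reply above come down to sending the gateway a short-lived proof of identity instead of the stored password. The sketch below is an added example, not part of the thread and not OWSM code: it swaps the encrypted cookie for an HMAC-signed token, so the username is readable but cannot be altered or reused after expiry. The function names, the claim layout and the key shared between the web application and the gateway are assumptions.

```python
"""Added example: pass a short-lived signed identity token instead of the password."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    """URL-safe base64 without padding, suitable for a cookie or header value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text):
    """Inverse of b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, key, ttl_seconds=300, now=None):
    """Web application side: called once, after the user has authenticated."""
    now = int(time.time()) if now is None else int(now)
    claims = json.dumps(
        {"sub": username, "exp": now + ttl_seconds},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    tag = hmac.new(key, claims, hashlib.sha256).digest()
    return b64url(claims) + "." + b64url(tag)


def verify_token(token, key, now=None):
    """Gateway side: return the username, or None if the token must be rejected."""
    now = int(time.time()) if now is None else int(now)
    try:
        claims_part, tag_part = token.split(".")
        claims = unb64url(claims_part)
        tag = unb64url(tag_part)
    except (ValueError, AttributeError):
        return None  # wrong shape or not valid base64
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # altered claims, or signed with a different key
    try:
        data = json.loads(claims.decode("utf-8"))
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    exp, sub = data.get("exp"), data.get("sub")
    if not isinstance(exp, int) or not isinstance(sub, str) or exp <= now:
        return None  # incomplete or expired
    return sub


if __name__ == "__main__":
    shared_key = b"constructed-demo-key-32-bytes!!!"  # constructed; use a random secret
    token = issue_token("alice", shared_key, ttl_seconds=60)
    print(token, "->", verify_token(token, shared_key))
```

Authorization against LDAP still happens at the gateway using the returned username; the token only replaces the step where the password would otherwise be kept in the session.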

  • Help!! Security Issues with web site

    Whenever we start our webservices, web visitors can view our folder list. The option is disabled on the server and the web folder is not being shared.
    Any ideas? One of my sites was hacked into.
    thanks!!

    Without an index.html file, the directory structure is shown by default in Apache.
    The easiest thing to do is have an index.html file in every folder. Nothing elaborate, just a simple html page will do.
    Hope this helps
    -Gregg

  • Certificate Issue in web services Using j2ee in oracle apps 11i

    Hi all,
    I am working with web services integration in Oracle Apps 11i. I used J2EE technology. I installed j2eesdk-1_4_03 and tested with j2eetutorial. I have to integrate a third party payment system with web services in Oracle Apps 11i. I run the following commands in PuTTY:
    build: asant build
    packing: asant create-war
    deploy: asant deploy-war
    client java:
    compile: asant build
    run: asant run
    While I run the "asant run" command, I get the error below:
    sun.security.validator.ValidatorException: No trusted certificate found
    I added the third party certification but I got the same error which I mentioned above.
    Is any certification or settings needed to run the web services in EBS?
    Thanks
    Edited by: 910361 on Nov 1, 2012 7:09 AM

    Hi,
    I did the settings according to your advice; I got the below error when I ran the below command to add the certificate to the keystore.
    command:
    keytool -import -keystore /usr/j2ee/jdk/jre/lib/security/cacerts -file /usr/Class3G2.cer
    Error:
    keytool error: java.lang.Exception: Input not an X.509 certificate
    Thanks
    Edited by: 910361 on Jan 27, 2012 4:38 AM

  • Web Service Best and Worst Practices within Oracle SOA Suite

    Hi All,
    Has anybody got a single document that concisely details the best and worst practices around the design of web services for Oracle SOA and BPEL?
    I'm interested in the following aspects:
    1. Level of Granularity
    2. Level of Reuse
    3. BPEL orchestration. numbers of BPEL process vs services
    4. Transport choices...SOAP vs REST vs Big Services etc
    5. Activity Monitoring with BAM
    6. Future proofing of signatures and ongoing maintenance and process change
    I'm constructing a document myself to share on this forum, but I'd be very interested to use the wisdom of others if somebody has done this before...
    Thanks in advance :)

    This is a question best answered by your Oracle reseller or Oracle account manager to give you all the details but I hope this brief answer helps:
    - The Unified Business Process Management Suite (BPM Suite 11g) includes: BPM Studio, BPM Composer, BPMN Service Engine and Workflow Extensions, BPM Process Spaces, and BPM Process Analytics.
    - BPM Suite 11g requires the licensing of SOA Suite 11g for Oracle Middleware which requires a license for WebLogic Suite.
    - You can license SOA Suite 11g now and license BPM Suite 11g later.
    Since the products are layered, I don't see this cutting into SOA sales at all. My personal view is that BPM on top of SOA is brilliant since it provides easy integration between human and automated tasks, builds on many of the SOA concepts that are key for a successful BPM implementation (functional, not the Oracle product), and uses the same IDE. The synergies extend past easy use of services; the same business rules and human workflow components are used between both products.
