I'm looking for some advice regarding the consumption of REST services (from the user's browser) in an environment that utilizes OAM security and the Oracle Service Bus. Let me set the stage.
We've configured an instance of OAM with OHS acting as a proxy to our applications. One of our apps wants to pull some data (using an AJAX call) from a service directly to the browser. The service is currently protected using HTTP Basic authentication. This works fine for Java apps that want to make those service calls directly, but not so well when it is the browser that wants to make the call.
My assumption (up to this point) had been that I would be able to utilize the OAM Identity Asserter on the service bus in much the same way that we have been using it to propagate identity to our application servers. After speaking with some of the service developers (guys more intimately familiar with the OSB than I am), we haven't tried to do this before and are unsure of the proper implementation to achieve our goal.
So, with all of that being said, am I barking up the wrong tree? Would it be incorrect to have a REST service written that is serviced by two different OSB proxies? One that enforces HTTP Basic, and one that (somehow) uses the OAM_REMOTE_USER and an appropriate identity asserter to pass identity in such a manner that the OSB would be able to enforce security in that manner?
Is there a better way to secure REST services being made from the browser?