How Does Node Authentication Work in Conjunction with Basic Authentication for REST Service Operatio
edited Dec 5, 2013 5:02PM in PeopleTools and Lifecycle Management - PSFT (MOSC)
A pain point for implementing WS-Security (when using the UsernameToken option) has always been that IB is not secure by default for inbound SOAP based integrations.
Specifically, if you try to secure inbound SOAP-based web services using WS-Security, the password is considered optional. A consequence of this design is that if an inbound message hits a web service endpoint (and this request message contains an invalid ID), the request can be reformatted to exclude the password element, and if the corresponding user ID exists in the system (and is authorized to the Service Operation), the request is honoured. To further complicate how authentication works, if the user ID associated with the ANONYMOUS Node is also authorized to the Service Operation, the request is honoured, regardless of whether
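The behaviour the post describes is a UsernameToken check where a missing Password element is not treated as a failure. The following is an added example, not PeopleSoft IB code and not from the original thread: a small validator that parses a SOAP envelope, requires the wsse:UsernameToken to carry both a Username and a non-empty Password, verifies the password against a constructed credential store, and then checks that the user is authorized to the named service operation, with no fallback to any ANONYMOUS-node user. The user IDs, passwords, and the service operation name `PO_REQUEST.v1` are constructed sample values.

```python
import hmac
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Standard SOAP 1.1 envelope and WS-Security (WSS 1.0) secext namespace URIs
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Constructed sample credential store: user ID -> password (hypothetical values)
CREDENTIALS = {"INTEGRATION_USER": "s3cret-example"}
# Constructed sample authorization map: service operation -> user IDs allowed to invoke it
AUTHORIZED = {"PO_REQUEST.v1": {"INTEGRATION_USER"}}


def validate_username_token(envelope_xml: str, service_operation: str) -> Tuple[bool, str]:
    """Accept the request only if the UsernameToken has a Username AND a non-empty
    Password that matches the store, and the user is authorized to the operation.
    A token with no Password element fails outright: the password is mandatory here,
    and there is deliberately no fallback to an ANONYMOUS-node user."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, f"malformed SOAP envelope: {exc}"

    token = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken in WS-Security header"

    user_el = token.find("wsse:Username", NS)
    pwd_el = token.find("wsse:Password", NS)
    if user_el is None or not (user_el.text or "").strip():
        return False, "UsernameToken has no Username"
    if pwd_el is None or not (pwd_el.text or "").strip():
        return False, "UsernameToken has no Password element (password is required)"

    user = user_el.text.strip()
    expected = CREDENTIALS.get(user)
    # Constant-time comparison; unknown user and wrong password give the same answer
    if expected is None or not hmac.compare_digest(pwd_el.text.strip(), expected):
        return False, "unknown user or wrong password"

    # Authentication alone is not enough: the user must be authorized to this operation
    if user not in AUTHORIZED.get(service_operation, set()):
        return False, f"{user} is not authorized to {service_operation}"
    return True, f"{user} authenticated for {service_operation}"


def build_envelope(username: str, password: Optional[str]) -> str:
    """Build a constructed sample SOAP request; password=None omits the Password element."""
    pwd = f"<wsse:Password>{password}</wsse:Password>" if password is not None else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}">
  <soapenv:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        {pwd}
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><PO_REQUEST/></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    samples = [
        ("valid credentials", build_envelope("INTEGRATION_USER", "s3cret-example")),
        ("password element stripped", build_envelope("INTEGRATION_USER", None)),
        ("wrong password", build_envelope("INTEGRATION_USER", "guess")),
        ("unknown user, no password", build_envelope("SOMEONE_ELSE", None)),
    ]
    for label, envelope in samples:
        print(f"{label:28s} -> {validate_username_token(envelope, 'PO_REQUEST.v1')}")
```

Only the first sample is accepted; the second, which is the case the post describes (same valid user ID, Password element removed), is rejected before any credential or authorization lookup happens.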