0 Replies Latest reply on Mar 23, 2011 4:05 PM by OlegS

    Identity tokens in Web Service Security.


      We need to create a security mechanism for Oracle Fusion Middleware. Our project has a very big set of
      Web Services deployed on a WebLogic server, and we also have Composites which are created in SOA Suite.
      And there is a client application which uses all of these web services.

      So we need to create a security mechanism for the client application. These are the main requirements:

      1. The client should enter user credentials (login/password) and send them to the server. Then these credentials should be validated and a client identification token should be generated and sent back to the client. We should implement our custom user validation mechanism, because the user list is stored in the Siebel database. This token should be assigned to user permissions and Oracle roles.

      2. The client calls the web services only using this token.

      3. The token must be assigned to the client IP address, to avoid intercepting the token and sending it from another client.

      4. All requests from/to the server should be secured under SSL.

      5. All web services should be consolidated in one proxy service, which will be accessible from the Internet. As I understand it, this should be implemented using Oracle Service Bus.

      I've found that Oracle Fusion Middleware has a lot of security solutions (Oracle Identity Management, Oracle Web Services Manager, Oracle Access Manager), but I can't understand which is more suitable for my requirements.

      Any idea how to implement this?

      Thanks in advance for your time.

      Best Regards,