4 Replies. Latest reply: Feb 27, 2014 11:13 PM by Rapid Value Solutions

    User authentication for webservices

    Rapid Value Solutions

      Hi,

       

      I am using Oracle R12.

      I want to know how Oracle handles user authentication when calling custom APIs through Integrated SOA Gateway.

      I know that we are using security headers to do this.  The header part is given below.

       

         <soapenv:Header>
           <xx:SOAHeader>
              <xx:Responsibility>INVENTORY_VISION_OPERATIONS</xx:Responsibility>
              <xx:RespApplication>INV</xx:RespApplication>
              <xx:SecurityGroup>STANDARD</xx:SecurityGroup>
              <xx:NLSLanguage>AMERICAN</xx:NLSLanguage>
              <xx:Org_Id>204</xx:Org_Id>
           </xx:SOAHeader>
           <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
              <wsse:UsernameToken wsu:Id="UsernameToken-1">
                 <wsse:Username>uname</wsse:Username>
                 <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
                 <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">rerr6et6eHFV</wsse:Nonce>
                 <wsu:Created>2013-02-13T08:58:50.649Z</wsu:Created>
              </wsse:UsernameToken>
           </wsse:Security>
         </soapenv:Header>

       

       

      But when a person is simply logging in to the application, how can we choose a responsibility without knowing what responsibilities a person has?

      The <xx:SOAHeader></xx:SOAHeader> is not mandatory. So can I simply not pass this header? Or is there a default responsibility that can be specified for all users?

       

      Also, in what scenarios is the <wsse:Security> header not required? I recently checked and found that even without providing the Security header, it is possible to execute a service in ISG. Hence the question.

       

       

      Thanks,

       

      Anoop
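
An added example, not part of the original post and not Oracle's code: a client-side pre-flight check in Python that parses a request and reports whether the wsse:Security UsernameToken and the SOAHeader responsibility shown above are present, and whether the password travels as PasswordText. The finding labels, the helper names and the placeholder namespace URIs for soapenv and xx are assumptions; the sample requests are constructed.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def local(elem):
    """Tag name without its {namespace} prefix."""
    return elem.tag.rsplit("}", 1)[-1]

def child(parent, name):
    """First direct child with the given local name, or None."""
    return next((e for e in parent if local(e) == name), None)

def audit_header(envelope_xml):
    """Return sorted findings for one SOAP request (empty list = nothing flagged)."""
    header = child(ET.fromstring(envelope_xml), "Header")
    if header is None:
        return ["no-soap-header"]
    findings = []
    token = header.find(f"{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        findings.append("no-usernametoken")        # request carries no credentials
    else:
        pwd = token.find(f"{{{WSSE}}}Password")
        if pwd is None or not (pwd.text or "").strip():
            findings.append("empty-password")
        elif pwd.get("Type") == PASSWORD_TEXT:
            findings.append("cleartext-password")  # protected only by the transport
        for ns, name in ((WSSE, "Nonce"), (WSU, "Created")):
            if token.find(f"{{{ns}}}{name}") is None:
                findings.append(f"no-{name.lower()}")
    soa = child(header, "SOAHeader")
    resp = child(soa, "Responsibility") if soa is not None else None
    if resp is None or not (resp.text or "").strip():
        findings.append("no-responsibility")
    return sorted(findings)

# Constructed sample parts; the soapenv and xx namespace URIs are placeholders.
SOA = "<xx:SOAHeader><xx:Responsibility>INVENTORY_VISION_OPERATIONS</xx:Responsibility></xx:SOAHeader>"
SEC = (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
       f'<wsse:Username>uname</wsse:Username><wsse:Password Type="{PASSWORD_TEXT}">pwd</wsse:Password>'
       '<wsse:Nonce>rerr6et6eHFV</wsse:Nonce><wsu:Created>2013-02-13T08:58:50.649Z</wsu:Created>'
       '</wsse:UsernameToken></wsse:Security>')

def envelope(*header_parts):
    """Wrap the given header fragments in a minimal SOAP envelope."""
    return ('<soapenv:Envelope xmlns:soapenv="urn:example:soap" xmlns:xx="urn:example:soaheader">'
            f'<soapenv:Header>{"".join(header_parts)}</soapenv:Header><soapenv:Body/></soapenv:Envelope>')
```

Calling `audit_header(envelope(SOA))` reproduces the case described in the post, a request that carries a responsibility but no Security header.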

        • 1. Re: User authentication for webservices
          Mihai-Oracle

          Hi,

           

          OK, so you want to know, for a user, what responsibility you should use in order to be able to perform the invocation?

           

          Here is an example for the SYSADMIN user:

           

          SELECT usr.user_name, usr.user_id, resp.RESPONSIBILITY_NAME,
                 resp.RESPONSIBILITY_KEY, grp.SECURITY_GROUP_KEY, grp.SECURITY_GROUP_ID,
                 APP.APPLICATION_SHORT_NAME, APP.APPLICATION_ID
          FROM   FND_USER_RESP_GROUPS furg, FND_USER usr, fnd_responsibility_vl resp,
                 FND_SECURITY_GROUPS grp, FND_APPLICATION APP
          WHERE  furg.user_id = usr.user_id
          AND    furg.RESPONSIBILITY_ID = resp.RESPONSIBILITY_ID
          AND    furg.SECURITY_GROUP_ID = grp.SECURITY_GROUP_ID
          AND    furg.RESPONSIBILITY_APPLICATION_ID = APP.APPLICATION_ID
          AND    usr.user_name = 'SYSADMIN';

           

          regards

          Mihai

          • 2. Re: User authentication for webservices
            Rapid Value Solutions

            Hi Mihai,

             

            The query that you provided retrieves the entire set of responsibilities that a user has. But during the call to a login API, the user won't be having any responsibilities to specify in the header part of the SOAP request. In that case, should we be omitting the responsibility header during the login API call?

             

            Thanks,

            Anoop Ramachandran

            • 3. Re: User authentication for webservices
              Mihai-Oracle

              No,

               

              There should be the Header part and you should assign at least one valid responsibility.

              The responsibility you are using to set the context and run the API from sqlplus, the same should be assigned to the user when you invoke the API from WS.

               

              regards

              Mihai

              • 4. Re: User authentication for webservices
                Rapid Value Solutions

                Hi Mihai,

                 

                Thanks for the reply. I have one more doubt regarding the subject. It's about the user login.

                During login, the user will not or cannot have any responsibilities, right? Also, when logging in, we are logging in using default parameters as given below:

                 

                function_id=1032925    resp_id=-1            resp_appl_id=-1              security_group_id=0

                 

                So when writing a login API, I was not able to find the responsibility with id = -1. Can you suggest how Oracle is handling this scenario? In this case, what should be the header responsibility?

                 

                Thanks,

                 

                Anoop