
Monday, 14 September 2009

Web Services Security in OFM 11g R1

I ran through 2 good blog entries on securing web services from JDeveloper 11g onto WLS 11g R1. Both of these are great starting points for that and worked well. It saves a lot of time when it's all laid out step by step.

http://one-size-doesnt-fit-all.blogspot.com/2009/08/one-way-ssl-with-jax-ws-using.html

http://kingsfleet.blogspot.com/2009/01/security-policy-worked-example.html

I always create my WLS domains with Fusion Middleware Control added, and that then gives you the ability to test the web service from a browser, as well as view some runtime statistics for the web service itself, when logging into the "/em" application installed in the admin server.

The blog entry showing how to install Fusion Middleware Control into a WLS 11g R1 domain is as follows. I even started deploying from that application rather than using the traditional console application.

http://theblasfrompas.blogspot.com/2009/07/installing-adf-runtime-on-oracle-fusion.html

So, in short:

1. Log into em using a URL of the following form:

http://{server}:{adminserverport}/em

2. Click on your web service application.
3. If web services do exist in the application, you will see a web services table and a "Java EE Web Services" tab, as shown below.

[Screenshot: Fusion Middleware Control web services table and "Java EE Web Services" tab]

4. Click on the "Test" icon to test your web service.

Wednesday, 25 March 2009

Providing logout functionality for Secure OC4J Apps in 10.1.3.x

I recently had to determine how to log out of an OC4J 10.1.3.x application which was secured against a 3rd party LDAP server, using HTTP Basic authentication. Normally, for web-based applications, you can control when to log out by calling invalidate() on the HttpSession object, as shown below, or wait until the session times out, which it will then do for you automatically.

HttpSession.invalidate()


The problem here is that when using HTTP Basic authentication, browsers typically 'cache' the HTTP Basic credentials and re-send them whenever the server challenges for them again. Invalidating the session therefore does not end the login: the very next request to a protected resource carries the cached Authorization header, the container re-authenticates it, and the user is silently logged back in.

Specifying FORM as the authentication scheme in web.xml (along with HttpSession.invalidate()) addresses this issue, providing a logout link that gives you control over when your user wants to log out. The authentication scheme chosen depends on your requirements, so if logout isn't important then HTTP Basic will do, but typically I would expect HTTP Basic to be used very rarely.
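As an added example (not code from the original post), here is a logout servlet for a FORM-authenticated Servlet 2.4 web application such as one deployed on OC4J 10.1.3.x; the web.xml login-config it relies on is shown in the header comment, and the package name, class name, page paths and the /logout mapping are assumed placeholders.

```java
// Added example: logout servlet for a FORM-authenticated Servlet 2.4 app.
// Assumed web.xml login-config (the page paths are placeholders); map this
// servlet to a URL such as /logout and point the logout link at it:
//
//   <login-config>
//     <!-- BASIC would let the browser re-send its cached credentials after
//          invalidate(), so the user would be silently logged back in. -->
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/loginError.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) avoids creating a fresh session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // With FORM auth the container ties the authenticated principal to
            // the session, so invalidating it ends the login. With BASIC auth
            // the browser would simply replay its cached Authorization header.
            session.invalidate();
        }
        // Keep browser and proxy caches from serving a protected page after logout.
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setHeader("Pragma", "no-cache");
        // Send the user to a public page (placeholder path); the next request to
        // a protected resource will show the form-login-page again.
        response.sendRedirect(request.getContextPath() + "/loggedOut.jsp");
    }
}
```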