09-08-2012, 12:38 PM
Web Services Security and Session Management
Web Services Security and Session Management.ppt (Size: 544 KB / Downloads: 42)
Module Objectives
After completing this module you will be able to:
Understand Web Services Security
Establish and manage the Web Services Session
Describe Server-Side Session Management
Describe Client-Side Session Management
Define Stateful Login Mechanisms
Describe Logging Out of the Web Services Session
Why you need to know:
A Web services-enabled client (that is, a client written in any language that interacts with the Web services framework) must establish a secure session with Oracle CRM On Demand
Web Services Security
Oracle CRM On Demand Web Services Integration framework includes the following security features:
All communications are encrypted with Secure Sockets Layer (SSL) for security (minimum 128-bit)
Access is session-based, requiring authorization with a valid Oracle CRM On Demand user name and password, or an SSO token
Inactive sessions are reused or closed automatically after a period of inactivity
Data visibility and access are restricted by the role that your company assigns. Permissions are checked for every data access
A full audit trail of Web services activity is available through Oracle CRM On Demand's Administration pages
WS-I Basic Security Profile Version 1.0
WS-I Basic Security Profile Version 1.0 describes the set of parameters used to authenticate a Web services transaction
Oracle CRM On Demand has implemented support for the Username and PasswordType parameters, which are part of the UserNameToken standards
This allows a username and password to be passed with a SOAP request, which removes the necessity for a separate login operation
Server-Side Session Management
Interactive applications can be developed such that a user's credentials are supplied within a request sent to Oracle CRM On Demand, eliminating the need for an explicit login request
If the request qualifies as a stateless request, the Oracle CRM On Demand server checks to see whether a session has already been established for that user
If a session is found, it is re-used for the new request
If no existing session is found for the user, a new session is established
Each user is limited in the number of concurrent sessions that they can establish
Client-Side Session Management
Web services session management is HTTP-based and uses a session ID (also known as a JSESSIONID)
Oracle CRM On Demand Web Services enable session management by first creating a session using the login call, which is then referenced in any subsequent SOAP operations
In an Oracle SOAP session, after a session ID has been created in a login request, it can be referenced in one of these ways:
The session ID can be attached as a parameter to the URL request line
The session ID can be part of the cookie header line
Stateful Login Mechanisms
The following mechanisms are used for logging in and making integration requests when stateful Web services requests are made
Logging in Using HTTP GET
Login Input
Login Output
Logging in Using Single Sign-On
Outbound SSO Methods
Integration Requests for the Web Services Session
Logging in Using HTTP GET
An HTTPS request can be used to instantiate an Oracle CRM On Demand Web services session and obtain a valid session ID
Client invokes login by sending an HTTP GET request to a URL like the following:
https://secure-ausomx[ENV].crmondemandServices/Integration?command=login
Where [ENV] is the three-letter identifier for your company’s environment
Note: The login parameter value is case sensitive
Logging in Using HTTP GET - Login Input
The login input differs depending on whether the HTTP headers are URL encoded using UTF-8
The input to login is provided in the URL parameters and the HTTP headers, as follows:
Two URL parameters:
command, which has the value login
isEncoded, which is used if the HTTP headers are URL encoded using UTF-8.
Two HTTP headers, UserName and Password, must be set with the appropriate values for your system. For example:
UserName: johndoe@email.com
Password: mypass
The HTTP headers can be in clear text, or can be URL encoded
Logging in Using HTTP GET - Login Output
The login command returns the following items:
A session cookie, JSESSIONID
The client must use this cookie when submitting subsequent requests, including logoff requests
A status code of 200
If the request does not encounter any errors, this status indicates that the request succeeded
Single Sign-On
The Single Sign-On (SSO) feature of CRM On Demand allows companies to integrate the hosted Oracle CRM On Demand service with other systems that have the ability to manage user credentials and authentication
Goals of SSO
Usability:
When users move between applications, they don’t need to sign on at each site where they have an account
Security:
One identity management system for all applications means one security policy, one set of user credentials
Management:
IT departments prefer to manage only one user identity (credentials) per user
Logging in Using Single Sign-On
If your company has been set up to use SSO for Oracle CRM On Demand, the following steps are used to log in and retrieve the session ID
The Web service client makes a request with the following command specifying the SSO Company Identifier
https://server/Services/Integration?comm...any-sso-id
The server returns the SSO ITS URL in the "X-SsoItsUrl" HTTP header of the response
The Web service makes a request with the ITS URL and retrieves a session ID
Logging in Using Single Sign-On - Outbound SSO
Allows users who have signed into Oracle CRM On Demand using SSO to pass the SSO credentials from Oracle CRM On Demand to third-party sites such as corporate Web pages or intranets
This allows users to embed or access third-party sites from within Oracle CRM On Demand
Outbound SSO in Oracle CRM On Demand uses a proprietary method to generate a hash-based message authentication code (HMAC) token that is passed to the third-party site
This third-party site makes a request back to Oracle CRM On Demand with the token
Oracle CRM On Demand then validates the token and provides a username back to the third-party site, or authenticates the token and provides a session ID to the user
Logging in Using Single Sign On - Outbound SSO Methods
Two methods are available as part of outbound SSO:
SSO Token Validation: The following steps are used to validate an SSO token:
The third-party application makes a request with the following command specifying the SSO token
https://server/Services/SSOTokenValidate?odSsoToken="ssotoken value"
The server returns the username in the response
Logging in Using Single Sign-On - Outbound SSO Methods
Login using SSO Token: The following steps are used to obtain a session ID using the SSO token:
The third-party application makes a request with the following command specifying the SSO token
https://server/Services/Integration?comm...odSsoToken="ssotoken value"
The server returns the session ID in the response, which is used for access to data within Oracle CRM On Demand
Integration Requests for the Web Services Session
An integration request is an HTTPS request to invoke a Web service to perform data creation, retrieval, update, and deletion operations
An integration request is made by an HTTP POST command to a URL like the following:
https://secure-ausomx[ENV].crmondemandServices/Integration/object
Integration request input:
The JSESSIONID returned to the client during login must be included with the request
https://secure-ausomx[ENV].crmondemandServices/Integration/object;jsessionid=xyZ12489w3482413
Integration request output:
The properties returned by the HTTP server populate the response headers and the response body
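An added example (not code from the slides or from Oracle) that ties the HTTP GET login described above to the integration request: it builds the login request with optional UTF-8 URL-encoded UserName/Password headers, extracts the JSESSIONID from a constructed login response, and attaches the session ID to a follow-up request either as a Cookie header or on the URL request line, the two referencing methods given under Client-Side Session Management. The host name, the isEncoded value Y, and the ;jsessionid= path-parameter form are assumptions; the session ID value is the slides' own sample.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote, urlencode, urlsplit

HOST = "secure-ausomxENV.example.invalid"  # placeholder, not a real environment host

def build_login_request(username, password, url_encode=False):
    """Return (method, url, headers) for the HTTP GET login. With url_encode=True
    the header values are UTF-8 URL encoded and isEncoded tells the server so."""
    params = {"command": "login"}            # parameter value is case sensitive
    if url_encode:
        params["isEncoded"] = "Y"            # assumed value; slides name only the parameter
        username = quote(username, safe="")  # quote() percent-encodes as UTF-8
        password = quote(password, safe="")
    url = f"https://{HOST}/Services/Integration?{urlencode(params)}"
    return "GET", url, {"UserName": username, "Password": password}

def parse_login_response(status, headers):
    """Pull JSESSIONID out of the login response's Set-Cookie headers.
    Anything but a 200 carrying a session cookie is treated as a failed login."""
    if status != 200:
        raise PermissionError(f"login failed with HTTP status {status}")
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    if "JSESSIONID" not in jar:
        raise ValueError("login response carried no JSESSIONID cookie")
    return jar["JSESSIONID"].value

def build_integration_request(session_id, obj, via="cookie"):
    """Reference the session on a follow-up POST either in the Cookie header
    or on the URL request line (assumed ;jsessionid= path-parameter form)."""
    url = f"https://{HOST}/Services/Integration/{obj}"
    headers = {"Content-Type": "text/xml; charset=UTF-8"}
    if via == "cookie":
        headers["Cookie"] = f"JSESSIONID={session_id}"
    elif via == "url":
        url += f";jsessionid={session_id}"
    else:
        raise ValueError(f"unknown session reference method: {via}")
    return "POST", url, headers

def uses_tls(url):
    """Credentials and session IDs must only ever travel over HTTPS."""
    return urlsplit(url).scheme == "https"

# Constructed login response headers, using the slides' sample session ID.
SAMPLE_LOGIN_HEADERS = [("Set-Cookie", "JSESSIONID=xyZ12489w3482413; Path=/; Secure; HttpOnly")]
```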