
26-2 Oracle Fusion Middleware Administrators Guide for Oracle WebCenter

26.2 Performing Required Manual Configurations to Enable REST

The WebCenter REST services are not enabled by default. To enable the REST services to work, you must perform a manual configuration procedure. This procedure prepares the credential store to handle encrypted security tokens. For detailed information on the required configuration steps, see "Before Using REST: Perform This Required Manual Configuration" in the Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.

26.3 Understanding Security Tokens

A user-scoped security token is embedded in the href and template attributes of every REST service URI. The token is both generated and validated by the server. The purpose of the security token is to prevent Cross-Site Request Forgery (CSRF) attacks. For example:

    <link
      template="opaque-template-uri/@me?startIndex={startIndex}&itemsPerPage={itemsPerPage}&token=generated-token"
      resourceType="urn:oracle:webcenter:messageBoard"
      href="opaque-uri/@me?token=generated-token"
      capabilities="urn:oracle:webcenter:read"
    />

Security tokens are based on the authenticated user's name. They do not expire, making it possible to both cache and bookmark the URIs.

Security tokens are also salted, a cryptographic technique of adding extra characters to a string before encrypting it. Because of salting, if a security token is compromised, you do not have to change the user's user name across the entire system to address the problem.

For more information on security tokens, see "Security Considerations for WebCenter REST APIs" in the Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.
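The token properties described above, as an added example that is not Oracle's code and not WebCenter's actual token scheme: a server-side sketch of generating and validating a salted, non-expiring, user-scoped URI token, showing why rotating the salt retires a compromised token without renaming the user. It assumes HMAC-SHA256 over the salt and user name in place of the encryption the guide mentions; `TokenService`, the key, the user names and the URI are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class TokenService:
    """Hypothetical token issuer/validator (not a WebCenter API)."""
    def __init__(self, key: bytes):
        self._key = key      # server-side secret, never sent to clients
        self._salts = {}     # user name -> current per-user salt

    def _salt(self, user: str) -> bytes:
        return self._salts.setdefault(user, secrets.token_bytes(16))

    def token_for(self, user: str) -> str:
        # Assumption: HMAC-SHA256 over salt + user name. No timestamp is mixed
        # in, so the token never expires and the URI stays bookmarkable.
        msg = self._salt(user) + b"\x00" + user.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def href(self, base_uri: str, user: str) -> str:
        # Embed the token the way the href/template attributes carry it.
        return base_uri + "?" + urlencode({"token": self.token_for(user)})

    def validate(self, uri: str, session_user: str) -> bool:
        # The token authenticates no one: session_user comes from the session.
        presented = parse_qs(urlsplit(uri).query).get("token", [""])[0]
        expected = self.token_for(session_user)
        return hmac.compare_digest(presented.encode(), expected.encode())

    def rotate_salt(self, user: str) -> None:
        # Response to a leaked token: new salt, same user name.
        self._salts[user] = secrets.token_bytes(16)


def demo() -> dict:
    svc = TokenService(key=secrets.token_bytes(32))
    base = "https://example.invalid/rest/api/resource"  # constructed URI
    alice = svc.href(base, "alice")
    results = {
        "own_token": svc.validate(alice, "alice"),
        "other_users_token": svc.validate(alice, "bob"),
        "request_without_token": svc.validate(base, "alice"),
    }
    svc.rotate_salt("alice")
    results["old_token_after_rotation"] = svc.validate(alice, "alice")
    results["new_token_after_rotation"] = svc.validate(svc.href(base, "alice"), "alice")
    return results
```

Calling `demo()` returns the outcome of each check; only the user's own current token validates, and the token issued before `rotate_salt` stops validating.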

26.4 Configuring a Proxy Server

This section explains how to set up a simple, response-rewriting reverse HTTP proxy on an Apache server. A proxy server is typically employed to avoid cross-domain request problems associated with making XMLHttpRequest (XHR) calls from a browser client. These calls are typically associated with the Ajax development technique for creating rich, interactive client-side interfaces. REST APIs are typically used within this kind of client-side development scenario.

Note: The security token is not used for authentication or identity propagation.

The basic steps for setting up a proxy server on Apache are:

1. Obtain access to an Apache server. Oracle recommends Apache 2.2.7 or a later version.

2. Make sure the server has the mod_substitute module installed. Note that Apache versions 2.2.7 and later include mod_substitute by default. It is also possible to use mod_sed or mod_line_edit; however, these configurations are not supported by Oracle.

3. Open the httpd.conf or the virtual host config file, and add the following lines, substituting your server name/information where appropriate:

    ProxyRequests Off
    LoadModule substitute_module modules/mod_substitute.so
    SetOutputFilter SUBSTITUTE
    ProxyPass /rest/api/ http://myhost:8888/rest/api/
    ProxyPassReverse /rest/api/ http://myhost:8888/rest/api/
    Substitute s|myhost|yourhost|n
    ProxyPass /rpolk/rest/api/ http://myhost:8888/rest/api/
    ProxyPassReverse /rpolk/rest/api/ http://myhost:8888/rest/api/
    Substitute s|myhost:8888/rest/api|yourhost/rpolk/rest/api|n

4. Restart the Apache server. For example, on Linux, you could do this:

    sudo /etc/init.d/httpd restart

Note that on some configurations of Linux, proxying with Apache in this fashion requires that you tell SELinux to allow outbound connections from httpd. You can accomplish this by enabling the httpd_can_network_connect flag in SELinux's GUI or through the command line.

Note: This section illustrates a simple example of setting up a proxy server on Apache. For more detailed information, refer to the Apache Server documentation available at http://httpd.apache.org/docs/. You can also use Oracle HTTP Server (OHS) for your proxy server. For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.

Note: Two servers are being proxied in this example scenario. Note that the following two calls are actually talking to these two different servers, but they appear to clients to be the same server host:

    http://myhost/rest/api/resourceIndex
    http://myhost/rpolk/rest/api/resourceIndex

Developer Tip: Set the UserDir permissions in httpd.conf to allow users to drop these files in their own public_html directory. For example, you might hit http://host/~yourname/sample.html to access your sample application, and then have the sample application make XHR calls to http://host/rest/api/resourceIndex.