11g AJAX Authentication for WebCenter Portal's REST API and Content

WebCenter Portal's REST API and WebCenter Content provide a great set of web services enabling you to create rich interactive JavaScript components. You can see an example of this at http://www.fishbowlsolutions.com/mobile, and in the "jQuery and UCM – Client Side Ajax UCM Interaction" blog post.

If you don't have SSO enabled, you may have come across an issue interacting with these services. This can be a problem if you are writing JavaScript widgets or hybrid mobile applications for WebCenter Portal that require authentication to access them.

You could present a popup asking the user to re-authenticate; however, this isn't ideal if the user has already authenticated with the portal to access your new JS components.


There are two options available if you don’t use SSO:

1) Enabling AJAX pre-authentication on the WebCenter Portal login page, which will store the authenticated session.
2) Setting up a trust service token and passing it with the authentication request whenever you need to access the services after the user has authenticated.

1. Pre-authenticating against the REST API. 

1.1 Updating the login template for pre-auth.

On the login page, disable the submit event on the form so that it does not authenticate against WebCenter Portal straight away.
Instead, when the user selects the login button:

1. Pass a base64 authentication request to the REST API via AJAX.
2. On a success response, store the REST API security token if needed.
3. Trigger the submit request so that the form post authenticates on WebCenter.
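
The three steps above as an added example (not code from the original post). The `loginForm` id, the `j_username`/`j_password` field names and the helper names are assumptions, the REST call targets the resource index path used for testing in step 2.6, and the HTTPS check is an added guard because a base64 Basic header is readable by anyone on the path.

```javascript
// Added example; helper names, the form id and the field names are assumptions.
const REST_INDEX = '/rest/api/resourceIndex'; // resource index path from step 2.6

// RFC 7617 Basic credentials. Encode as UTF-8 first: btoa() throws on non-Latin1 input.
function basicAuthHeader(username, password) {
  if (username.includes(':')) throw new Error('username must not contain ":"');
  let bin = '';
  for (const b of new TextEncoder().encode(`${username}:${password}`)) {
    bin += String.fromCharCode(b);
  }
  return 'Basic ' + btoa(bin);
}

// Steps 1-3 of section 1.1. Browser pieces are passed in so the flow can be tested.
async function preAuthThenSubmit({ username, password, protocol, fetchFn, submit }) {
  // Base64 is an encoding, not encryption: never send Basic credentials over http:.
  if (protocol !== 'https:') return { ok: false, reason: 'insecure-transport' };
  let res;
  try {
    res = await fetchFn(REST_INDEX, {
      method: 'GET',
      credentials: 'same-origin', // let the browser keep the REST session cookie
      cache: 'no-store',
      headers: { Authorization: basicAuthHeader(username, password) },
    });
  } catch (err) {
    return { ok: false, reason: 'request-failed' }; // network error or rejected input
  }
  if (!res.ok) return { ok: false, reason: `http-${res.status}` }; // e.g. 401 bad login
  submit(); // step 3: form.submit() posts without re-firing the submit event
  return { ok: true, reason: null };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  const form = document.getElementById('loginForm'); // hypothetical form id
  if (form) form.addEventListener('submit', async (ev) => {
    ev.preventDefault(); // hold the portal login until the REST call returns
    const result = await preAuthThenSubmit({
      username: form.elements['j_username'].value, // assumed field name
      password: form.elements['j_password'].value, // assumed field name
      protocol: location.protocol,
      fetchFn: (url, opts) => fetch(url, opts),
      submit: () => form.submit(),
    });
    if (!result.ok) form.dataset.authError = result.reason; // surface in the page UI
  });
}
```

The password is held only for the duration of the call; nothing in the block writes it to storage or logs.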

Here are some code samples for authenticating with either WebCenter Portal or Content via AJAX using jQuery:

WebCenter Portal AJAX REST API Authentication
(with OIT or Username & Password)

WebCenter Content AJAX Authentication
(with OIT or Username & Password)

The WebCenter Content Secure Token Auth requires authentication on http://domain.com/adfAuthentication.

You can also use this to authenticate against the Inbound Refinery (Conversion Server):

http://domain.com/ibr/adfAuthentication

And Universal Records Management:

http://domain.com/urm/adfAuthentication

Whereas User/Pass Auth on the content server is requested via http://domain.com/cs/login/j_security_check.

Here is a simple example of a WebCenter login page that makes an authentication request to the REST API first, before posting the form and logging into WebCenter Portal.

2. Setting up the trust service security token
(Info to set up OIT).

I would recommend setting up the trust token; however, the base64 pre-login authentication above is easier and quicker to set up.

The trust token will be generated once the user has logged in.

2.1. Create keystore

a) cd /opt/oracle/jrmc-4.0.1-1.6.0/bin/
b) keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=domain,dc=com" -alias orakey -keypass myKeyPassword -keystore /opt/oracle/keystore/default-keystore.jks -storepass myKeyPassword -validity 1064
c) keytool -exportcert -v -alias orakey -keystore /opt/oracle/keystore/default-keystore.jks -storepass myKeyPassword -rfc -file /opt/oracle/keystore/orakey.cer
d) keytool -importcert -alias webcenter_spaces_ws -file /opt/oracle/keystore/orakey.cer -keystore /opt/oracle/keystore/default-keystore.jks -storepass myKeyPassword

2.2. Update jps-config.xml

a)

b)

 

2.3. Update credential store

a) In WLST: /opt/oracle/middleware/Oracle_WC1/common/bin/wlst.sh
b) connect()
c) updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="myKeyPassword", desc="Keystore key")
d) updateCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="myKeyPassword", desc="Encryption key")
e) updateCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="myKeyPassword", desc="Signing key")

2.4. Add TrustServiceIdentityAsserter.

a) Console -> Security Realms -> myrealm -> Providers -> New
b) Restart all

2.5. Configure Credential Store

a) In WLST: /opt/oracle/middleware/Oracle_WC1/common/bin/wlst.sh
b) connect()
c) createCred(map="o.webcenter.jf.csf.map", key="keygen.algorithm", user="keygen.algorithm", password="AES")
d) createCred(map="o.webcenter.jf.csf.map", key="cipher.transformation", user="cipher.transformation", password="AES/CBC/PKCS5Padding")

2.6. Test it against the REST API

a) http://www.domain.com/rest/api/resourceIndex

Once set up, create a bean that outputs the token into the page template (i.e. ${fb_rtc_bean.trustServiceToken}) as a JS object so that your JS AJAX requests can reuse it.

You can then use one of the AJAX authentication methods above with ${fb_rtc_bean.trustServiceToken}, reading it from the JS object FB.restInfo.trustServiceToken.

 
