The objective of this blog is to demonstrate how to invoke secured RestFul web services from Fusion Cloud using Oracle Service Oriented Architecture (SOA) as an Integration hub for real time integration with other clouds and on-premise applications. SOA could be on-premise or in the cloud (PAAS). The SOA composites deployed in on-premise SOA can be migrated to SOA in cloud.

What is REST?

REST stands for Representational State Transfer. It ignores the details of implementation and applies a set of interaction constraints. The web service APIs that adhere to the REST Architectural constraints are called RestFul. The HTTP based RESTFul APIs area defined with the following aspects:

Exactly one entry point – For example: http://example.com/resources/
Support of media type data – JavaScript Object Notation (JSON) and XML are common
Standard HTTP Verbs (GET, PUT, POST, PATCH or DELETE)
Hypertext links to reference state
Hypertext links to reference related resources

Resources & Collections

The Resources can be grouped into collections. Each collection is homogeneous and contains only one type of resource. For example:

<tbody>
<tr style="border-color: #000000;">
<td>URI</strong></td>
<td><strong>Description</strong></td>
<td><strong>Example</strong></td>
</tr>
<tr>
<td>/api/</td>
<td>API Entry Point</td>
<td>/fusionApi/resources</td>
</tr>
<tr>
<td>/api/:coll/</td>
<td>Top Level Collection :coll</td>
<td>/fusionApi/resources/department</td>
</tr>
<tr>
<td>/api/:coll/:id</td>
<td>Resource ID inside Collection</td>
<td>/fusionApi/resources/department/10</td>
</tr>
<tr>
<td>/api/:coll/:id/:subcoll</td>
<td>Sub-collection</td>
<td>/fusionApi/resources/department/10/employees</td>
</tr>
<tr>
<td>/api/:coll/:id/:subcoll/:subid</td>
<td>Sub Resource ID</td>
<td>/fusionApi/resources/department/10/employees/1001</td>
</tr>
</tbody>


Invoking Secured RestFul Service using Service Oriented Architecture (SOA)

SOA 12c supports REST Adapter and it can be configured as a service binding component in a SOA Composite application. For more information, please refer to this link. In order to invoke a secured RestFul service, Fusion security requirements must be met. These are the following requirements: Fusion Applications Security

All external URLs in the Oracle Fusion Cloud, for RESTful Services, are secured using Oracle Web Security Manager (OWSM). The server policy is “oracle/http_jwt_token_client_policy” that allows the following client authentication types:

HTTP Basic Authentication over Secure Socket Layer (SSL)
Oracle Access Manager(OAM) Token-service
Simple and Protected GSS-API Negotiate Mechanism (SPNEGO)
SAML token


JSON Web Token (JWT) is a light-weight implementation for web services authentication. A client having valid JWT token is allowed to call the REST service until it expires. The OWSM existing policy “oracle/wss11_saml_or_username_token_with_message_protection_service_policy” has the JWT over SSL assertion. For more information, please refer to this.

The client must provide one of the above policies in the security headers of the invocation call for authentication. In SOA, a client policy may be attached from Enterprise Manager (EM) to decouple it from the design time.

Fusion Security Roles
The user must have appropriate Fusion Roles including respective data security roles to view or change resources in Fusion Cloud. Each product pillar has respective roles. For example in HCM, a user must have any role that inherits the following roles:

HCM REST Services Duty – Example: “Human Capital Management Integration Specialist”
Data security Roles that inherit “Person Management Duty” – Example: “Human Resource Specialist – View All”

Design SOA Code using JDeveloper
In your SOA composite editor, right-click the Exposed Services swimlane and select Insert > REST. This action adds REST support as a service binding component to interact with the appropriate service component.
This the sample SOA Composite with REST Adapter using Mediator component (you can also use BPEL):