Different Response Code Headers Returned When Testing A SOAP Service As Opposed To A REST Service When Using OWSM Authorization Policies (Doc ID 2245279.1)

Last updated on FEBRUARY 06, 2024

Applies to:

Symptoms

Testing is being performed using two different applications in 12c.  One application uses a SOAP based service and the other uses a REST based service.

When testing these services with attached authentication and authorization OWSM policies with an invalid user (one that does not exist in the system at all), the SOAP service returns a response code in the raw response as : "HTTP/1.1 401 Unauthorized" as expected.  
When invoking the service with an unauthorized user, the response code is: "HTTP/1.1 500 Internal Server Error". 
Along with this header, a fault is returned indicating the user is forbidden.  Again, this would be what is expected.

When testing the REST service, the unauthorized user returns the "HTTP/1.1 401 Unauthorized" as expected as well, but the invalid user returns the same "HTTP/1.1 401 Unauthorized" response, which would not be correct.

Based on the HTTP response code, the SOAP message returns a signal that can be used to identify whether a user is invalid or unauthorized.  When invoking the REST service with an invalid user or an unauthorized user, the same response code is returned, so there is no way of distinguishing between the two in that scenario.

It is necessary to have the REST service act similar to the SOAP service in returning the signal for the unauthorized user.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.