Last updated on MARCH 21, 2017
Applies to:Oracle Web Services Manager - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
Testing is being performed using two different applications in 12c. One application uses a SOAP based service and the other uses a REST based service.
When testing these services with attached authentication and authorization OWSM policies with an invalid user (one that does not exist in the system at all), the SOAP service returns a response code in the raw response as : "HTTP/1.1 401 Unauthorized" as expected.
When invoking the service with an unauthorized user, the response code is: "HTTP/1.1 500 Internal Server Error".
Along with this header, a fault is returned indicating the user is forbidden. Again, this would be what is expected.
When testing the REST service, the unauthorized user returns the "HTTP/1.1 401 Unauthorized" as expected as well, but the invalid user returns the same "HTTP/1.1 401 Unauthorized" response, which would not be correct.
Based on the HTTP response code, the SOAP message returns a signal that can be used to identify whether a user is invalid or unauthorized. When invoking the REST service with an invalid user or an unauthorized user, the same response code is returned, so there is no way of distinguishing between the two in that scenario.
It is necessary to have the REST service act similar to the SOAP service in returning the signal for the unauthorized user.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
Million Knowledge Articles and hundreds of Community platforms