5 Replies Latest reply: Jan 29, 2013 11:53 AM by 538929

    Application or Custom Authentication of Web Service requests in XDB Servlet

    949766
      Hello

      I'm fairly new to Oracle and XDB, and was wondering if it's possible to use XDB Web Services with an application level or Custom Authentication scheme.

      I'm using "Oracle Database 11g Release 11.2.0.1.0 - 64bit Production"

      Currently I have written a Java Servlet, configured this successfully as per <http://docs.oracle.com/cd/E11882_01/appdev.112/e23094/xdb23jv1.htm#g1050187> and am using a DB id to access the web service using HTTP Basic Auth.

      What I'd like to be able to do is run this with an Application level credential, i.e. to avoid DB authentication upfront, authenticate within Servlet code and then connect into DB as a generic identity.

      I'm currently struggling to achieve this:
      1) Using JDBC server-side internal driver I read that connecting with a different id is not supported <http://docs.oracle.com/cd/B28359_01/java.111/b31224/ssid.htm> and other drivers are intended for other purposes.
      2) It's not clear (to me) if anonymous access to Servlets is supported - this implies not <http://www.oracle-base.com/articles/11g/native-oracle-xml-db-web-services-11gr1.php#configure_anonymous_access>

      Hence I'm wondering if there is an approved way of doing this.

      As potential alternatives:
      - I have seen reference to XDB Custom Authentication features (XML DB Repository Custom Security) but:
      a) can't find much documentation and
      b) don't know if this is intended to work with servlets or just WebDAV style HTTP operations.
      - I am aware that I could host the Java Servlet on another platform (e.g. Tomcat) and connect into Oracle DB with other driver, but I was hoping to do this "within the DB".
      - would mod_plsql (and doing Web Services code in PL/SQL) give me a better option.

      Any advice appreciated.

      Thanks
      Dave

      Edited by: 946763 on Sep 10, 2012 6:54 AM

        • 2. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
          949766
          Marco, hi

          Thanks for the pointer. Yes, I had seen this, looked at the PDFs and tried to use the doAuthentication() approach without success.

          What isn't clear to me is whether this customAuth scheme is intended to cover Servlets - the docs reference the XDB Repository and mappings appear to refer to documents in the repository (pattern in addAuthenticationMapping()) rather than dynamic URIs (pattern in addServletMapping()).

          I tried blending these together but always need an HTTP Basic Auth to access the servlet - even with the doAuthentication() always returning the positive custom_authenticate response as per the example.

          If this approach is intended to work on Servlets it would be good to get a pointer to a worked example.

          As per the post you linked, documentation is (still) not readily available - if I google "dbms_xdb.enableCustomAuthentication" I get 3 hits, two of which are the PDFs (and the other isn't useful)!

          Cheers
          David
          • 3. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
            mdrake-Oracle
            CustomAuthentication is designed to work with Resources stored in the XML DB repository and protected by XML DB ACLs. Anything else is not covered by the XML Custom Authentication scheme.
            • 4. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
              949766
              Hi

              So, as I was suspecting. That's a pity - back to the other options!

              Thanks
              Dave
              • 5. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
                538929
                Hi, can you confirm the return text that the XMLDB custom authentication function has to return?

                I've got this:

                create or replace function doAuthenticate(URL varchar2, AUTHINFO VARCHAR2) return varchar2
                is
                  V_USERNAME VARCHAR2(300);
                  V_PASSWORD VARCHAR2(300);
                begin
                  -- Always returns the same fixed user; URL and AUTHINFO are not inspected
                  return '<custom_authenticate><user>Marky</user></custom_authenticate>';
                end;
                /

                Just to fake a successful application authentication, but the WebDAV client and browser still say I'm not authenticated for the particular resource I've linked custom authentication to.

                I'm running 11.2.0.3

                I can confirm I've done:

                exec dbms_xdb.enableCustomAuthentication;

                grant all on doAuthenticate to public;

                begin
                  dbms_xdb.addAuthenticationMethod(
                    NAME             => 'HTTP_REPO2',
                    description      => 'Test authentication method',
                    implement_schema => 'FILER',
                    implement_method => 'DOAUTHENTICATE',
                    language         => 'PL/SQL'
                  );
                end;
                /

                exec dbms_xdb.addAuthenticationMapping( PATTERN=>'/repository/test/*', NAME => 'HTTP_REPO2');

                When I delete the authentication mapping using exec dbms_xdb.deleteAuthenticationMapping( PATTERN=>'/repository/test/*', NAME => 'HTTP_REPO2'), my normal Oracle user based login works fine, so I know that Oracle is recognising that I want to use the custom auth for this folder, it just doesn't seem to like the response, or maybe it can't find the function, even though it exists and I've run "grant all on doAuthenticate to public".

                I've written it up at my site:

                http://blucel.co.uk/index.php/2013/01/29/oracle-xmldb-custom-authentication-for-webdav-http/

                Any help would be much appreciated

                Thanks
                Mark