4 Replies Latest reply: Sep 20, 2013 2:49 PM by 911738

    REST Security


      I am using the Listener 2.0 and am trying to apply some security to my REST web services. I am using the seeded "hr" sample web service, and have created a RESTful security privilege which is attached to the Application Express group "RESTful Services".

      My testuser (rest1) has been granted the role RESTful Services.

      Without the "Required privilege" for the RESTful service module, it works fine.
      When I apply the security by filling in the "Required privilege" I get the 401 error (which is fine when not logged into APEX).

      However being logged in as an Application Express user (rest1), I still get the HTTP 401 error.

      Have I misunderstood the security concept of the REST services, or can anybody help with this issue?

      Note: I have tried calling the REST service using JavaScript ($.ajax(...)), and also using the link to the web service in an iframe on the first APEX page. But no luck (HTTP 401).

      Best Regards
      Martin Nielsen

      Edited by: martinbn on Apr 7, 2013 8:24 PM
        • 1. Re: REST Security

          I've been trying to find an answer for this very same question.


          I've set up the correct RESTful Service Privilege, which is selected in the "Required privileges" drop-down; the user used for testing is assigned to the group belonging to this same Service Privilege. (Basically what the post above explained.)


          What authentication scheme does the RESTful Service module use with a set-up like this? I cannot get past the 401 page. How exactly are we supposed to pass on authentication data when consuming a RESTful Service with 'Required privilege' enabled? There seems to be no documentation for this particular case.



          • 2. Re: REST Security


            I have the same problem ... did someone find a solution?


            • 3. Re: REST Security

              This is documented in restful_services_devguide.html, which apparently isn't available online. It comes with the APEX Listener installation, I believe.


              The gist of it is:


              - Create a user belonging to the OAuth 2.0 Client Developer group

              - That user can now register a third-party application at the URL http(s)://server:port/apex/<workspace>/ui/oauth2/clients/

              - Once registered, one can obtain an access token at https://server:port/apex/<workspace>/oauth2/auth?response_type=token&client_id=CLIENT_IDENTIFIER&state=STATE. The application is responsible for providing the state string, which should be randomly generated to prevent CSRF.

              - Once you have the token, you can query the protected web service by supplying the request header "Authorization: Bearer ACCESS_TOKEN"

              • 4. Re: REST Security

                OK, I just want to secure RESTful services. How do I achieve this?


                I have 400 users. Using custom login.


                We want to create a native mobile app that has access to RESTful services.