5 Replies. Latest reply: Jan 29, 2013 9:53 AM by 538929

Application or Custom Authentication of Web Service requests in XDB Servlet

949766 Newbie
Hello

I'm fairly new to Oracle and XDB, and was wondering if it's possible to use XDB Web Services with an application level or Custom Authentication scheme.

I'm using "Oracle Database 11g Release 11.2.0.1.0 - 64bit Production"

Currently I have written a Java Servlet, configured this successfully as per <http://docs.oracle.com/cd/E11882_01/appdev.112/e23094/xdb23jv1.htm#g1050187> and am using a DB id to access the web service using HTTP Basic Auth.

What I'd like to be able to do is run this with an Application level credential, i.e. to avoid DB authentication upfront, authenticate within Servlet code and then connect into DB as a generic identity.

I'm currently struggling to achieve this:
1) Using JDBC server-side internal driver I read that connecting with a different id is not supported <http://docs.oracle.com/cd/B28359_01/java.111/b31224/ssid.htm> and other drivers are intended for other purposes.
2) It's not clear (to me) if anonymous access to Servlets is supported - this implies not <http://www.oracle-base.com/articles/11g/native-oracle-xml-db-web-services-11gr1.php#configure_anonymous_access>

Hence I'm wondering if there is an approved way of doing this.

As potential alternatives:
- I have seen reference to XDB Custom Authentication features (XML DB Repository Custom Security) but:
a) can't find much documentation and
b) don't know if this is intended to work with servlets or just WebDAV style HTTP operations.
- I am aware that I could host the Java Servlet on another platform (e.g. Tomcat) and connect into Oracle DB with other driver, but I was hoping to do this "within the DB".
- would mod_plsql (and doing Web Services code in PL/SQL) give me a better option.

Any advice appreciated.

Thanks
Dave

Edited by: 946763 on Sep 10, 2012 6:54 AM

  • 2. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
    949766 Newbie
    Marco, hi

    Thanks for the pointer. Yes, I had seen this, looked at the PDFs and tried to use the doAuthentication() approach without success.

    What isn't clear to me is whether this customAuth scheme is intended to cover Servlets - the docs reference the XDB Repository and mappings appear to refer to documents in the repository (pattern in addAuthenticationMapping()) rather than dynamic URIs (pattern in addServletMapping()).

    I tried blending these together but always need an HTTP Basic Auth to access the servlet - even with the doAuthentication() always returning the positive custom_authenticate response as per the example.

    If this approach is intended to work on Servlets it would be good to get a pointer to a worked example.

    As per the post you linked, documentation is (still) not readily available - if I google "dbms_xdb.enableCustomAuthentication" I get 3 hits, two of which are the PDFs (and the other isn't useful)!

    Cheers
    David
  • 3. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
    mdrake Expert
    CustomAuthentication is designed to work with Resources stored in the XML DB repository and protected by XML DB ACLs. Anything else is not covered by the XML Custom Authentication scheme.
  • 4. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
    949766 Newbie
    Hi

    So, as I was suspecting. That's a pity - back to the other options!

    Thanks
    Dave
  • 5. Re: Application or Custom Authentication of Web Service requests in XDB Servlet
    538929 Newbie
    Hi, can you confirm the return text that the XMLDB custom authentication function has to return?

    I've got this:

    create or replace function doAuthenticate(URL varchar2, AUTHINFO VARCHAR2) return varchar2
    is
      V_USERNAME VARCHAR2(300);
      V_PASSWORD VARCHAR2(300);
    begin
      return '<custom_authenticate><user>Marky</user></custom_authenticate>';
    end;

    Just to fake a successful application authentication, but the WebDAV client and browser still say I'm not authenticated for the particular resource I've linked custom authentication to.

    I'm running 11.2.0.3

    I can confirm I've done:

    exec dbms_xdb.enableCustomAuthentication;

    grant all on doAuthenticate to public;

    begin
      dbms_xdb.addAuthenticationMethod(
        NAME => 'HTTP_REPO2',
        description => 'Test authentication method',
        implement_schema => 'FILER',
        implement_method => 'DOAUTHENTICATE',
        language => 'PL/SQL'
      );
    end;

    exec dbms_xdb.addAuthenticationMapping( PATTERN=>'/repository/test/*', NAME => 'HTTP_REPO2');

    When I delete the authentication mapping using exec dbms_xdb.deleteAuthenticationMapping( PATTERN=>'/repository/test/*', NAME => 'HTTP_REPO2'), my normal Oracle user based login works fine, so I know that Oracle is recognising that I want to use the custom auth for this folder; it just doesn't seem to like the response, or maybe it can't find the function, even though it exists and I've run "grant all on doAuthenticate to public".

    I've written it up at my site:

    http://blucel.co.uk/index.php/2013/01/29/oracle-xmldb-custom-authentication-for-webdav-http/

    Any help would be much appreciated

    Thanks
    Mark
