I'm fairly new to Oracle and XDB, and was wondering if it's possible to use XDB Web Services with an application level or Custom Authentication scheme.
I'm using "Oracle Database 11g Release 184.108.40.206.0 - 64bit Production"
Currently I have written a Java Servlet, configured this successfully as per <http://docs.oracle.com/cd/E11882_01/appdev.112/e23094/xdb23jv1.htm#g1050187> and am using a DB id to access the web service using HTTP Basic Auth.
What I'd like to be able to do run this with an Application level credential, i.e. to avoid DB authentication upfront, authenticate within Servlet code and then connect into DB as a generic identity.
I'm currently struggling to achieve this:
1) Using JDBC server-side internal driver I read that connecting with a different id is not supported <http://docs.oracle.com/cd/B28359_01/java.111/b31224/ssid.htm> and other drivers are intended for other purposes.
2) It's not clear (to me) if anonymous access to Servlets is supported - this implies not <http://www.oracle-base.com/articles/11g/native-oracle-xml-db-web-services-11gr1.php#configure_anonymous_access>
Hence I'm wondering if there is an approved way of doing this.
As potential alternatives:
- I have seen reference to XDB Custom Authentication features <XML DB Repository Custom Security but:
a) can't find much documentation and
b) don't know if this is intended to work with servlets or just WebDAV style HTTP operations.
- I am aware that I could host the Java Servlet on another platform (e.g. Tomcat) and connect into Oracle DB with other driver, but I was hoping to do this "within the DB".
- would mod_plsql (and doing Web Services code in PL/SQL) give me a better option.
Thanks for the pointer. Yes, I had seen this, looked at the PDFs and tried to use the doAuthentcation() approach without success.
What isn't clear to me is whether this customAuth scheme is intended to cover Servlets - the docs reference the XDB Repository and mappings appear to refer to documents in the repository (pattern in addAuthenticationMapping()) rather than dynamic URIs (pattern in addServletMapping()).
I tried blending these together but always need an HTTP Basic Auth to access the servlet - even with the doAuthentication() always returning the positive custom_authenticate response as per the example.
If this approach is intended to work on Servlets it would be good to get a pointer to a worked example.
As per the post you linked, documentation is (still) not readily available - if I google "dbms_xdb.enableCustomAuthentication" I get 3 hits and two of which are the PDFs (and the other isn't useful) !.
Hi Can you confirm the return text that the XMLDB custom authentication function has to return?
I've got this:
create or replace function doAuthenticate(URL varchar2, AUTHINFO VARCHAR2) return varchar2
Just to fake a successful application authentication, but the webdav client and browser still says i'm not authenticated for the particular resource ive linked custom authentication to:
I'm running 220.127.116.11
I can confirm i've done:
grant all on doAuthenticate to public;
description=> 'Test authentication method',
exec dbms_xdb.addAuthenticationMapping( PATTERN=>'/repository/test/*', NAME => 'HTTP_REPO2');
When I delete the authentication mapping using exec dbms_xdb.deleteAuthenticationMapping( PATTERN=>'/repository/test/*', NAME => 'HTTP_REPO2') , my normal Oracle user based login works fine, so I know that Oracle is recognising that I want to use the custom auth for this folder, it just doesnt seem to like the response, or maybe it cant find the function, even though it exists and ive ran "grant all on doAuthenticate to public".