7 Replies Latest reply on Apr 20, 2017 9:58 AM by Pavel_p

    Invoke REST service protected by Required Privilege

    Pavel_p

      Hello everybody,

This is a follow-up to this thread: Apply Authentication on RESTful (GET, POST) resource handlers.

Please, does anybody know how to invoke a REST service that requires a privilege? I created a showcase on apex.oracle.com

      workspace: testing

      user: test (workspace admin)

      pwd: test

There is a REST service "secured_emp" that requires a privilege. I created a Privilege (secemp_priv) and a secemp_svc_caller group, and my app user test is a member of secemp_svc_caller.

Then I created an application, Application 105217 - sec_emp, and in the shared components there is a web service reference to my protected endpoint. Then I created a page 2 based on this web service reference, and I'm able to invoke the service until I secure it by assigning a Required Privilege.

Please, is anybody able to tell me what I'm missing and get it running? I'm getting 401 Unauthorized no matter what I try.

      Thanks a lot,

      Pavel

        • 1. Re: Invoke REST service protected by Required Privilege
          Peter de Vaal

          If you try the REST URL from a browser you should get a login page.

Note however that you cannot use the authentication when the RESTful service is in APEX. You should move it to ORDS (by enabling a schema for REST, creating the RESTful module in that schema, and then using the schema name instead of the workspace name in the URL).

          And of course it depends on how you run ORDS. If it is on GlassFish or WebLogic you should create the user through the administration console of the application server, and assign the privilege name explicitly to that user.

          • 2. Re: Invoke REST service protected by Required Privilege
            Pavel_p

            Hi Peter,

I created a simple and clear showcase on apex.oracle.com and shared developer/admin credentials, so if you can invoke the protected service, I would be more than grateful. I mean really, really grateful, because I've already lost quite a lot of time with absolutely no result. I don't want to move my service anywhere. I have an option to define (protected) REST services in APEX, so I would prefer to keep everything in one place.

Unfortunately I'm not sure if I fully understand your statement "Note however that you cannot use the authentication when the RESTFul service is in APEX." So you are saying that "Required Privilege" in the service definition in APEX is just there to confuse developers and in fact it does not work?

            Thank you,

            Pavel

            • 3. Re: Invoke REST service protected by Required Privilege
              Peter de Vaal

              Pavel,


I have been wrestling with the same problem. I have read somewhere (though I cannot find the reference anymore) that basic authentication cannot be used when the RESTful module is defined in APEX (you can use OAuth authentication though), so I moved it to ORDS.


Moving to ORDS is not very difficult. If you use SQL Developer 4.2 then it is easy. Just enable a schema for REST, then define the module from the REST Data Services node in the object browser, just as you did in APEX. In my opinion this is a better place, because the REST services have little to do with APEX after all. It is more on the level of the definition of database packages, and I do not maintain these in APEX either.


              Peter

              • 4. Re: Invoke REST service protected by Required Privilege
                Pavel_p

                Hi Peter,

I know there are some options in SQL Developer and it probably somehow works; I just wanted to know how it works (or how it's supposed to work) in APEX. In fact, since I need XML support, I cannot use ORDS for anything more serious, and I just wanted to define a few service endpoints in APEX for very basic data exchange. But I don't (and cannot) expose them freely, so I was curious how it works in APEX.

This question was mainly intended to be clarified by the APEX team, since there seems to be no one who can make things clear.

                Regards,

                Pavel

                • 5. Re: Invoke REST service protected by Required Privilege
                  Pavel_p

                  Hello APEX team,

Please, could anybody make it clear how this works in APEX? joelkallman-Oracle, Patrick Wolf-Oracle, I'm sorry for addressing you directly this way. I understand that you have other things to do, but there seems to be a lack of documentation and examples, so this question does not seem to be solvable without APEX team support.

                  Thanks a lot,

                  Pavel

                  • 6. Re: Invoke REST service protected by Required Privilege
                    Patrick Wolf-Oracle

                    Hi Pavel,


You might want to have a look at the REST Data Services Developer's Guide.


Please be aware that if you use First Party Authentication (done by using the current APEX session) there are a number of restrictions you have to be aware of.

1. The logged-in application user has to be assigned to the SAME user group as the secured REST module.
2. The REST module has to be defined in the SAME workspace as your running application.
3. For each REST call you have to specify the Apex-Session HTTP header variable as described in the link above.
4. As part of the REST call, the current APEX session cookie has to be sent. PLEASE NOTE: This is only done automatically if you perform an Ajax call from the browser. If you perform server-side REST calls, this is NOT automatically included and would have to be done manually.


May I ask what your goal is? What is the benefit of calling a REST module from your APEX application which is defined in the same workspace, rather than just querying the data as part of your APEX application? That's a lot faster, more secure, ...


If you want to read data from a remote server, you can't use First Party Authentication and have to go for OAuth authentication.


                    Regards

                    Patrick

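Restrictions 3 and 4 above are the ones a server-side caller (such as an APEX web service reference, which runs in PL/SQL, not in the browser) has to satisfy by hand. The following PL/SQL block is an added illustration, not code from this thread or from Oracle: it sets the Apex-Session header and forwards the current session cookie on an APEX_WEB_SERVICE call. It assumes the default session cookie name ORA_WWV_APP_<app id> (the authentication scheme can override it), assumes the header value format "<app id>,<session id>", and uses a placeholder endpoint URL.

```sql
DECLARE
  -- Assumption: the app's session cookie uses the APEX default name.
  c_cookie_name CONSTANT VARCHAR2(100) := 'ORA_WWV_APP_' || v('APP_ID');
  -- Placeholder endpoint, not the thread's real URL.
  c_url         CONSTANT VARCHAR2(400) := 'https://apex.example.com/ords/testing/secured_emp/';
  l_cookie      owa_cookie.cookie;
  l_response    CLOB;
BEGIN
  apex_web_service.g_request_headers.DELETE;

  -- Restriction 3: identify the calling APEX session (assumed format "<app id>,<session id>").
  apex_web_service.g_request_headers(1).name  := 'Apex-Session';
  apex_web_service.g_request_headers(1).value := v('APP_ID') || ',' || v('APP_SESSION');

  -- Restriction 4: a server-side call carries no browser cookies, so read the
  -- session cookie from the incoming request and forward only that one cookie.
  l_cookie := owa_cookie.get(c_cookie_name);
  IF l_cookie.num_vals = 0 THEN
    raise_application_error(-20001, 'No APEX session cookie ' || c_cookie_name || ' on this request');
  END IF;
  apex_web_service.g_request_headers(2).name  := 'Cookie';
  apex_web_service.g_request_headers(2).value := c_cookie_name || '=' || l_cookie.vals(1);

  l_response := apex_web_service.make_rest_request(
                  p_url         => c_url,
                  p_http_method => 'GET');

  -- The same symptom as in the thread: header or cookie missing, or the
  -- logged-in user not in the group the privilege is assigned to.
  IF apex_web_service.g_status_code = 401 THEN
    raise_application_error(-20002, 'REST call rejected with 401 Unauthorized');
  END IF;

  apex_debug.message('secured_emp response: %0', dbms_lob.substr(l_response, 2000, 1));
END;
```

Run it as a page process in the same workspace as the module while logged in as a user in the privilege's group; if it still returns 401, check the cookie name configured in the authentication scheme before anything else.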
                    • 7. Re: Invoke REST service protected by Required Privilege
                      Pavel_p

                      Hi Patrick,

Thank you for the comprehensive answer and the link to the right document (I must have missed this one). However, the sad truth is that I'm still missing something and getting 401 Unauthorized.

                      Step by step verification:

1. The logged-in application user has to be assigned to the SAME user group as the secured REST module.

I created a group secemp_svc_caller, and my user TEST has a secemp_svc_caller group assignment. The REST service module is assigned the secemp_priv privilege, which has Assigned Groups secemp_svc_caller.

2. The REST module has to be defined in the SAME workspace as your running application.

                      Application 105217 - sec_emp and the REST module are both defined in my TESTING workspace on AOC.

3. For each REST call you have to specify the Apex-Session HTTP header variable as described in the link above.

In Shared Components => Web Service References I added an Apex-Session HTTP Request Header. This header is computed as a PL/SQL expression :app_id || ', ' || :app_session (on page 5, which was created using the Form & Report on Web Service wizard).

4. As part of the REST call, the current APEX session cookie has to be sent. PLEASE NOTE: This is only done automatically if you perform an Ajax call from the browser. If you perform server-side REST calls, this is NOT automatically included and would have to be done manually.

I'm not sure what exactly this means, and this is probably the point I'm still missing. Please, could you be a bit more specific about this point? Also, I'm not sure what exactly "Ajax call from the browser" means in this context.

                      Please, could you take a brief look at my app? I must be missing something obvious but I really have no idea what it is.


And what my goal is... I just wanted to figure out how service protection works, so I created a REST service and a client with the tools offered on AOC. I completely agree that it has no real benefit, since querying data the standard way has all the advantages you've already named. So my goal was to invoke the service with the APEX client first (because I expected it would be the easiest method) and then try to do the same with different clients.

But if I get it right (and please, correct me if I'm wrong), it's not possible to use this kind of authentication from third-party clients, and we also both agreed that it does not make sense to call such a service from a local APEX application, so what's the purpose of the service protection?

                      Thanks a lot,

                      Pavel