Oracle APEX — Basic authentication for REST services

Biljana Jelić
4 min read, Oct 10, 2019

To prevent unauthorized access to REST services, Oracle APEX and ORDS provide several security methods. One of the easiest to implement is First-Party Authentication, also known as "Basic authentication", which is covered in this article. Keep in mind that Basic authentication sends the username and password (only base64-encoded, not encrypted) with every request, so the service must be served over HTTPS.

To protect a REST service, three pieces must be in place: a role, a privilege, and the assignment of that privilege to the module we want to protect. All three must work together to provide security.

The starting point is to check in Oracle APEX which users exist, which groups they belong to, and which privileges those users and groups have. This is managed in the "Manage Users and Groups" section. If there are no users or groups yet, create a dedicated group for REST services and assign the users to it. If groups and users already exist, add the RESTful Services grant from the "Group Assignments" list to the group. Once the group exists and the user is assigned to it, create the privilege and assign it to the group; a user can only reach a protected service as a member of a group that holds the privilege. While creating the privilege, pick the modules to protect and add them to the privilege.

Several groups can be part of one privilege, but a single module can be associated with only one privilege.

1. Manage Users and Groups → add the RESTful Services group assignment

2. SQL Workshop → RESTful Services → RESTful Service Privileges → Create new → Assign Groups and Protected Modules

3. That should be it! Open the Oracle REST Data Services (ORDS) link. The link has the format:

https://<host>:<port>/ords/<schema>/<module>/<template>

If a "401 Unauthorized" error appears when opening the link, the REST web service is protected, and the page can be accessed through the sign-in form with a valid username and password.

What credentials do I need to enter?

The credentials of an ORDS user that holds the RESTful Services role must be entered in the sign-in form. If the user already exists, it is listed in the credentials file in the ORDS configuration folder, together with the roles it holds; passwords are stored there as salted hashes, so an existing password cannot be read back from the file, only reset.

(e.g. C:\Users\ords\config\ords\credentials)

A user can also be created from the command line (CMD), as follows:

  • open cmd
  • navigate to ORDS directory:
cd C:\Users\ords
  • create a new user

For example, the user HRADMIN will be created. The general statement is:

java -jar ords.war user <user_name> <user_ords_roles>

Roles are given as separate arguments, so a role name containing a space, such as RESTful Services, must be quoted; otherwise it is read as two roles "RESTful" and "Services" and the user does not get the intended role:

java -jar ords.war user HRADMIN "RESTful Services"
Enter a password for user HRADMIN:
Confirm password for user HRADMIN:
INFO: Created user: HRADMIN in file: C:\Users\ords\config\ords\credentials
  • run ORDS (standalone) again with the command:
java -jar ords.war
  • log in to the page again with the created credentials

If you encounter a "404 Error" while opening the sign-in form, REST access needs to be enabled through SQL Developer, as shown in the image below. REST access can be enabled for the schema or for a specific object (table, view, etc.).

Roles, privileges and privilege-to-URL mappings can also be checked with SQL queries against the ORDS data dictionary views (the mapping view is named in the plural, user_ords_privilege_mappings; role-to-privilege assignments are in user_ords_privilege_roles):

SELECT * FROM user_ords_roles;
SELECT * FROM user_ords_privileges;
SELECT * FROM user_ords_privilege_mappings;
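The same setup can be done without the APEX UI, through the ORDS PL/SQL API, which is what the following added example does (it is not code from the original article). It REST-enables the schema (the fix for the "404" described above), defines a module emp with a template list/ backed by a GET handler, creates the privilege hr.emp.priv attached to the RESTful Services role (the role the HRADMIN user was given above), and maps it to the URL pattern /emp/*. The schema name HR, the EMPLOYEES table, and the module, template and privilege names are assumptions; run it connected as the schema owner.

```sql
-- Added example: ORDS PL/SQL equivalent of the APEX UI steps above.
-- Assumptions: connected as HR, HR has an EMPLOYEES table, and the ORDS
-- user created with ords.war holds the role "RESTful Services".
DECLARE
  l_role_count PLS_INTEGER;
BEGIN
  -- Step 0: REST-enable the schema (a schema that is not enabled answers 404).
  -- p_auto_rest_auth => TRUE also requires authentication for AutoREST objects.
  ORDS.ENABLE_SCHEMA(
    p_enabled             => TRUE,
    p_schema              => 'HR',
    p_url_mapping_type    => 'BASE_PATH',
    p_url_mapping_pattern => 'hr',
    p_auto_rest_auth      => TRUE);

  -- Step 1: a module with one template and a GET handler.
  -- Resulting URL: https://<host>:<port>/ords/hr/emp/list/
  ORDS.DEFINE_MODULE(
    p_module_name    => 'emp',
    p_base_path      => '/emp/',
    p_items_per_page => 25,
    p_status         => 'PUBLISHED');

  ORDS.DEFINE_TEMPLATE(
    p_module_name => 'emp',
    p_pattern     => 'list/');

  ORDS.DEFINE_HANDLER(
    p_module_name => 'emp',
    p_pattern     => 'list/',
    p_method      => 'GET',
    p_source_type => ORDS.source_type_collection_feed,
    p_source      => 'SELECT employee_id, first_name, last_name, email FROM employees');

  -- Step 2: the role. It must exist before a privilege references it, so
  -- create "RESTful Services" only if the workspace has not created it yet.
  SELECT COUNT(*)
    INTO l_role_count
    FROM user_ords_roles
   WHERE name = 'RESTful Services';

  IF l_role_count = 0 THEN
    ORDS.CREATE_ROLE(p_role_name => 'RESTful Services');
  END IF;

  -- Step 3: the privilege, granted to the role ...
  ORDS.CREATE_PRIVILEGE(
    p_name        => 'hr.emp.priv',
    p_role_name   => 'RESTful Services',
    p_label       => 'HR employees',
    p_description => 'Protects everything under /emp/');

  -- ... and the mapping that says which URLs the privilege protects.
  -- Without this mapping the privilege exists but protects nothing.
  ORDS.CREATE_PRIVILEGE_MAPPING(
    p_privilege_name => 'hr.emp.priv',
    p_pattern        => '/emp/*');

  COMMIT;
END;
/
```

After running it, the queries in the preceding paragraph show the new role, privilege and mapping, and an unauthenticated GET on https://<host>:<port>/ords/hr/emp/list/ should return 401 Unauthorized until the HRADMIN credentials are supplied. The pattern /emp/* is relative to the schema's base path, so it covers every template in the module, including ones added later.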

Keep in mind that this is not the most secure method: if an ORDS role name matches a database role, any user assigned to that database role would also get access to the REST service, so it is easy to accidentally let someone in without noticing. For a higher level of security, explore the other methods Oracle offers (e.g. OAuth 2).

Applications being used in this article:

  • Oracle Application Express (Oracle APEX) version 5.2
  • Oracle REST Data Services (ORDS) version 3.0

Thank you for reading.
