APEX Basic REST authentication

July 25, 2017 cruepprich

To prevent unauthorized access to your REST modules, APEX provides an easy, declarative way of adding basic authentication. This method utilizes APEX user accounts and RESTful Service Privileges. In order not to expose passwords, you should make sure to enable SSL/HTTPS!

First edit an existing APEX user account, and add the RESTful Services group to that user. In our example we’ll edit the APEX user SCOTT. To do this, navigate to Manage Users and Groups in the workspace where your REST modules are, edit a user, and assign the group in the Group Assignments region:

group_assignment

Next create the RESTful Service Privilege by navigating to RESTful Services in the SQL Workshop. In the Tasks sidebar on the right, click the RESTful Service Privilege link.

rsvc_priv

Fill out the form and select the modules you want to protect, by shuttling them to the right in Protected Modules.

rsvc_details

That’s it! Everything under the selected module now requires the username and password of the APEX user. You can test this with the following curl command (edit URI as needed):

curl -u scott:tiger http://servername/ords/workspace/hr/empinfo/

When testing with Postman, choose the Basic Auth from the authentication select list and enter the APEX user’s username and password.

postman

8 thoughts on “APEX Basic REST authentication”

Patrick Monaco

July 28, 2017 at 8:17 am

… providing you had register SCOTT previously as a user at ORDS level. This is what emerges from my tests.
Patrick
Christoph Ruepprich

July 28, 2017 at 8:36 am

Hi Patrick,
in my example user SCOTT is an APEX account.
Patrick Monaco

July 28, 2017 at 9:25 am

Christoph,
are you using ORDS or embedded gateway? With standalone ORDS, I did again tests on my side, but I get a Unauthorized 401 If I just create a new user at APEX level, although I follow your cookbook.
Dan McGhan

July 31, 2017 at 11:14 am

Hi Christoph,

There should be a big warning at the top of this post: Only use basic authentication when SSL/HTTPS is enabled and enforced. Otherwise, you’re exposing passwords insecurely.

Regards,
Dan
Christoph Ruepprich

July 31, 2017 at 12:07 pm

Indeed! I’ll add it.
Jose Rodríguez Aróstegui

September 24, 2017 at 4:44 pm

Hi Christoph,

I have installed:
Apex
ords.3.0.11.180.12.34
Apex 5.1.2.00.09
Tomcat 9.0.0.M26

And I’ve followed all your steps but still getting 401… Am I missing some extra step?

Best regards,
Jose.
Christoph Ruepprich

September 25, 2017 at 11:23 am

Jose,
it is difficult to troubleshoot for me. 401 means there is something wrong with the authorization. I can only suggest double checking everything.
Jose Rodríguez Aróstegui

September 26, 2017 at 1:00 am

Hi,
I found someone with the same issue:
https://community.oracle.com/thread/4083736, so I’ll try to move the service to ORDS like it’s explained here: https://oracle-base.com/articles/misc/oracle-rest-data-services-ords-using-sql-developer
Best regards,
Jose.

Comments are closed.