oracle-databaseplsqloracle-apexoracle-rest-data-services

Secure every endpoint ending with */private in Oracle REST-Data-Services


I am using Oracle Rest-Data-Services to export several PL/SQL-APIs as webservice using REST. Therefore every PL/SQL-Package is an ORDS-Module and should have a template ending with */private that has to be secured so only admin users can call it.

I tryed to create the following privilege.

DECLARE
  l_roles_arr    OWA.vc_arr;
  l_patterns_arr OWA.vc_arr;
  l_modules_arr  OWA.vc_arr;
BEGIN
  ORDS.create_role(p_role_name => 'private_role');
  l_roles_arr(1)    := 'private_role';
  l_patterns_arr(1) := '*/private';
  --  select name bulk collect into l_modules_arr from user_ords_modules;
  ORDS.define_privilege (
    p_privilege_name => 'private_priv',
    p_roles          => l_roles_arr,
    p_patterns       => l_patterns_arr,
    --p_modules        => l_modules_arr,
    p_label          => 'private',
    p_description    => 'private');
  COMMIT;
END;

This has no effect and unauthorized calls to */private are still possible. When I uncomment the commented lines then all calls even to the other endpoints has to be authorized.

Is it posible to define a privilege pattern like this?


Solution

  • I found an answer in the api docs.

    https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/21.3/ordjv/doc-files/route-patterns.html

    Glob Parameter
    A Glob Parameter is denoted by the wildcard Modifier (the ‘*’ character). The wildcard Modifier MUST appear at the end of the pattern and MUST be preceded by the path separator. Only a single Glob Parameter is permitted in a pattern. A Glob Parameter MUST NOT occur in the same pattern as a Named Parameter.

    Unfortunately the wildcard * has to be at the end of the pattern.