I am using Oracle Rest-Data-Services to export several PL/SQL-APIs as web services using REST. Therefore every PL/SQL-Package is an ORDS-Module and should have a template ending with */private that has to be secured so only admin users can call it.
I tried to create the following privilege.
    DECLARE
      l_roles_arr    OWA.vc_arr;
      l_patterns_arr OWA.vc_arr;
      l_modules_arr  OWA.vc_arr;
    BEGIN
      ORDS.create_role(p_role_name => 'private_role');
      l_roles_arr(1)    := 'private_role';
      l_patterns_arr(1) := '*/private';
      -- select name bulk collect into l_modules_arr from user_ords_modules;
      ORDS.define_privilege (
        p_privilege_name => 'private_priv',
        p_roles          => l_roles_arr,
        p_patterns       => l_patterns_arr,
        --p_modules      => l_modules_arr,
        p_label          => 'private',
        p_description    => 'private');
      COMMIT;
    END;
This has no effect and unauthorized calls to */private are still possible. When I uncomment the commented lines then all calls, even to the other endpoints, have to be authorized.
Is it possible to define a privilege pattern like this?
I found an answer in the api docs.
Glob Parameter
A Glob Parameter is denoted by the wildcard Modifier (the ‘*’ character). The wildcard Modifier MUST appear at the end of the pattern and MUST be preceded by the path separator. Only a single Glob Parameter is permitted in a pattern. A Glob Parameter MUST NOT occur in the same pattern as a Named Parameter.
Unfortunately the wildcard * has to be at the end of the pattern.
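
One way to work within that rule, as an added example that is not part of the original post: instead of a leading wildcard, build one explicit pattern per module from the ORDS metadata views and pass the whole list to the privilege. It assumes `private_role` already exists, that each protected template is literally named `private` under its module's base path, and that the `ID`, `URI_PREFIX`, `MODULE_ID` and `URI_TEMPLATE` columns of `user_ords_modules` and `user_ords_templates` are available in your ORDS version.

```sql
-- Added example (not from the original post): protect <module base path>/private
-- for every module by listing each full path, since '*/private' is not a valid glob.
DECLARE
  l_roles_arr    OWA.vc_arr;
  l_patterns_arr OWA.vc_arr;
BEGIN
  l_roles_arr(1) := 'private_role';  -- assumed to exist already

  -- Build e.g. '/hr/private', '/billing/private' from the module metadata.
  -- RTRIM/LTRIM keep exactly one '/' between base path and template.
  SELECT RTRIM(m.uri_prefix, '/') || '/' || LTRIM(t.uri_template, '/')
    BULK COLLECT INTO l_patterns_arr
    FROM user_ords_modules m
    JOIN user_ords_templates t
      ON t.module_id = m.id
   WHERE LTRIM(t.uri_template, '/') = 'private';

  -- Fail loudly rather than redefining the privilege with no patterns,
  -- which would leave every private endpoint unprotected.
  IF l_patterns_arr.COUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'No templates named "private" found; privilege left unchanged');
  END IF;

  ORDS.define_privilege(
    p_privilege_name => 'private_priv',
    p_roles          => l_roles_arr,
    p_patterns       => l_patterns_arr,
    p_label          => 'private',
    p_description    => 'private');
  COMMIT;
END;
/
```

The pattern list is a snapshot, so a module added later is not covered until the block is run again; after each run, confirm with an unauthenticated request that every `private` endpoint is refused.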