I'm struggling to send a Rest API request to Oracle Database (using Postman).
first issue: there are three types of Autonomous Databases (ATP, ADW, AJS) that will help me. I already created all 3 types in my oracle cloud server.
what type of authentication do I need to use? It seems "Basic Auth" with user: ADMIN and password that I defined?
What API endpoints are available to use? it is a bit confusing, in the attached screenshot I reach different articles that I'm not sure which one to use!
ORDS and SODA for REST (3) supports many different authentication mechanisms. JSON document store REST services (you choose ADJ) are intended to be used in server-to-server interactions. Therefore, two-legged OAuth (the client-credentials flow) is the recommended authentication mechanism to use with the JSON document store REST services. However, other mechanisms such as HTTP basic authentication, are also supported.
The default when installing on Autonomous is HTTP basic authentication. Most of examples uses database schema ADMIN, which is REST-enabled by default.
A good first start point is :
If you are working with ADJ, https://docs.oracle.com/en/cloud/paas/autonomous-json-database/ajdug/create-applications-ords-autonomous-database.html
If you are working with other ADB flavors : https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/ords-autonomous-database.html#GUID-E2E921FF-2D80-4E32-9660-28506D10BADB
Those documentations provide links to the documentation referred in your image.
e.g to see the SODA collections availables, the endpoint is https://your-ords-uri/ords/admin/soda/latest/.
To find the URI (Service Console / Development / RESTful Services and SODA) :
As I said, the default is basic Auth. You can also disable security and allow anonymous access for Development and Testing
For relational tables, there is additional privileges to be managed using ORDS PLSQL package before using Postman. Follow the documentation
Hope that this can help
Related
I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" api in Go. Access to the data is wide open as long as you know the project id and using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks that. Again, all the API requires is the project id to access the data so I need to lock that down firstly before I move any further. Rules are only for mobile/web clients from what I read and Server side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore api to access the data.
It's unclear from the limited information in your question but, your Firestore database is not open to anyone with the Project ID.
The service is only accessible to any thing (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.
In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.
Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.
I suspect that your code is using ADCs to authenticate you to the project|service.
Access to the data is wide open as long as you know the project id and using the Firestore API on a server.
If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.
Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: Is it safe to expose Firebase apiKey to the public?. If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose test mode when creating the database) is the way to go.
My enterprise application is developed in .net framework 4.5 and is using windows authentication. In which case, as we all understand, it is the underlying AD(active directory) that authenticates the user.
I have to replace windows authentication with token based authentication, keeping the .net framework 4.6 and AD(active directory). I guess oAuth is a possible solution, could you please share some thoughts on other possible solutions and as how could I get started.
HISTORY
It was common some years ago for apps to be developed for a corporate intranet, in which case Windows Authentication was a good solution. When token based authentication came along the benefits typically were:
Extend reach so that apps could be used over the internet
Support cross domain scenarios, eg APIs in a different domain
Support multiple authentication methods / policies depending on user location and device type
Write less security code and make new security features available to multiple apps
IMPLEMENTATION
An OAuth migration is a major architectural change and needs to be managed in terms of costs and benefits, though once done your apps will be quite cutting edge. Here is how Windows Authentication typically works in an OAuth 2.0 / Open Id Connect world, which requires a more complex setup:
Your UI redirects to a Cloud Authorization Server (AS), such as Azure Access Control
The AS redirects to an identity provider - such as an on premise version of ADFS (Active Directory Federation Services) - that is configured to use Windows authentication
When in the corporate intranet the user is automatically signed in and ADFS posts tokens to the AS
The AS posts different tokens to your UI
Your UI calls the API with the AS token and the API validates it
GETTING STARTED
If you decide that the effort is worthwhile then there are 2 parts to the job. Note that your application code will only ever interact with the AS and doesn't need to know or care about the authentication method:
Infrastructure migration
Updating the code in your UIs and APIs
If it helps, my blog and code samples are designed to help people deal with some of the challenges of OAuth tech. Maybe have a look at my first tutorial to get set up.
Me and a team built a small "meet people" app last semester that used Spring linked to a MySQL database as the backend. I am working on my own app now and I'm worried about security because all of our user information was sent over HTTPS GET requests to the server. It seems weird to me that we were able to hop on google chrome, type in xxx.xxxxx.xx:xxx/user/2 and get back a JSON with all of a specific users information. If anyone knew our url/port, they would be able to access this information themselves.
I'm sure this is a basic question, but what steps do I need to take to create a Spring backend that isn't as easy to access? I'm basically a total beginner in this, but I did write the service in Spring last semester so I know the basics.
You can use Spring Security which is a very good project and easy to integrate.
There are many types of security features it provides :
Basic Spring Security
Role Based Spring Security
baeldung.com and howtodoinjava has a very good series on it.
You can also use jwt-authentication-on-spring-boot which is also a good way to secure the APIs.
I need quick help regarding Identity server.
There is a client requirement to not allow any public hosted application to directly talk to the database. In Identity server's case, the Identity server will be hosted publicly for token endpoint, and it queries the database for operational data (went for Db approach with reference tokens because IDsrv will be on NLB). Is there any workaround for this? or is this standard practice?
Thanks
If you don't want IdentityServer to talk directly to the database, you will need to implement & register custom implementations of ICorsPolicyService, IAuthorizationCodeStore, IClientStore, IConsentStore, IRefreshTokenStore, IScopeStore, and ITokenHandleStore, that call off to some an external app that can talk to the database.
Normal operating procedure is to have IdentityServer talk directly to the database. I don't see much merit in separating the two.
FYI: You don't need to use reference tokens if you are using load balancing. Check out the deployment docs.
can Shibboleth work without a LDAP, but directly based on oracle database?
It can if you're willing to implement your own JAAS module for the UsernamePassword authentication, or you can write your own code for External Authentication for the IdP.
However, if you're using just the code that ships with the IdP, then even if you want to use Oracle or another database for your user attributes in attribute-resolver.xml, then you'll still need some kind of authentication mechanism like LDAP or Kerberos.
It's a total pain, especially for test or proof-of-concept systems.