Oracle REST Data Services (ORDS) : Authentication
OAuth : Client Credentials
The client credentials flow is a two-legged process that seems the
most natural to me as I mostly deal with server-server
communication, which should have no human interaction. For this
flow we use the client credentials to return an access token, which
is used to authorize calls to protected resources. The example
steps through the individual calls, but in reality it would be
automated by the application.
Remember to clean up the OAUTH metadata, as described in the
Deleting OAUTH Metadata section.
Create a client with the grant type of "client_credentials".
BEGIN
  OAUTH.create_client(
    p_name            => 'emp_client',
    p_grant_type      => 'client_credentials',
    p_owner           => 'My Company Limited',
    p_description     => 'A client for Emp management',
    p_support_email   => 'tim@example.com',
    p_privilege_names => 'emp_priv'
  );
  COMMIT;
END;
/
-- Display client details.
COLUMN name FORMAT A20
SELECT id, name, client_id, client_secret
FROM   user_ords_clients;
        ID NAME                 CLIENT_ID                        CLIENT_SECRET
---------- -------------------- -------------------------------- --------------------------------
     10316 emp_client           3NvJRo_a0UwGKx7Q-kivtA..         F5WVwyrWxXj3ykmhSONldQ..
SQL>
-- Display client-privilege relationship.
SELECT name, client_name
FROM user_ords_client_privileges;
NAME CLIENT_NAME
-------------------- ------------------------------
emp_priv emp_client
SQL>
Associate the client with the role that holds the correct
privileges for the resources it needs to access.
BEGIN
  OAUTH.grant_client_role(
    p_client_name => 'emp_client',
    p_role_name   => 'emp_role'
  );
  COMMIT;
END;
/
-- Display client-role relationship.
COLUMN client_name FORMAT A30
COLUMN role_name FORMAT A20
SELECT client_name, role_name
FROM user_ords_client_roles;
CLIENT_NAME ROLE_NAME
------------------------------ --------------------
emp_client emp_role
SQL>
In order to access the web service, we must first retrieve an
access token using the CLIENT_ID and CLIENT_SECRET we queried from
the USER_ORDS_CLIENTS view.
CLIENT_ID : 3NvJRo_a0UwGKx7Q-kivtA..
CLIENT_SECRET : F5WVwyrWxXj3ykmhSONldQ..
OAUTH URL : https://localhost:8443/ords/hr/oauth/token
The example below retrieves the access token. Notice the user
format of "CLIENT_ID:CLIENT_SECRET". It is easy to miss the ":"
when you look at this for the first time.
$ curl -i -k --user 3NvJRo_a0UwGKx7Q-kivtA..:F5WVwyrWxXj3ykmhSONldQ.. --data "grant_type=client_credentials" https://localhost:8443/ords/hr/oauth/token
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 29 Jun 2016 12:07:02 GMT
{"access_token":"-zYl-sFyB2iLicAHw2TsRA..","token_type":"bearer","expires_in":3600}
$
We can now use the access token to call our web service. Notice the
"Authorization: Bearer {access-token}" entry in the header of the
call.
$ curl -i -k -H"Authorization: Bearer -zYl-sFyB2iLicAHw2TsRA.." https://localhost:8443/ords/hr/employees/7788
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: "jtC17IXyetESUjSkxB2ani/a1TnFh28yfor+fLmxxUzGr6G9IFxQ77+/Gd71W4Qzz0rSxf90Qqbl+ICwezTayQ=="
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 29 Jun 2016 12:07:31 GMT
{"items":[{"empno":7788,"ename":"SCOTT","job":"ANALYST","mgr":7566,"hiredate":"1987-04-18T23:00:00Z","sal":3003,
"comm":null,"deptno":20}],"hasMore":false,"limit":0,"offset":0,"count":1,"links":[{"rel":"self",
"href":"https://localhost:8443/ords/hr/employees/7788"},{"rel":"describedby",
"href":"https://localhost:8443/ords/hr/metadata-catalog/employees/item"}]}
$
We successfully accessed the protected web service.
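The automation mentioned at the start of this section, as an added example (not code from the original article): it builds the same token request as the curl call, caches the bearer token, and requests a new one shortly before `expires_in` runs out. The names `build_token_request`, `http_send` and `TokenCache` and the 60-second skew are assumptions made for illustration.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://localhost:8443/ords/hr/oauth/token"  # token endpoint from the page

def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Same request as: curl --user ID:SECRET --data grant_type=client_credentials."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

def http_send(req):
    # urllib's default context verifies the server certificate (unlike curl -k).
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

class TokenCache:
    """Fetches a bearer token and reuses it until shortly before it expires."""
    def __init__(self, client_id, client_secret, send=http_send,
                 clock=time.monotonic, skew=60):
        self._creds = (client_id, client_secret)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            doc = json.loads(self._send(build_token_request(*self._creds)))
            if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = doc["access_token"]
            # Renew `skew` seconds early so a call never carries an expired token.
            self._expires_at = self._clock() + int(doc["expires_in"]) - self._skew
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

if __name__ == "__main__":
    # Constructed offline transport replaying the token response shown on the page.
    sample = b'{"access_token":"-zYl-sFyB2iLicAHw2TsRA..","token_type":"bearer","expires_in":3600}'
    cache = TokenCache("3NvJRo_a0UwGKx7Q-kivtA..", "F5WVwyrWxXj3ykmhSONldQ..",
                       send=lambda req: sample)
    print(cache.auth_header())
```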
OAuth : Authorization Code
The authorization code flow is a three-legged process. The user
accesses a URL in a browser, which prompts for credentials. Once
authorized, the browser is redirected to a specified page with an
authorization code as one of the parameters in the URL. That
authorization code is used in a call to generate an access token,
which is used to authorize calls to protected resources. With the
exception of the user confirmation, all the other steps in the flow
should be handled by the application. All the steps will be
presented separately in the example that follows.
This flow sounds complicated, but the important point to
remember is the calling application never sees the user
credentials. ORDS handles the user login and sends an authorization
code back to the application, so it can continue with the
authorization process.
Remember to clean up the OAUTH metadata, as described in the
Deleting OAUTH Metadata section. The first-party authentication
must be working for this flow to work.
Create a client using the grant type of "authorization_code".
The redirect and support URLs are not real, but we will be able to
follow the example through anyway.
BEGIN
  OAUTH.create_client(
    p_name            => 'emp_client',
    p_grant_type      => 'authorization_code',
    p_owner           => 'My Company Limited',
    p_description     => 'A client for Emp management',
    p_redirect_uri    => 'https://localhost:8443/ords/hr/redirect',
    p_support_email   => 'tim@example.com',
    p_support_uri     => 'https://localhost:8443/ords/hr/support',
    p_privilege_names => 'emp_priv'
  );
  COMMIT;
END;
/
-- Display client details.
COLUMN name FORMAT A20
SELECT id, name, client_id, client_secret
FROM   user_ords_clients;
        ID NAME                 CLIENT_ID                        CLIENT_SECRET
---------- -------------------- -------------------------------- --------------------------------
     10333 emp_client           gxqNSyxPbLUJhSj1yBe8qA..         E-_mKJBlOTfTdHc_zISniA..
SQL>
We then attempt to request an authorization code. Notice we are
using the CLIENT_ID from the USER_ORDS_CLIENTS view along with a
unique string that will represent the state.
CLIENT_ID : gxqNSyxPbLUJhSj1yBe8qA..
State     : 3668D7A713E93372E0406A38A8C02171
URL       : https://localhost:8443/ords/hr/oauth/auth?response_type=code&client_id=gxqNSyxPbLUJhSj1yBe8qA..&state=3668D7A713E93372E0406A38A8C02171
You are presented with a 401 message, which includes a "sign in"
link. Click the link, sign in with the ORDS credentials you created
earlier (emp_user) and you will be directed to an approval page.
Click the "Approve" button, which will take you to the redirect
page you specified for the client.
The redirect page we specified for the client doesn't really
exist, but we can get the authorization code and state from the
URL.
https://localhost:8443/ords/hr/redirect?code=FF-APuIMukuBlrver1XU2A..&state=3668D7A713E93372E0406A38A8C02171
The application should check the state string matches the one used
in the initial call. We use the authorization code to retrieve the
access token.
CLIENT_ID : gxqNSyxPbLUJhSj1yBe8qA..
CLIENT_SECRET : E-_mKJBlOTfTdHc_zISniA..
User : CLIENT_ID:CLIENT_SECRET
Data : grant_type=authorization_code&code={authorization-code}
URL : https://localhost:8443/ords/hr/oauth/token
The following call retrieves the access token.
$ curl -i -k --user gxqNSyxPbLUJhSj1yBe8qA..:E-_mKJBlOTfTdHc_zISniA.. --data "grant_type=authorization_code&code=FF-APuIMukuBlrver1XU2A.." https://localhost:8443/ords/hr/oauth/token
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 29 Jun 2016 12:38:52 GMT
{"access_token":"cOYb2hFK_SyxOh8o9n6R7A..","token_type":"bearer","expires_in":3600,"refresh_token":"RC33rvSwAfhguraOWlvgfA.."}
$
We can now access the protected resource using the access
token.
$ curl -i -k -H"Authorization: Bearer cOYb2hFK_SyxOh8o9n6R7A.." https://localhost:8443/ords/hr/employees/7788
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: "jtC17IXyetESUjSkxB2ani/a1TnFh28yfor+fLmxxUzGr6G9IFxQ77+/Gd71W4Qzz0rSxf90Qqbl+ICwezTayQ=="
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 29 Jun 2016 12:40:34 GMT
{"items":[{"empno":7788,"ename":"SCOTT","job":"ANALYST","mgr":7566,"hiredate":"1987-04-18T23:00:00Z","sal":3003,
"comm":null,"deptno":20}],"hasMore":false,"limit":0,"offset":0,"count":1,"links":[{"rel":"self",
"href":"https://localhost:8443/ords/hr/employees/7788"},{"rel":"describedby",
"href":"https://localhost:8443/ords/hr/metadata-catalog/employees/item"}]}
$
As mentioned before, this looks complicated, but it allows a
calling application to authenticate to a web service without seeing
the user credentials. The application just has to know the
CLIENT_ID and SECRET that were registered for it, and go through
the user approval process to get the authorisation code.
OAuth : Implicit
The implicit flow is a two-legged process that requires user
interaction. The user accesses a URL in a browser, which prompts
for credentials. Once authorized, the browser is redirected to a
specified page with an access token as one of the parameters in the
URL. That access token is used to authorize calls to protected
resources. The example steps through the individual calls, but in
reality everything but the user interaction would be automated by
the application.
Remember to clean up the OAUTH metadata, as described in the
Deleting OAUTH Metadata section.
Create a client using the grant type of "implicit". The redirect
and support URLs are not real, but we will be able to follow the
example through anyway.
BEGIN
  OAUTH.create_client(
    p_name            => 'emp_client',
    p_grant_type      => 'implicit',
    p_owner           => 'My Company Limited',
    p_description     => 'A client for Emp management',
    p_redirect_uri    => 'https://localhost:8443/ords/hr/redirect',
    p_support_email   => 'tim@example.com',
    p_support_uri     => 'https://localhost:8443/ords/hr/support',
    p_privilege_names => 'emp_priv'
  );
  COMMIT;
END;
/
-- Display client details.
COLUMN name FORMAT A20
SELECT id, name, client_id, client_secret
FROM   user_ords_clients;
        ID NAME                 CLIENT_ID                        CLIENT_SECRET
---------- -------------------- -------------------------------- --------------------------------
     10325 emp_client           0docHbkL8__7Ic58n7GCBA..
SQL>
We then attempt to request an access token. Notice we are using the
CLIENT_ID from the USER_ORDS_CLIENTS view along with a unique
string that will represent the state.
CLIENT_ID : 0docHbkL8__7Ic58n7GCBA..
State     : 3668D7A713E93372E0406A38A8C02171
URL       : https://localhost:8443/ords/hr/oauth/auth?response_type=token&client_id=0docHbkL8__7Ic58n7GCBA..&state=3668D7A713E93372E0406A38A8C02171
You are presented with a 401 message, which includes a "sign in"
link. Click the link, sign in with the ORDS credentials you created
earlier (emp_user) and you will be directed to an approval page.
Click the "Approve" button, which will take you to the redirect
page you specified for the client.
The redirect page we specified for the client doesn't really
exist, but we can get the access token from the URL.
https://localhost:8443/ords/hr/redirect#token_type=bearer&access_token=5SVR_NVP5N_OnDQt6iSxJg..&expires_in=3600&state=3668D7A713E93372E0406A38A8C02171
The application should check the state string matches the one used
in the initial call. We can now access the protected resource using
the access token.
$ curl -i -k -H"Authorization: Bearer 5SVR_NVP5N_OnDQt6iSxJg.." https://localhost:8443/ords/hr/employees/7788
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: "jtC17IXyetESUjSkxB2ani/a1TnFh28yfor+fLmxxUzGr6G9IFxQ77+/Gd71W4Qzz0rSxf90Qqbl+ICwezTayQ=="
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 29 Jun 2016 12:15:35 GMT
{"items":[{"empno":7788,"ename":"SCOTT","job":"ANALYST","mgr":7566,"hiredate":"1987-04-18T23:00:00Z","sal":3003,
"comm":null,"deptno":20}],"hasMore":false,"limit":0,"offset":0,"count":1,"links":[{"rel":"self",
"href":"https://localhost:8443/ords/hr/employees/7788"},{"rel":"describedby",
"href":"https://localhost:8443/ords/hr/metadata-catalog/employees/item"}]}
$
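The state check that both the authorization code and implicit sections ask the application to perform, as an added example (not code from the original article). The function names `start_authorization` and `handle_redirect` are hypothetical, and the caller is assumed to keep the issued state in the user's server-side session and discard it after one use.

```python
import hmac, secrets, urllib.parse

AUTH_URL = "https://localhost:8443/ords/hr/oauth/auth"  # authorization endpoint from the page

def start_authorization(client_id, response_type):
    """Return (url, state); response_type is "code" or "token" (implicit)."""
    state = secrets.token_hex(16)  # unguessable, one per authorization attempt
    query = urllib.parse.urlencode(
        {"response_type": response_type, "client_id": client_id, "state": state})
    return f"{AUTH_URL}?{query}", state

def handle_redirect(redirect_url, expected_state, response_type):
    """Check state first, then return the code (code flow) or access token (implicit)."""
    parts = urllib.parse.urlsplit(redirect_url)
    # The code flow returns its values in the query string, the implicit flow
    # in the URL fragment; read only the location this flow is expected to use.
    raw = parts.query if response_type == "code" else parts.fragment
    params = urllib.parse.parse_qs(raw)
    states = params.get("state", [])
    if len(states) != 1 or not hmac.compare_digest(
            states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    key = "code" if response_type == "code" else "access_token"
    values = params.get(key, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {key} parameter")
    return values[0]

if __name__ == "__main__":
    # Redirect URL and state value copied from the authorization code example above.
    url = ("https://localhost:8443/ords/hr/redirect"
           "?code=FF-APuIMukuBlrver1XU2A..&state=3668D7A713E93372E0406A38A8C02171")
    print(handle_redirect(url, "3668D7A713E93372E0406A38A8C02171", "code"))
```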
-- Reposted by 刘轶鹤
Content sourced from the internet