APEX Basic REST authentication

July 25, 2017 at 2:00 pm | Posted in Oracle Developement | 8 Comments

To prevent unauthorized access to your REST modules, APEX provides an easy, declarative way of adding basic authentication. This method utilizes APEX user accounts and RESTful Service Privileges. In order not to expose passwords, you should make sure to enable SSL/HTTPS!

First edit an existing APEX user account, and add the RESTful Services group to that user.  In our example we’ll edit the APEX user SCOTT. To do this, navigate to Manage Users and Groups in the workspace where your REST modules are, edit a user, and assign the group in the Group Assignments region:


Next create the RESTful Service Privilege by navigating to RESTful Services in the SQL Workshop. In the Tasks sidebar on the right, click the RESTful Service Privilege link.


Fill out the form and select the modules you want to protect, by shuttling them to the right in Protected Modules.


That’s it! Everything under the selected module now requires the username and password of the APEX user. You can test this with the following curl command (edit URI as needed):

curl -u scott:tiger http://servername/ords/workspace/hr/empinfo/

When testing with Postman, choose the Basic Auth from the authentication select list and enter the APEX user’s username and password.




RSS feed for comments on this post. TrackBack URI

  1. … providing you had register SCOTT previously as a user at ORDS level. This is what emerges from my tests.

    • Hi Patrick,
      in my example user SCOTT is an APEX account.

      • Christoph,
        are you using ORDS or embedded gateway? With standalone ORDS, I did again tests on my side, but I get a Unauthorized 401 If I just create a new user at APEX level, although I follow your cookbook.

  2. Hi Christoph,

    There should be a big warning at the top of this post: Only use basic authentication when SSL/HTTPS is enabled and enforced. Otherwise, you’re exposing passwords insecurely.


  3. Hi Christoph,

    I have installed:
    Tomcat 9.0.0.M26

    And I’ve followed all your steps but still getting 401… Am I missing some extra step?

    Best regards,

    • Jose,
      it is difficult to troubleshoot for me. 401 means there is something wrong with the authorization. I can only suggest double checking everything.

  4. Reblogged this on SimpleSQLDBA | Shadab Mohammad.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Entries and comments feeds.

%d bloggers like this: