ORDS, SODA & JSON in the Database

Pre Hook not called on protected pattern if user does not have the required privilege

I'm using ORDS with a JWT profile and a Pre Hook function which reads the user and roles from the token.
The user is set via X-ORDS-HOOK-USER. This works perfectly fine.
For the roles, I set X-ORDS-HOOK-ROLES.

To set the roles (via X-ORDS-HOOK-ROLES) with the required privilege for accessing protected resources, I would need the hook to be called anyway. But the hook is only called if the user is allowed to access. Otherwise it returns 401. I'm sure it's not called, as every call gets logged. This leads me to the assumption that I can't set roles from the prehook for protected resources… a chicken-and-egg problem.

I currently see only two workarounds:

  • Using the “scope” claim of the token to set privileges. But this would make it impossible to use roles or privileges from a db table. This does not meet my requirement to dynamically set roles from within the DB.
  • Implementing my own check for roles in the hook function and returning true/false depending on that, which makes the whole privilege/role feature of ORDS obsolete in this case.

I think it's the same problem a user had in the past: https://forums.oracle.com/ords/apexds/post/ords-prehook-function-problem-1846
The last comment confirms my theory with removing the pattern mapping (basically allow all authenticated users to access).

Did I miss something or did I not understand the purpose of X-ORDS-HOOK-ROLES?

Added on Mar 1 2024