22 Replies. Latest reply on Mar 20, 2015 3:39 PM by TexasApexDeveloper

    Get Windows username into APEX variable

    Pavel_p

      Hi all,

      please, is there any (reasonably simple and straightforward) way to get the currently logged-in Windows username without installing any other software? I've googled a lot and also searched this forum back and forth with no success. Formerly I used to get the OS username with a Java applet that was able to read the user's credentials (uploaded into static files) but it became really annoying after the new security restrictions (signing applets) that came with Java 7xx (exact version number is not really important). I also found here in posts that it should be somehow possible to read the CGI variable REMOTE_USER (or whatever), but my REMOTE_USER is always ANONYMOUS. In this post (Re: How to get username from HTTP request headers in APEX) it is mentioned that it should be possible after editing http.conf or dads.conf, but there are no such files in the embedded PL/SQL gateway.

      So please, if anyone has an idea how to get that damn windows username into the browser, I would be very grateful.

      Thanks a lot,

      Pavel

       

       

      owa_util.print_cgi_env;


      PLSQL_GATEWAY = WebDb
      GATEWAY_IVERSION = 2
      SERVER_SOFTWARE = Oracle Embedded PL/SQL Gateway/11.2.0.2.0
      GATEWAY_INTERFACE = CGI/1.1
      SERVER_PORT = 8090
      SERVER_NAME = XDB HTTP Server
      REQUEST_METHOD = GET
      QUERY_STRING = p=116:1:4730123570197
      PATH_INFO = /f
      SCRIPT_NAME = /apex
      REMOTE_HOST =
      REMOTE_ADDR = xx.24.68.xx
      SERVER_PROTOCOL = HTTP/1.1
      REQUEST_PROTOCOL = HTTP
      REMOTE_USER = ANONYMOUS
      ORACLE_SSO_USER =
      HTTP_CONTENT_LENGTH = 0
      HTTP_CONTENT_TYPE =
      HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
      HTTP_HOST = xx.220.197.xx
      HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      HTTP_ACCEPT_ENCODING = gzip,deflate
      HTTP_ACCEPT_LANGUAGE = cs,en-us;q=0.7,en;q=0.3
      HTTP_REFERER = http://213.220.197.162/apex/f?p=4000:1500:4730123570197:::::
      WEB_AUTHENT_PREFIX =
      DAD_NAME = apex
      DOC_ACCESS_PATH = docs
      DOCUMENT_TABLE = wwv_flow_file_objects$
      PATH_ALIAS =
      REQUEST_CHARSET = AL32UTF8
      REQUEST_IANA_CHARSET = UTF-8
      SCRIPT_PREFIX =
      HTTP_SMUSER =
      HTTP_COOKIE = ORA_WWV_ATTRIBUTE_PAGE=4311%2C%23ALL; ORA_WWV_F4000_P4150_TREE=RenderingTree%3A2393424833662564_page_items%3A2395603733662589; LOGIN_USERNAME_COOKIE=testuser

        • 1. Re: Get Windows username into APEX variable
          TexasApexDeveloper

          Unless you use IE and an Active-X control (and I would NOT recommend this) you are NOT supposed to get this information from the browser.. It is part of the security features of the browser..

           

          What is the use case you have for needing this information?

           

          Thank you,

           

          Tony Miller
          LuvMuffin Software
          Ruckersville, VA

          1 person found this helpful
          • 2. Re: Get Windows username into APEX variable
            Pavel_p

            Hi Tony,

            thanks for your response. I'm aware of the Active-X option and I would probably use it if there wasn't (again) that annoying security warning, no matter that it works only in IE. My use case is quite simple - I work in a corporate environment (Windows domain logons) and all the users have already provided their credentials = they are authorized when they want to access my application. They don't want to be bothered with another login prompt, which is in fact a fair requirement (and they really don't care if I use APEX or another technology that provides such functionality out of the box like asp/sharepoint). So in my application I want to use authentication based on their Windows domain logon names. It seems that setting the CGI variable AUTHORIZATION (which was according to many posts supposed to hold the logged in user) no longer works.

            Thanks,

            Pavel

             

            APEX 4.x with APEX 4.x Listener and NTLM Authentication

             

            PLSQL_GATEWAY = WebDb
            GATEWAY_IVERSION = 2
            SERVER_SOFTWARE = Oracle Embedded PL/SQL Gateway/11.2.0.4.0
            GATEWAY_INTERFACE = CGI/1.1
            SERVER_PORT = 8084
            SERVER_NAME = XDB HTTP Server
            REQUEST_METHOD = GET
            QUERY_STRING = p=115:LOGIN_DESKTOP:11010553543123
            PATH_INFO = /f
            SCRIPT_NAME = /apex
            REMOTE_HOST =
            REMOTE_ADDR = 172.30.246.4
            SERVER_PROTOCOL = HTTP/1.1
            REQUEST_PROTOCOL = HTTP
            REMOTE_USER = ANONYMOUS
            ORACLE_SSO_USER =
            HTTP_CONTENT_LENGTH = 0
            HTTP_CONTENT_TYPE =
            HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
            HTTP_HOST = odaapp:8084
            HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            HTTP_ACCEPT_ENCODING = gzip,deflate
            HTTP_ACCEPT_LANGUAGE = cs,en-us;q=0.7,en;q=0.3
            HTTP_REFERER = http://odaapp:8084/apex/f?p=4000:1500:7840991031436:::::
            WEB_AUTHENT_PREFIX =
            DAD_NAME = apex
            DOC_ACCESS_PATH = docs
            DOCUMENT_TABLE = wwv_flow_file_objects$
            PATH_ALIAS =
            REQUEST_CHARSET = AL32UTF8
            REQUEST_IANA_CHARSET = UTF-8
            SCRIPT_PREFIX =
            AUTHORIZATION =
            HTTP_AE_AUTHORIZATION =

             

            • 3. Re: Get Windows username into APEX variable
              Tim St. H.

              Pavel,

               

              If you are using Sharepoint and Active Directory - My guess is you are a MS server shop too.

               

              Take a look at this project:  waffle-parent – WAFFLE - Windows Authentication Framework

               

              It is an add-on to a J2EE server like Tomcat.  If running Tomcat on a MS server that is part of your domain - it can get access to your currently authenticated users and present them in the header variables like you are looking for.

               

              So the formula is:

              + Microsoft host server

              + Tomcat Web server

              + Waffle Authentication Framework

              + ORDS listener for APEX

              = You will be able to read the domain user logged in and enable the "Header Authentication"

               

              I am simplifying the setup here, but it is pretty well documented as part of the Waffle project.

              Team up with a Microsoft server person to help you get the test running.  I used this about 2 years back and it was very easy.

               

              Sorry - but the user identity of the PC / Device you are running on is not easy to see unless either the browser or the web server have special software and rights.

               

              -- Tim St.

              1 person found this helpful
              • 4. Re: Get Windows username into APEX variable
                Kiran Pawar

                Hi Pavel,

                880780 wrote:

                     Please change your user handle from "880780" to something meaningful. Refer : Video tutorial how to change nickname available

                Hi Tony,

                thanks for your response. I'm aware of the Active-X option and I would probably use it if there wasn't (again) that annoying security warning, no matter that it works only in IE. My use case is quite simple - I work in a corporate environment (Windows domain logons) and all the users have already provided their credentials = they are authorized when they want to access my application. They don't want to be bothered with another login prompt, which is in fact a fair requirement (and they really don't care if I use APEX or another technology that provides such functionality out of the box like asp/sharepoint). So in my application I want to use authentication based on their Windows domain logon names. It seems that setting the CGI variable AUTHORIZATION (which was according to many posts supposed to hold the logged in user) no longer works.

                Thanks,

                Pavel

                     Have you considered the option of Windows NTLM based SSO for Oracle APEX:

                     The above solution requires Oracle HTTP Server as your Middle Tier as it uses mod_ntlm.

                     Which Middle Tier/Web Server are you using?

                 

                     Hope this helps!

                 

                Regards,

                Kiran

                1 person found this helpful
                • 5. Re: Get Windows username into APEX variable
                  Paavo

                  Pavel, you might find these sso related threads amusing:

                  Glassfish - Windows Authentication SSO ?

                  Windows Integrated Authentication - HOWTO

                   

                  Let us know about your proceedings..

                   

                  rgrds Paavo

                   

                   

                  1 person found this helpful
                  • 6. Re: Get Windows username into APEX variable
                    Pavel_p

                    Hi guys,

                    thanks a lot for your responses.

                     

                    @Tim: As I mentioned, I work in a corporate environment where every single piece of software has to be approved by the security department and other guys (who certainly do not make things easier). If I came to admins&security guys with the requirement that I need to install and properly configure all the things mentioned above just to get the Windows username into the browser, they would probably think that I've just gone mad. And tbh, to have such a long chain of systems that have to cooperate together, where if any of them didn't work properly my users would not be able to log in to the application, would be a real nightmare. I just cannot imagine how I would be able to fix any problems if something went wrong (and from time to time anything/everything goes wrong). My current Java applet solution is a piece of cake compared to this.

                     

                    @Kiran: Thanks for a very useful link how to change my user handle to (hopefully) something more reasonable. I've tried to do it several times before but apparently never accomplished the mission.

                    Yes, of course, I'm familiar with both these documents. He adds there the CGI variable AUTHORIZATION (in dads.conf). The same (e.g.) to create a CGI variable AUTHORIZATION should be possible in my setup with the procedure DBMS_EPG.SET_DAD_ATTRIBUTE

                    http://docs.oracle.com/cd/B28359_01/appdev.111/b28419/d_epg.htm#BABIDDAI

                    and in this thread it seems that it worked for the OP (as he approved the proposed answer). Problem is that this solution doesn't seem to work anymore. I did the same, I created the CGI variable "AUTHORIZATION" but alas, it's empty and I really have no idea why. Problem is that all those posts are more than 5 years old... But to answer your question what we use:  Oracle Embedded PL/SQL Gateway/11.2.0.4.0

                     

                    @paavo: Again too complicated solution compared to my Java applet and I want to keep things as simple as possible.

                     

                    I just wonder why it used to be possible to simply set one CGI variable and now we're supposed to install and configure tons of additional software to accomplish the very same basic task.

                    Maybe we're supposed to buy this: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-090417.html

                     

                    Anyway, thanks a lot for your time and effort guys:-).

                    Regards,

                    Pavel

                    • 7. Re: Get Windows username into APEX variable
                      TexasApexDeveloper

                      Why in the name of all that is good, are you using the EPG setup in a production environment??  Oracle themselves does NOT recommend using it in any environment except development..  You should be looking at using Tomcat at a minimum with ORDS to service your application<s>..

                       

                      Using the EPG limits you dramatically in what you can and can not do with your APEX applications..

                       

                       

                      Thank you,

                       

                      Tony Miller
                      LuvMuffin Software
                      Ruckersville, VA

                      • 8. Re: Get Windows username into APEX variable
                        Tim St. H.

                        Pavel,

                         

                        I am guessing that the reason your stuff stopped working is due to security concerns.

                         

                        NTLM:

                        NT LAN Manager - Wikipedia, the free encyclopedia

                        Microsoft no longer recommends NTLM in applications:[6]

                        "Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) or message digest algorithms (RFC1321) for integrity, and it uses RC4 for encryption.

                        Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM."

                        I am guessing that it has been turned off in your corporate Active Directory environment.  It was in my previous life (over 5 years ago).

                         

                         

                        You need to talk to your corporate architecture group to get a proper setup.  Your Oracle Database already lives on a HOST (you have not mentioned what kind).

                        Host + Web server is not a complex setup.  ORDS and Waffle are just applications on that web server.  They can be on the same machine for smaller / simple configurations.

                         

                        The option you point to of using OAM is good.. but you will be installing WAY MORE than just a web server.  There are MANY parts to that software  product (and cost) 

                        So if Web server + two apps is hard, then OAM is way more than you realize.

                         

                        There is more than one company that can help you do this if this is too complex for you.

                         

                        -- Tim St.

                        • 9. Re: Get Windows username into APEX variable
                          Pavel_p

                          Tony,
                          thx for your response. First of all - I'm not a DBA, so I just use what I had been given and for the admins I think this setup is the easiest one - that's why we have it. And in fact, I don't feel limited at all by this setup. Please, could you show me any official Oracle document where it's explicitly stated that such a setup is not recommended for a production environment, and would you be more specific about how I am limited by the EPG setup (no offense - I'm just curious and I must have some real arguments if I wanted to force the DBA to change the current configuration). If you mean reporting, APEX lacks any decent reporting solution and that's why I use Jasper reports anyway (BI publisher is a different story).

                          Regards,

                          Pavel

                          • 10. Re: Get Windows username into APEX variable
                            Pavel_p

                            Tim,

                            my DB+APEX lives on Oracle Linux (6.x) but I don't think it's too important what OS it runs on. I'm not the Active Directory expert but all I know is that NTLM works for other guys who use jsp/jsf and that it somehow used to work in APEX as well.

                            I'm not against complex setups if it makes any sense but my requirements are quite simple. All I want is to get the Windows username - nothing more. Then I wrote my sentry function and that's all.

                            So my current solution for this very simple requirement is: I wrote a very small Java applet (just a few lines of code), uploaded it into static files and then I'm able to invoke its methods from JavaScript. Problem is that after some Java update it started to "shout" all the time that it's a "huge security risk" and my users are no longer able to just simply check the option not to show this message again, which bothers them every time they run my app (unless I buy a software signing certificate from some trusted certification authority or the other option is to import my self-signed certificate to all the client machines). So this is the only reason why I'm looking for some other (simpler) solution. All the solutions proposed here are way more complex than the current one (I mean to buy a trusted certificate to get rid of that annoying security warning).

                            Regards,

                            Pavel
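
Added illustration for the sentry function discussed in this thread (not code from any poster): a PL/SQL helper that a page sentry could call to take the Windows account name only from the server-set `REMOTE_USER` variable and never from client-supplied `HTTP_*` values such as the `LOGIN_USERNAME_COOKIE` visible in the first dump. The name `gateway_windows_user` and all sample values are constructed, and the code assumes a single Active Directory domain and a web tier that sets `REMOTE_USER` only after authenticating the request.

```sql
-- Added example, not from the thread. gateway_windows_user is a hypothetical name.
create or replace function gateway_windows_user return varchar2
is
  l_raw  varchar2(4000);
  l_user varchar2(4000);
begin
  -- REMOTE_USER is filled in by the web tier. HTTP_* variables mirror request
  -- headers sent by the client and are deliberately not consulted.
  l_raw := trim(owa_util.get_cgi_env('REMOTE_USER'));

  -- The embedded PL/SQL gateway reports ANONYMOUS when nobody was authenticated.
  if l_raw is null or upper(l_raw) = 'ANONYMOUS' then
    return null;
  end if;

  -- Accept DOMAIN\user or user@REALM and keep the account name.
  -- Assumption: one domain only; with several domains keep the domain part,
  -- otherwise same-named accounts from different domains would collide.
  l_user := l_raw;
  if instr(l_user, '\') > 0 then
    l_user := substr(l_user, instr(l_user, '\', -1) + 1);
  elsif instr(l_user, '@') > 0 then
    l_user := substr(l_user, 1, instr(l_user, '@') - 1);
  end if;

  -- Allow-list the characters before the value reaches session state or SQL.
  if l_user is null
     or not regexp_like(l_user, '^[A-Za-z0-9._$-]{1,64}$') then
    return null;
  end if;

  return upper(l_user);
end gateway_windows_user;
/

-- Exercise the function outside the gateway with constructed CGI environments.
set serveroutput on
declare
  l_names owa.vc_arr;
  l_vals  owa.vc_arr;

  procedure show(p_remote_user in varchar2) is
  begin
    l_names(1) := 'REMOTE_USER';
    l_vals(1)  := p_remote_user;
    l_names(2) := 'HTTP_COOKIE';                      -- client-controlled
    l_vals(2)  := 'LOGIN_USERNAME_COOKIE=testuser';   -- must not influence the result
    owa.init_cgi_env(2, l_names, l_vals);
    dbms_output.put_line(
      rpad(nvl(p_remote_user, '(empty)'), 24) || ' -> ' ||
      nvl(gateway_windows_user, '(rejected)'));
  end show;
begin
  show('ANONYMOUS');            -- what the EPG dumps in this thread contain
  show(null);
  show('CORP\pavel');           -- constructed DOMAIN\user value
  show('pavel@CORP.EXAMPLE');   -- constructed user@REALM value
  show('pavel'' or 1=1 --');    -- constructed malformed value
end;
/
```

With the environment posted in this thread the helper returns NULL, so a sentry built on it refuses the request until a web tier that really authenticates the user sits in front of APEX.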

                            • 11. Re: Get Windows username into APEX variable
                              TexasApexDeveloper

                              Understood, here is a posting from Mike Hichwa who is a member of the Oracle Development tools development team, from 2010 talking about the EPG and Apex Listener: Oracle Database Development Tools (ODDT): Oracle APEX Listener

                               

                              One of the main problems with using the EPG is the app server is running INSIDE your database, thus for security purposes there is no real separation between your database and app server.. Also for every request you process you are burning more database activity since it has to process the request and then act on the request inside the database..

                               

                              I would hope that you have a setup with some sort of DBA who knows Oracle and server setup, they should know to at least use the http server in a production environment, and be looking at using ORDS with a j2ee container for the future..

                               

                              Thank you,

                               

                              Tony Miller
                              LuvMuffin Software
                              Ruckersville, VA

                              • 12. Re: Get Windows username into APEX variable
                                Pavel_p

                                Tony, this whole theme is for a longer discussion. I'm not sure if one (five years old) article would be a strong enough argument for changing our (working) configuration and not least, Joel Kallman states there "I'm not sure what is meant by "Support discussions". However, APEX Listener is not supported by Oracle Support on Tomcat nor Jetty nor JBoss, etc. It should probably work on those other J2EE containers, but you can't call up Oracle Support with a question about the APEX Listener and those other containers.". So the conclusion for me is something like: in order to be an Oracle supported solution, the middleware should have been Fusion middleware (since glassfish is also no longer supported).

                                Security concerns... Every time I hear about security, it just drives me crazy. This particular app runs on intranet, behind the firewall and so on. From my point of view it's secured more than enough and there is no need to secure it even more. And regarding performance... This app serves up to 150 clients. As none of them complain because of slow responses, there is no reason to make it even faster. The same app used to run for several years on a server with 1/10 of the computing capacity of the current one and there is no need to keep hardware idle all the time.

                                On the other hand, current solutions (in general) tend to be overcomplicated and the result is that they very rarely work well, there has to be an army of people who maintain them, bug/issue tracking is pretty tough and every upgrade/update of such system is a nightmare. That's why we want to keep things as simple as possible and I spent the last half of the year replacing "advanced" pieces of code with out of the box APEX provided functionality.

                                Regards,

                                Pavel

                                • 13. Re: Get Windows username into APEX variable
                                  TexasApexDeveloper

                                  Your information about Tomcat is invalid.. ORDS IS supported on Tomcat..

                                   

                                  All that is being suggested is that you LOOK at the capacities that come with the newer technologies with APEX.. Security in mind is just ONE reason to NOT use the EPG in a production environment, another would be for the reasons you are outlining now that you can not do any customizations with the EPG since it runs INSIDE the database..

                                   

                                  If you are not wanting to use ORDS or even the http server then you are resigned to building your java applets that MIGHT break when new versions of Java are introduced..

                                   

                                  'nuff said from me here, you seem to have it well in hand. Keeping it simple..

                                   

                                  Thank you,

                                   

                                  Tony Miller
                                  LuvMuffin Software
                                  Ruckersville, VA

                                  • 14. Re: Get Windows username into APEX variable
                                    Pavel_p

                                    Yes, to make things as simple as possible and keep them that way. Btw, that's why I was hired, as the original sw vendor was not able to migrate this app to the new hardware&APEX version for more than a year. I don't care if it runs on one or another server/technology or whatever - my only concern is to keep things up and running with minimal effort. Why would one want to make any customizations if the original solution works? I don't get the idea behind it. That's not about "not wanting or capable" to configure&run apache+ords+iis+tomcat+jboss+glassfish+php+adf+jsp+jsf+spring+asp+bunch_of_other_messy_technologies, it just has to bring some real benefits that I can't see yet (but maybe I'm just blind). And I'm not going to pull out my hair whenever anything from this long chain breaks. People should keep in mind the first Murphy's law: If anything can go wrong, it will. And another rule as well - never touch the running system.

                                    Regarding Tomcat support... I just copied the sentence Joel Kallman wrote in the discussion below the article you pointed me at. It's also 5 years old, so things may have changed.
