I'm working on setting up APEX to be integrated in to whatever authentication scheme we end up migrating to in a few months. Since it isn't yet determined, we've written our Java applications to utilize REMOTE_USER, which is passed via mod_jk. The Java applications work great.
I'm trying to do the same with APEX using the APEX Listener. I created a custom authentication scheme which grabs the REMOTE_USER variable and sets the logged-in user to that user. It works, strangely enough, great using an OHS DAD secured by MOD_OSSO, but if I access the same APEX installation via the APEX Listener, my debug page that spits out the REMOTE_USER and :APP_USER variables shows APEX_PUBLIC_USER for both.
It appears as though APEX Listener is overwriting REMOTE_USER, even when the variable is already set.
Any idea how I might troubleshoot or work around this?
APEX Listener sets the REMOTE_USER header value passed to OWA applications (including APEX) to the value returned by the HttpServletRequest.getRemoteUser() method, OR if that returns null to the value of the database user used to connect to the database.
You need to configure mod_jk to pass the authenticated user ID to your servlet container so that getRemoteUser() will return this value (at the moment your environment is setting the REMOTE_USER header instead). To do this, set the value of the mod_jk request.tomcatAuthentication property to false. How you do this depends on the version of mod_jk and the servlet container you are using; you'll have to research that for your specific environment.
BTW, the APEX Listener server does this configuration automatically when running in standalone mode, so you just need to specify the AJP listen port when running it and the user identity will be propagated automatically:
java -Dapex.ajp=8009 -jar apex.war
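As an added example (not code from this thread or from Oracle), here is a PL/SQL sentry function for the kind of custom authentication scheme described above. It accepts REMOTE_USER only when it is a real container-authenticated principal and treats the Listener's database-user fallback as "not logged in". The function name, the fallback constant, the principal-name pattern and the use of v('APP_USER') for the current session user are assumptions.

```sql
-- Added example, not from the thread. Sentry function for an APEX custom
-- authentication scheme: trust REMOTE_USER only when the container actually
-- authenticated the request. When getRemoteUser() is null the Listener puts
-- the database connection user into REMOTE_USER instead, and treating that
-- value as a login would give every visitor one shared identity.
create or replace function remote_user_sentry return boolean
is
  -- Assumed: the database user the Listener connects as (see the thread).
  c_db_fallback   constant varchar2(30) := 'APEX_PUBLIC_USER';
  l_remote_user   varchar2(255);
  l_session_user  varchar2(255);
begin
  -- What the Listener placed in the CGI environment for this request.
  l_remote_user := upper(trim(owa_util.get_cgi_env('REMOTE_USER')));

  -- Reject empty values and the database-user fallback outright.
  if l_remote_user is null or l_remote_user = c_db_fallback then
    return false;
  end if;

  -- Accept only names in the shape the upstream directory issues
  -- (assumed pattern: letters, digits, dot, dash, underscore, optional @domain).
  if not regexp_like(l_remote_user, '^[A-Z0-9._-]+(@[A-Z0-9.-]+)?$') then
    return false;
  end if;

  -- If the APEX session already belongs to a different user, fail rather than
  -- silently re-binding it to the identity in this request.
  l_session_user := upper(v('APP_USER'));
  if l_session_user is not null
     and l_session_user not in ('NOBODY', c_db_fallback)
     and l_session_user <> l_remote_user
  then
    return false;
  end if;

  -- Bind the APEX session to the container-authenticated identity.
  apex_custom_auth.set_user(p_user => l_remote_user);
  return true;
end remote_user_sentry;
/
```

Register the function as the scheme's sentry (or page sentry) so that a request whose REMOTE_USER is only the fallback is sent to the login flow instead of being treated as an authenticated session.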
Sorry for digging up an old thread.
Is it possible to access the result of getRemoteUser() in resource templates?
I'd like if this was bubbled up somehow.
Right now, I can't see a way to get the authenticated user from the container unless there is some way I'm not aware of.
I should have RTFM.
From the docs:
"When you configure either of these two options, Oracle Application Express Listener can honor any Security Constraint values specified in the Resource Template. Note that the identity of the authenticated user is available to the Resource Template using the X-APEX-USER header that is passed with the request"
The X-APEX-USER header is available even in standalone mode with no HTTP server in front, I've found out.
For instance, even if your browser is passing a Basic Authorization to a resource template, the user in that basic auth is available to the template in the X-APEX-USER header.