APEX, ORDS 19.2+ in 12.2+ rdbms.
Apache-Tomcat(ords)-12.2+
sso -- prehook
Prerequisities working - based on this: https://www.doag.org/formes/pubfiles/11293573/2019-APEX-Dietmar_Aust-Oracle_ORDS_-New_Features_You_Need_to_Know_About-…
- ras configured + ras enabled apex application works with dynamic roles for SSO_USER via header variable from the Apache
- ords procedure.rest.preHook function works and I can log the environments the prehook function can see, especially interesting is the SSO_USER "leaks through" simply with OWA_UTIL.get_cgi_env('SSO_USER')
Now before starting furious rtfm-iterations with the RAS stuff, need to ask how to set the RAS properly and is there need to have some-sort-of posthook to clean the table?
And yes, I am looking sort of "ras enabled rest services on ords"-setup which I can easily toggle on by cloning ords setup for rest services from the ords serving apex and then prehooking it with the strict-ras.
Especially scheme with dynamic role style, where users are not managed inside the database but outside. In-case rbac would be needed then the prehook or the ras code could check the role if needed from external dir.serv..
nb. I sense that then RAS is trusting perhaps literally too much on Apache-sso and there will be need to add extra security on top-of the rest, but this sounds more like rtfm.
rgrds Paavo