APEX

Future: APEX 4.0 + APEX Listener + Weblogic and Active Directory

Michel van Zoest, Jun 3 2010 (edited May 9 2012)
Hello all,

One of my customers is looking into migrating his systems when APEX 4 and the APEX Listener will be released.
To make his decision, he is investigating some of the possibilities of this setup and has asked me to help.

His setup will be APEX 4 on the APEX Listener running on a Weblogic server. That won't be a problem. In fact, Oracle will love him for this setup ;-)
What might be a challenge is his authentication. My client would like his users to login to APEX using their MS Active Directory accounts. In other words: he would like to have his users sign in automatically into APEX if they are authenticated by Windows.

I currently haven't got the resources or environment to setup a test, so I'll have to do it with your help on the forum.
Has anyone ever setup an environment in which users login to APEX using their AD Windows account?
If not, does anyone know if this will be supported in APEX 4/APEX Listener?

I did find some clues already that would suggest it is possible, but I haven't seen any examples yet.

Comments

734787
I'm in the same boat, Michel. When I get some time I mean to try and get an AD APEX Listener/Tomcat setup up and running, though I currently don't have a handy AD/LDAP server to test against. It is a make-or-break feature for quite a few setups I've been involved with, so it would be a bonus if Oracle themselves could provide a solution to this. Technically I can't see any issues in getting this to work, but I thought I saw it mentioned earlier that it was a goal of the APEX Listener team to get something working for this.
610880
Hi,
I did implement a solution similar to what you are looking for. What I have is: I have a group "apex_users" in my AD and a function "check_ad_group" in the DB, so the function checks if this particular user belongs to the AD group; if yes, then it will let this user log in to the apex application. I don't have single sign-on implemented, so you have to type your username and password to log in to the app. Is that what you are looking for?
Michel van Zoest
Hi Yasen,

That is almost what I'm looking for. At least I now know that logging into APEX using credentials from Active Directory is possible, but my client wants his users to log in automatically, so that the users don't have to re-enter their username and password.

I'm talking to APEX Development right now and they're trying to find the answer too.
610880
You will need to implement this function I was talking about (I can post it here if you really need it). SSO is a different story, but I've seen some posts here that it is possible and it is in use by somebody, so just do more searching on SSO here.
Sc0tt
The login part is really trivial - if you can get the CGI value for REMOTE_USER then you're golden. You already have your credentials.

It's really going to be up to the Listener team to provide some guidance on how to hook up NTLM with it. I've done it with the Oracle HTTP Server and mod_ntlm, but I'm not sure how you would do it in WebLogic.

That probably doesn't help or answer your question, but I know it was on the list for the Listener to implement NTLM in some fashion.

If you want the Apache example, you can check out my implementation:
http://bahzzkillington.blogspot.com/
dsykes
We are implementing shibboleth for our reduced sign on effort. Our security/sys admin has configured our 11gR1 app server (weblogic based companion download for 11gR2 database) so that any request to /pls/apex gets redirected to the shibboleth authentication server for sign on. I don't believe this is supported by Oracle. After login you get redirected back to your apex app. This sets the REMOTE_USER cgi variable on the 11gR1 app server.

How do I use this ( owa_util.get_cgi_env('REMOTE_USER') ) in some pl/sql code to bypass my current custom authentication scheme/Page 101 login and create my session? As long as this is set (NOT to apex_public_user) the user is logged in.

Environment:

Apex 3.2
Oracle database 9.2.0.8 EE (solaris)
Oracle 11gR1 application server. (linux)

Dave
Dpeake-Oracle
A new dedicated OTN Forum has been set up for the APEX Listener: 3860

Please use this forum for all future APEX Listener posts.

Regards,
David
Sam.K
Well, I am also trying to do the same thing here. I already have LDAP/AD authentication implemented, so users should use their Windows credentials to access the APEX app, but there is a requirement to AUTOMATICALLY allow users to access the app without entering their username/pwd on the APEX login page... Does APEX 4.0 do any better than previous versions regarding this??


Thanks,
Sam
Sc0tt
I have a Before Header process on page 101 that calls the same login code as the After Submit process does; it is set to fire only when REMOTE_USER is populated. This way, when you hit that page, it calls the standard login, sets variables and redirects you to whatever page you need to be on.

I found this method to be far superior to using the page sentry functions.
557616
This is for dsykes's question regarding Shibboleth, or anyone else who can get REMOTE_USER or any other CGI environment variable set. If I recall, REMOTE_USER is not cross-platform, so we set our user id CGI variable name to HTTP_SAM_ACCOUNT_NAME in our Shibboleth system.

Then you create your own Apex authentication scheme and use the page sentry function below. We use shibboleth and our page sentry function looks like this:
create or replace FUNCTION "UM_SHIBBOLETH_PAGE_SENTRY"
(p_apex_user in VARCHAR2 default 'APEX_PUBLIC_USER')
return BOOLEAN
is
-----------------------------------------------------------------------------------------------------
-- ABM 052307 - Created. This is a trivial modification of the NTLM authentication function and others
--              as posted to otn.oracle.com (search Apex forums for NTLM authentication)
-- See also sspadafo code at: 
--              787774
-- 
-- Discussion: Function is to be called as a page sentry function in APEX. 
--             Page sentry functions fire before each page of an application. If they fail
--             the authentication scheme usually refers the user to a "public" error page 
--             that is not protected by a page sentry.
--             This page sentry is not designed to control authorization. It only checks to 
--             see if there is a credential held in the local Apache environment. Authorization
--             must be done in the Apache layer or lower down in the Apex environment.
--             To use this page sentry function, the local HTMLDB/APEX environment must have
--             access to the local CGI environment variable HTTP_SAM_ACCOUNT_NAME. 
--             The University of Missouri's shibboleth implementation is capable of 
--             populating this environment variable when properly configured.
--             THIS FUNCTION DOES NOT SUBSTITUTE FOR APEX DEVELOPER AUTHENTICATION.
--             IT ONLY WORKS WHEN RUNNING THE APPLICATION AS AN APPLICATION. 
--             FOR BEST RESULTS WHEN DEVELOPING AN APPLICATION, MAKE SURE YOUR APEX AUTHENTICATION
--             USERID IS THE SAME AS YOUR SHIBBOLETH AUTHENTICATION USERID.
--  
-- Input: p_apex_user - page sentries seem to take a single input var. In this case
--                      we only care that we are being called by apex and that the 
--                      apex username matches the PARSE as schema name. For APEX the default is
--                      APEX_PUBLIC_USER.
--
-- Output: returns boolean. True if user is authenticated, false if not.
-- 
-- Usage: To use this function...
-- 1) Open your applications shared components. Click Authentication Schemes.
-- 2) Click Create..Then select From Scratch..Next>
-- 3) Name and describe your authentication scheme. Next>
-- 4) Put this function name in the "Page Sentry Function.." text box. 
--    return UM_SHIBBOLETH_PAGE_SENTRY;
--    Click Next>
-- 5) Click Next> for session verification function
-- 6) Chose URL radio box for "When the page sentry function..." Type in a URL
--    that is not protected by a page sentry. Next>
-- 7) Leave pre-authentication process blank. Next>
-- 8) Credentials verification method: "Do not verify credentials". Next>
--    Note: this function assumes the credentials are already good. This is not authorization.
-- 9) Post authentication Process. Leave blank. Next>
-- 10) Cookie setting. Leave blank. Next>
-- 11) Logout URL. Not very useful as this layer cannot affect the base credentials for the
--     external authentication method. Set to something like:
--     wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=&APP_ID.:1
--     to take the user back to the intro page.
-----------------------------------------------------------------------------------------------------
l_current_sid NUMBER;

usr VARCHAR2(100);

-- We will be using the local environment variable HTTP_SAM_ACCOUNT_NAME, 
-- use another var like HTTP_URN as required in your Apache environment.
l_authenticated_username VARCHAR2(256) := UPPER(owa_util.get_cgi_env('HTTP_SAM_ACCOUNT_NAME'));


BEGIN
    -- Remove for debugging
    -- insert into debug_log(msg) values ('started UM_SHIBBOLETH_PAGE_SENTRY');
    -- commit;
    
    -- Check to ensure that we are running as the correct database user
    -- This keeps the function from being called outside APEX. Notice that p_apex_user 
    -- is defined as the default input parameter.
    IF USER <> UPPER(p_apex_user) THEN 
       -- remove for debugging
       -- insert into debug_log(msg) values ('Not running as APEX_PUBLIC_USER');
       -- commit; 
       RETURN FALSE; 
    END IF;

    -- if the l_authenticated_username is null then the local username environment variable
    -- hasn't been set, which means that someone has somehow gotten around our shibboleth
    -- protected environment. This condition should NEVER occur unless something is very wrong
    -- with the local Apache/Shibboleth environment. If that has happened, fail.
    IF l_authenticated_username IS NULL THEN
       -- insert into debug_log(msg) values ('l_authenticated user is null');
       -- commit;
       RETURN FALSE; 
    END IF;     

    -- Now we must check session state to make sure our APEX session info matches
    -- info in the shibboleth environment.
    -- Get the current apex session id from cookies
    l_current_sid := wwv_flow_custom_auth_std.get_session_id_from_cookie;
    IF wwv_flow_custom_auth_std.is_session_valid THEN
       -- remove for debugging
       -- insert into debug_log(msg) values ('wwv_flow_custom_auth_std.is_session_valid = true');
       -- commit;
    
        
        apex_application.g_instance := l_current_sid;
        
        -- if our external authentication username matches the username recorded 
        -- in our apex session environment, then we know we are back again from a 
        -- previous page visit. Simply re-assert our apex session user name.
        -- If you don't do this right, you'll get a new session every time the user hits
        -- an apex page, that's not good.
        IF l_authenticated_username = wwv_flow_custom_auth_std.get_username THEN
            wwv_flow_custom_auth.define_user_session(
                p_user=>l_authenticated_username,
                p_session_id=>l_current_sid);      
            RETURN TRUE;
        ELSE -- username mismatch. Unset the session cookie and redirect back here to take other branch
            wwv_flow_custom_auth_std.logout(
                p_this_flow=>v('FLOW_ID'),
                p_next_flow_page_sess=>v('FLOW_ID')||':'||NVL(v('FLOW_PAGE_ID'),0)||':'||l_current_sid);
            apex_application.g_unrecoverable_error := TRUE; -- tell apex engine to quit            
            RETURN FALSE;
        END IF;
        
    ELSE -- application session cookie not valid; we need a new apex session
    
        -- create a new apex session with our external username
        wwv_flow_custom_auth.define_user_session(
            p_user=>l_authenticated_username, 
            p_session_id=>wwv_flow_custom_auth.get_next_session_id);
        apex_application.g_unrecoverable_error := TRUE; -- tell apex engine to quit
        
        -- if we came in with a GET request then save the requested URL so we can call it
        -- again after the authentication routines finish
        IF owa_util.get_cgi_env('REQUEST_METHOD') = 'GET'  THEN
            wwv_flow_custom_auth.remember_deep_link(p_url => 'f?'|| wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
        ELSE
           -- the request was not GET so parse the application link info differently
           wwv_flow_custom_auth.remember_deep_link(p_url=>'f?p='||
                TO_CHAR(apex_application.g_flow_id)||':'||
                TO_CHAR(NVL(apex_application.g_flow_step_id,0))||':'||
                TO_CHAR(apex_application.g_instance));
        END IF;
        
        -- register session in apex sessions table,set cookie,redirect back
        wwv_flow_custom_auth_std.post_login(
            p_uname      => l_authenticated_username,
            p_session_id => nv('APP_SESSION'),
            p_flow_page  => apex_application.g_flow_id||':'||NVL(apex_application.g_flow_step_id,0));
        RETURN FALSE;        
    END IF;    
END UM_SHIBBOLETH_PAGE_SENTRY;
Hope this helps, at least a little. Regarding the Windows single-sign-on portion of the question: search for NTLM in the forums, it is possible.
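Added example, not code from any post in this thread: a PL/SQL "Before Header" process for page 101 in the style Sc0tt describes above, which is also one answer to dsykes's question about turning owa_util.get_cgi_env('REMOTE_USER') into an APEX session. It assumes APEX 4.0's APEX_CUSTOM_AUTH.POST_LOGIN(p_uname, p_session_id, p_app_page), the same registration step the sentry function above performs through WWV_FLOW_CUSTOM_AUTH_STD.POST_LOGIN with p_flow_page (check the API reference of your installed version for the exact parameter names), and it assumes that only the web tier (OHS + mod_ntlm, WebLogic, or a Shibboleth SP) can populate REMOTE_USER. The name formats it normalises (DOMAIN\user from NTLM, user@REALM from Kerberos) and the P101_MESSAGE item are assumptions for the example. One caveat that applies to the sentry function above as much as to this process: a CGI variable named HTTP_SAM_ACCOUNT_NAME is, by the CGI convention, derived from a request header (SAM-Account-Name), so unless the front end strips or overwrites any client-supplied copy of that header, a user can set their own identity; REMOTE_USER is set by the server's authentication module and has no header equivalent, which is why it is the safer variable to read.

```plsql
-- Page 101, "Before Header" PL/SQL process. Added example, not from this thread.
-- Process condition (PL/SQL expression): owa_util.get_cgi_env('REMOTE_USER') IS NOT NULL
DECLARE
    -- Populated by the web tier's authentication module (mod_ntlm, WebLogic,
    -- Shibboleth SP). Assumption: nothing else in the request path can set it.
    l_raw_user  VARCHAR2(4000) := owa_util.get_cgi_env('REMOTE_USER');
    l_user      VARCHAR2(64);

    -- Reduce the forms SSO modules hand over to one canonical name (assumed formats):
    --   NTLM     : CORP\jsmith
    --   Kerberos : jsmith@CORP.EXAMPLE.COM
    --   plain    : jsmith
    -- Returns NULL for anything that is not a plausible sAMAccountName, so a
    -- malformed value is refused rather than "cleaned up" into a session user.
    FUNCTION canonical_user (p_raw IN VARCHAR2) RETURN VARCHAR2
    IS
        l_name VARCHAR2(4000) := TRIM(p_raw);
    BEGIN
        IF INSTR(l_name, '\') > 0 THEN
            l_name := SUBSTR(l_name, INSTR(l_name, '\', -1) + 1);   -- text after the last backslash
        ELSIF INSTR(l_name, '@') > 0 THEN
            l_name := SUBSTR(l_name, 1, INSTR(l_name, '@') - 1);    -- text before the realm
        END IF;

        IF l_name IS NULL
           OR LENGTH(l_name) > 64
           OR NOT REGEXP_LIKE(l_name, '^[A-Za-z0-9._-]+$')
        THEN
            RETURN NULL;
        END IF;

        RETURN UPPER(l_name);   -- APEX stores usernames upper-cased unless case is preserved
    END canonical_user;
BEGIN
    -- No SSO identity on this request, or the placeholder some front ends send for
    -- anonymous access (dsykes's point above): render the normal login form instead.
    IF l_raw_user IS NULL OR UPPER(l_raw_user) = 'APEX_PUBLIC_USER' THEN
        RETURN;
    END IF;

    l_user := canonical_user(l_raw_user);
    IF l_user IS NULL THEN
        -- P101_MESSAGE is a hypothetical display item on the login page.
        apex_util.set_session_state('P101_MESSAGE',
            'SSO identity could not be used; please sign in with your username and password.');
        RETURN;
    END IF;

    -- Authorization (for example the AD group check Yasen describes earlier in the
    -- thread) belongs in an authorization scheme, not here: this process only
    -- establishes who the web tier says the user is.

    -- Register the session, set the cookie and redirect to the application home page
    -- (APEX 4.0 APEX_CUSTOM_AUTH API; p_app_page is "app_id:page").
    apex_custom_auth.post_login(
        p_uname      => l_user,
        p_session_id => v('APP_SESSION'),
        p_app_page   => v('APP_ID') || ':1');

    -- Stop rendering page 101 after the redirect has been issued, the same way the
    -- sentry function above does.
    apex_application.g_unrecoverable_error := TRUE;
END;
```

Keep the page's ordinary After Submit login process in place: users whose browser did not negotiate with the web tier (a non-domain laptop, a different browser configuration) still get the form, and the process above simply returns for them. The process must be conditioned as shown, otherwise every visit to page 101 runs the canonicalisation for an empty value, and the only thing it should ever trust is a variable the front end guarantees a client cannot supply.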
934570
Hi Scott,
This is Ramesh P.
I am having trouble configuring the apex authentication on the following setup.
Can you please help me a bit with this? That would be great.
APEX 4.0 + APEX Listener + Weblogic and Active Directory .

We have Weblogic server installed and on the top of it, we have apex listener deployed.
Once the users are authenticated against WebLogic (LDAP credentials or Active Directory), then we do not want users to be authenticated for apex.

Do you have any idea on this type of setup?

Thanks,
Ramesh P.

Post Details

Locked on Jun 6 2012
Added on Jun 3 2010
11 comments
4,994 views