I'm looking into exactly the same right now. My setup is 11gR2 using APEX 4 running in the APEX Listener on Weblogic.
Using the Oracle White Paper at Technet, I've set up my authentication scheme. The only trouble I'm having is that I have no idea how to set the CGI environment variable in the APEX Listener or in Weblogic, or if this is even necessary.
When I run my application using this setup, I get a popup asking for username/password, but anything I fill in will log the user in. And instead of <domain>/<username> the application shows <weblogic_server_name>/username.
Yes, I am aware of Jason's blog entry but from the long string of updates, it doesn't appear to be a very stable solution especially since a Microsoft hotfix/patch can break it without warning.
Update 08/14/2009: I also want to point out some text from the whitepaper based on this article to make it clear what this function does (decodes an NTLM token) and does not do (negotiate anything with any domain controller).
"This paper presents a pure PL/SQL code solution for decoding an NTLM token and using that decoded value as the authenticated user in APEX applications. The function will set the username to "nobody" if it detects that the browser prompted the user for their credentials instead of just silently negotiating them. You can then write authorization schemes that deny access to the "nobody" user. Note that unlike the mod_ntlm Apache module, this solution does not pass along credentials to a domain controller for authentication. This solution requests that the browser present an NTLM authentication token and decodes the username and domain from that token."

More importantly, as per the last update (quoted above), it doesn't actually verify credentials with a domain controller like Apache mod_ntlm does. Assuming that the new Apex listener is the recommended "web server to proxy requests between the browser and the Apex engine", IMHO there should be a more robust NTLM authentication method that actually verifies credentials with the domain controller instead of a (very clever) hack.
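An added example, not code from the thread or from the whitepaper: a small Python decoder for the NTLM Type 3 (AUTHENTICATE_MESSAGE) token that a browser sends in the `Authorization: NTLM <base64>` header once negotiation finishes. It extracts the domain and user from the token's security buffers exactly the way a "decode only" approach must, and then shows why that is not authentication: the only part of the message bound to the user's password is the NT response, and a decoder without the account's NT hash or a domain controller cannot check it, so a token with an arbitrary username and a garbage NT response decodes just as cleanly. The helper names (`decode_type3`, `build_type3`, `user_from_authorization_header`) and the sample tokens are constructed for this illustration and are not part of any APEX or listener API.

```python
import base64
import struct

# Fixed layout of an NTLM Type 3 message (MS-NLMP AUTHENTICATE_MESSAGE).
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001      # payload strings are UTF-16-LE when set
HEADER_LEN = 64                     # signature, type, six security buffers, flags

# Offsets of the six "security buffers" (len:2, maxlen:2, offset:4) in the header.
OFF_LM, OFF_NT, OFF_DOMAIN, OFF_USER, OFF_WORKSTATION, OFF_SESSION_KEY = 12, 20, 28, 36, 44, 52


def _read_buffer(msg: bytes, field_off: int) -> bytes:
    """Resolve one security buffer to the payload bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, field_off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def decode_type3(token: bytes) -> dict:
    """Parse a Type 3 token into its parts. This decodes; it does NOT verify anything."""
    if len(token) < HEADER_LEN or token[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", token, 8)[0]
    if msg_type != NTLM_AUTHENTICATE:
        raise ValueError(f"expected a Type 3 message, got Type {msg_type}")
    flags = struct.unpack_from("<I", token, 60)[0]
    # Without the Unicode flag the strings are in the client's OEM code page;
    # ASCII is assumed here for simplicity.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "domain": _read_buffer(token, OFF_DOMAIN).decode(enc),
        "user": _read_buffer(token, OFF_USER).decode(enc),
        "workstation": _read_buffer(token, OFF_WORKSTATION).decode(enc),
        "lm_response": _read_buffer(token, OFF_LM),
        "nt_response": _read_buffer(token, OFF_NT),   # the only password-bound part
    }


def user_from_authorization_header(header: str) -> str:
    """What a decode-only scheme would set as the APEX user: DOMAIN\\user, unverified."""
    scheme, _, b64 = header.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    parts = decode_type3(base64.b64decode(b64))
    return f"{parts['domain']}\\{parts['user']}"


def build_type3(domain: str, user: str, workstation: str,
                nt_response: bytes, lm_response: bytes = b"") -> bytes:
    """Assemble a Type 3 message from raw parts (used only to construct sample tokens).
    Note that nothing stops a caller from passing any username with any NT response."""
    enc = "utf-16-le"
    payload_parts = [lm_response, nt_response, domain.encode(enc),
                     user.encode(enc), workstation.encode(enc), b""]  # b"": no session key
    fields, payload, offset = b"", b"", HEADER_LEN
    for part in payload_parts:
        fields += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    return (NTLM_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
            + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def build_authorization_header(token: bytes) -> str:
    """Wrap a token the way a browser sends it."""
    return "NTLM " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a token as a real client would send it (NT response is
    # opaque to us; only a DC or a server holding alice's NT hash can check it).
    genuine = build_type3("CORP", "alice", "WS01", nt_response=b"\x11" * 24,
                          lm_response=b"\x00" * 24)
    print(user_from_authorization_header(build_authorization_header(genuine)))

    # Constructed sample: same decoder, arbitrary username, meaningless NT response.
    forged = build_type3("CORP", "administrator", "anything", nt_response=b"\x00" * 24)
    print(user_from_authorization_header(build_authorization_header(forged)))
```

The decoder alone gives you the username in a form that looks authenticated, which is what makes the decode-only approach tempting; the second sample is why it has to be combined with something that validates `nt_response` against the domain (mod_ntlm, mod_auth_sspi, or a Java provider that completes the exchange with a domain controller) before the name is trusted.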
"More importantly, as per the last update (quoted above), it doesn't actually verify credentials with a domain controller like Apache mod_ntlm does. Assuming that the new Apex listener is the recommended "web server to proxy requests between the browser and the Apex engine", IMHO there should be a more robust NTLM authentication method that actually verifies credentials with the domain controller instead of a (very clever) hack."
The lack of a robust 'Single Sign On' method with the apex listener is a virtual deal breaker for me and at least one other environment I'm aware of. Apex is a superb solution for many typical Forms/Reports applications running on corporate/large/normal intranets. These environments are going to be using Active Directory and the applications will be competing against Sharepoint and .NET applications that will probably be running with native windows authentication. It is a real bugbear to me when I'm forced to login to a Windows app and prompted for a password when I know it could have been configured not to. When I'm on a Windows database I make extensive use of native (NTS) authentication as it is trivial to configure and then gives the massive security and convenience benefit of allowing passwordless database accounts. You immediately get all the built in auditing of knowing people aren't sharing accounts, among other benefits.
I assumed that getting some kind of ntlm authentication would be easy to get running on Tomcat but I'm struggling to find something, so currently I'm sticking to proxying via Apache using mod_auth_sspi (unfortunately needing a Windows host) or mod_ntlm (which is a bit unsupported currently, but does work).
It would be a massive boost to the Apex project to have a working native Windows authentication method as that is the environment where most Apex applications are going to be running.
I have been looking into this a lot lately, and I have been able to only find one Java provider with NTLMv2 support: http://www.ioplex.com/jespa.html
I have been looking at doing basically a CAS service, called from a page sentry, which will forward out to the j2ee authentication portal app, which, if the NTLM is set and proper, will configure a proper CAS session and forward them back into APEX with the proper credentials. Just like normal CAS, only it will pick up NTLM.