2 Replies Latest reply on Sep 28, 2011 9:00 AM by Luis

    Apex Listener authentication.

    tullio0106
      I want to use Apex Listener for my pl/sql web application (now I use mod_plsql).
      How can I implement authentication in order to protect pages from unauthorized use (like OWA_CUSTOM does in mod_plsql)?
      Tks
      Tullio
        • 1. Re: Apex Listener authentication.
          Udo
          Hi Tullio,

          From your other post I assume you plan to use the APEX Listener in standalone mode, so you are limited to the features provided by the embedded Grizzly. If you consider using a "full-blown" JEE container, you could use the means provided by that container. Of course you could add functionality, e.g. by adding a filter for Basic Authentication.

          -Udo
          • 2. Re: Apex Listener authentication.
            Luis
            Hi Udo and Tullio,

            I am testing the listener against APEX 4.1. I would like to integrate the APEX applications in our SSO system. We are using SAML2, so I have configured a Weblogic Server to work as a Service Provider. In this server I have deployed the apex.war and I have registered the /apex/* pattern in my Identity Provider (Active Directory Federation Services). In this way, when I make a request to any of my APEX applications (apex/f?p=123:...), if I do not have a valid session I am redirected to the Identity Provider login page. This is working fine, more or less; I have to do more testing...

            My question is, do you think this is the best approach for securing the APEX applications? In order for everything to work ok, I have to declare a security constraint in the web.xml...

            <security-constraint>
                 <web-resource-collection>
                      <web-resource-name>APEX Application Calls</web-resource-name>
                      <url-pattern>/*</url-pattern>
                      <http-method>GET</http-method>
                      <http-method>POST</http-method>
                 </web-resource-collection>
                 <auth-constraint>
                      <role-name>FederatedUsers</role-name>
                 </auth-constraint>
            </security-constraint>

            ...and in the weblogic.xml I just map the FederatedUsers against a principal:

            <security-role-assignment>
                 <role-name>FederatedUsers</role-name>
                 <principal-name>users</principal-name>
            </security-role-assignment>

            Also I have declared a filter for injecting some info into the request headers (needed for the APEX applications), but this is another story...

            Thanks in advance,

            Luis
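An added example, not taken from Luis's post or from Oracle, showing the same web.xml constraint in the shape a reviewer would ask for. In the Servlet specification, listing `<http-method>` elements restricts the constraint to exactly those methods, so the posted form (kept here commented out) protects only GET and POST and leaves every other method on `/*` unconstrained. The second form drops the method list so the `FederatedUsers` requirement covers all methods, adds a transport guarantee, and, assuming a Servlet 3.1 container (a constructed assumption about the WebLogic version in use), adds `<deny-uncovered-http-methods/>` as a safety net for any constraint that still names methods explicitly.

```xml
<!-- Constructed example web.xml; not the configuration posted in the thread. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Weak form (as posted): only GET and POST are constrained, so any
       other method (HEAD, PUT, DELETE, OPTIONS, ...) sent to /* reaches
       the application without the FederatedUsers role. Kept for comparison. -->
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>APEX Application Calls</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>FederatedUsers</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- Hardened form: no <http-method> list, so the constraint applies to
       every method; CONFIDENTIAL additionally requires TLS so the SAML
       session cookie is never sent over plain HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>APEX Application Calls</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>FederatedUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.1 and later only (assumption about the container version):
       if any constraint still names methods explicitly, reject the methods
       it does not cover instead of letting them through unauthenticated. -->
  <deny-uncovered-http-methods/>

  <!-- Declare the role so the container can validate the weblogic.xml mapping. -->
  <security-role>
    <role-name>FederatedUsers</role-name>
  </security-role>
</web-app>
```

One further point on the weblogic.xml mapping in the post: `users` is WebLogic's built-in group of every authenticated principal, so mapping `FederatedUsers` to it admits anyone the Identity Provider is willing to authenticate. If only a subset of federated accounts should reach APEX, map the role to a narrower group and have the SAML assertion carry that group membership.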