Yes, the best approach would certainly involve setting up some sort of SSO, either using a login server or even using a reverse proxy with Apache / IIS or something to authenticate against AD with Kerberos (which I use frequently with APEX) and forward all requests to a J2EE app server behind it.
But for a "poor man's" scenario I would shoot for a token-based implementation.
I assume that the ADF application and your PL/SQL-based reporting application use the identical database in the background. Therefore, when clicking on a report (link or button) in your ADF application, the following flow will be started:
- The current ADF session ID and a random request ID will be registered in a reporting request table. Each reporting request will only be valid for a few seconds / minutes.
- The ADF application redirects the user to the reporting PL/SQL app and passes the ADF session ID and the reporting request ID as parameters.
- The reporting PL/SQL application will check for the valid entry in the reporting request table (time not expired and entry exists).
- The entry in the reporting table will be deleted or invalidated.
- The report will be rendered successfully.
This approach should make sure that the current ADF session is used and that the request is executed only ONCE. So even if anybody "saw" the URL and the tokens, the report cannot be run again, thus a replay is not possible.
Hope that helps,
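The one-time reporting request flow described in the answer above, written out as an added example (not code from the post or from either application). It uses an in-memory SQLite table as a constructed stand-in for the shared Oracle schema; the table name `reporting_request`, its columns, the 60-second TTL and the function names are assumptions. The check and the invalidation are combined into a single `DELETE` whose `WHERE` clause repeats the validity conditions, so two concurrent requests carrying the same tokens cannot both pass a separate "check" step before one of them deletes the row; the same pattern maps directly onto an Oracle `DELETE ... WHERE ...` with `SQL%ROWCOUNT` in PL/SQL.

```python
import secrets
import sqlite3
import time

# Constructed stand-in for the shared database (assumption: the real
# reporting_request table would live in the Oracle schema both apps use).
conn = sqlite3.connect(":memory:")
conn.execute(
    """
    CREATE TABLE reporting_request (
        adf_session_id TEXT NOT NULL,
        request_id     TEXT NOT NULL,
        report_name    TEXT NOT NULL,
        expires_at     REAL NOT NULL,   -- epoch seconds
        PRIMARY KEY (adf_session_id, request_id)
    )
    """
)

TOKEN_TTL_SECONDS = 60  # assumption: the post says "a few seconds / minutes"


def issue_request(adf_session_id, report_name, now=None):
    """ADF side: register a one-time reporting request and return the
    request ID to pass in the redirect together with the ADF session ID."""
    now = time.time() if now is None else now
    # 32 random bytes (256 bits) from a CSPRNG, so the ID cannot be guessed.
    request_id = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO reporting_request VALUES (?, ?, ?, ?)",
        (adf_session_id, request_id, report_name, now + TOKEN_TTL_SECONDS),
    )
    conn.commit()
    return request_id


def redeem_request(adf_session_id, request_id, now=None):
    """PL/SQL side: return the report to render if the (session, request)
    pair exists and has not expired, consuming the entry in the same step.
    Returns None for an unknown, expired, or already-used request."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT report_name FROM reporting_request "
        "WHERE adf_session_id = ? AND request_id = ?",
        (adf_session_id, request_id),
    ).fetchone()
    if row is None:
        return None
    # The DELETE is the real gate: its WHERE clause repeats the validity
    # conditions, so only the one caller whose DELETE removes the row wins.
    # A replay that reached this point after the row was consumed deletes
    # zero rows and is refused.
    cur = conn.execute(
        "DELETE FROM reporting_request "
        "WHERE adf_session_id = ? AND request_id = ? AND expires_at > ?",
        (adf_session_id, request_id, now),
    )
    conn.commit()
    return row[0] if cur.rowcount == 1 else None


def purge_expired(now=None):
    """Housekeeping: drop requests that were never redeemed; returns the count."""
    now = time.time() if now is None else now
    cur = conn.execute(
        "DELETE FROM reporting_request WHERE expires_at <= ?", (now,)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    rid = issue_request("adf-session-42", "monthly_sales")
    print("first use:", redeem_request("adf-session-42", rid))  # monthly_sales
    print("replay   :", redeem_request("adf-session-42", rid))  # None
```

The `now` parameter exists only so the expiry rules can be exercised deterministically; in production both functions use the clock. SQLite serialises writers, so the single-winner property of the `DELETE` holds trivially here; on Oracle the same statement relies on row-level locking, which gives the same guarantee without any explicit `SELECT ... FOR UPDATE`.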
Interesting idea, Dietmar. Take a little work to implement, but certainly doable. I wonder if the boss would consider it an acceptable solution. I'm still hoping that one of the ORDS developers or product managers will respond to the question about ORDS as a servlet,