2 Replies Latest reply on May 18, 2016 2:37 PM by PeeZu

    ORDS 3.x on Tomcat - Basic Auth.




      In order to secure my RESTful services with Tomcat, I need to:


      - update web.xml to add security-constraint

      - update tomcat-users.xml to add role/user mapping


      Is there any other way to do these actions?


      As Oracle said:


      Is it supported to modify the contents of ORDS / the APEX Listener ords.war / apex.war file and redeploy it?

      No. This is not supported by Oracle Support.


      So, how to configure Basic Auth?



        • 1. Re: ORDS 3.x on Tomcat - Basic Auth.
          Kris Rice-Oracle

          Mark the REST calls in ORDS as needing security. Then just set up your users in Tomcat. No need to hack the ords.war file.



          • 2. Re: Re: ORDS 3.x on Tomcat - Basic Auth.

            Hi Kris,


            Thank you for your response, unfortunately my issue is not solved (or my understanding of authentication).


            Here is a concrete example, any help welcome:


            ORDS version:


            My ORDS definition:

            DECLARE
              l_module       VARCHAR2(100);
              l_resource     VARCHAR2(100);
              l_roles        owa.vc_arr;
              l_privilege    VARCHAR2(100);
            BEGIN
              l_module := 'MY-MODULE';
              l_roles(1) := 'my-role';
              l_privilege := 'all';
              -- delete all REST services and disable REST services for this schema
              -- enable REST for this schema
              -- delete module if exist
              ords.delete_module(p_module_name => l_module);
              -- define module
              ords.define_module(p_module_name    => l_module,
                                 p_base_path      => '/',
                                 p_items_per_page => 0,
                                 p_status         => 'PUBLISHED',
                                 p_comments       => NULL);
              -- define role
              ords.delete_role(p_role_name => l_roles(1));
              ords.create_role(p_role_name => l_roles(1));
              -- define privilege
              ords.create_privilege(p_name => l_privilege, p_roles => l_roles);
              -- define privilege mapping
              ords.set_module_privilege(p_module_name => l_module, p_privilege_name => l_privilege);
              l_resource := 'whoami/';
              -- define resource template
              ords.define_template(p_module_name => l_module,
                                   p_pattern     => l_resource,
                                   p_priority    => 0,
                                   p_etag_type   => 'NONE',
                                   p_etag_query  => NULL,
                                   p_comments    => NULL);
              -- define resource handler
              ords.define_handler(p_module_name    => l_module,
                                  p_pattern        => l_resource,
                                  p_method         => 'GET',
                                  p_source_type    => ords.source_type_query_one_row,
                                  p_source         => q'[SELECT sys_context('USERENV', 'CURRENT_SCHEMA') AS "current_schema",
                                                                sys_context('USERENV', 'PROXY_USER') AS "proxy_user",
                                                                sys_context('USERENV', 'SESSION_USER') AS "session_user",
                                                                sys_context('USERENV', 'OS_USER') AS "os_user",
                                                                sys_context('USERENV', 'SESSIONID') AS "session_id",
                                                                sys_context('USERENV', 'SID') AS "sid",
                                                                USER AS "user"
                                                           FROM DUAL]',
                                  p_items_per_page => 0,
                                  p_mimes_allowed  => NULL,
                                  p_comments       => NULL);
              -- ORDS metadata changes are only visible to the listener once committed
              COMMIT;
            END;
            /


            My tomcat-users.xml


            <?xml version="1.0" encoding="UTF-8"?>
            <tomcat-users xmlns="http://tomcat.apache.org/xml"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
                          version="1.0">
              <!-- the role name must match the ORDS role created above -->
              <role rolename="my-role"/>
              <user username="ords" password="ords" roles="my-role"/>
            </tomcat-users>



            Try-it: http://your-server/your-context/whoami/


            The result is HTTP 401 as expected, but the credentials are not valid, neither from the sign-in page nor by setting Basic Auth in the HTTP request header.


            NB: Works fine with the stand-alone application server (credentials file).


            Any suggestions?
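When a 401 persists after the setup shown in this thread, the first thing to rule out is a mismatch between the role name ORDS expects (the `p_role_name` passed to `ords.create_role`) and the roles actually granted in Tomcat's `tomcat-users.xml`. The script below is an added example, not code from the thread or from Oracle or Apache: it parses a `tomcat-users.xml` document, reports which users hold the ORDS role, flags roles that users reference but that are never declared, flags users whose password equals their username, and builds the exact `Authorization` header value a client would send for a manual Basic Auth test. The XML sample inside it is constructed from the file in the post plus one extra user; the role name `my-role` and user `ords` come from the post, everything else is an assumption.

```python
"""Cross-check an ORDS role name against a Tomcat tomcat-users.xml file."""
import base64
import xml.etree.ElementTree as ET

# Constructed sample modelled on the tomcat-users.xml in the post; the second
# user and its extra role are invented here to exercise the checks.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="my-role"/>
  <user username="ords" password="ords" roles="my-role"/>
  <user username="alice" password="s3cret" roles="my-role,other-role"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip an XML namespace prefix such as '{http://tomcat.apache.org/xml}'."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def parse_tomcat_users(xml_text):
    """Return (declared_roles, users) where users maps username -> {password, roles}.

    Works whether or not the file uses the Tomcat default namespace, since
    older tomcat-users.xml files often omit xmlns.
    """
    root = ET.fromstring(xml_text)
    declared = set()
    users = {}
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name == "role":
            declared.add(elem.get("rolename"))
        elif name == "user":
            roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
            users[elem.get("username")] = {"password": elem.get("password"), "roles": roles}
    return declared, users


def check_role_mapping(ords_role, xml_text):
    """Return (holders, findings).

    holders  - usernames granted ords_role, in file order
    findings - human-readable problems a defender would want to fix before
               debugging the HTTP side any further
    """
    declared, users = parse_tomcat_users(xml_text)
    findings = []
    holders = [name for name, u in users.items() if ords_role in u["roles"]]
    if not holders:
        findings.append(f"no Tomcat user holds role '{ords_role}'")
    if ords_role not in declared:
        findings.append(f"role '{ords_role}' is not declared with a <role> element")
    for name, u in users.items():
        undeclared = u["roles"] - declared
        if undeclared:
            findings.append(f"user '{name}' references undeclared role(s): {sorted(undeclared)}")
        if u["password"] == name:
            findings.append(f"user '{name}' has a password equal to its username")
    return holders, findings


def basic_auth_header(username, password):
    """Value of the Authorization header for HTTP Basic: 'Basic ' + base64(user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    holders, findings = check_role_mapping("my-role", SAMPLE_TOMCAT_USERS)
    print("users holding my-role:", holders)
    for f in findings:
        print("finding:", f)
    # Header a client would send when testing the whoami/ resource by hand.
    print("Authorization:", basic_auth_header("ords", "ords"))
```

To use it against a real deployment, read the file from `$CATALINA_BASE/conf/tomcat-users.xml` and pass its text to `check_role_mapping` with the role name from your `ords.create_role` call; an empty `holders` list means Tomcat can never satisfy the ORDS privilege no matter which credentials the client sends.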