9 Replies Latest reply on Mar 30, 2017 6:24 AM by unficyp

    Authenticate Access using APEX Session

    unficyp

      Hi,

      APEX 5.0.4 on 11.2.0.4 used.

       

      I have an application called KnowledgeBase, like a wiki, where users can upload (into blobs) and reference images in the text.

      The display function of the images is implemented using ORDS calls, which works really great.

      The problem: calls are allowed even if one does not have any valid APEX session.

      I know I can secure ORDS with OAuth2 and some ORDS roles/privileges.

      But is it possible to allow ORDS access only if there is a valid APEX Session?

       

      regards,

      gerald

        • 1. Re: Authenticate Access using APEX Session
          Pollocks01

          This is supposed to be possible, yes, but I'm struggling to get it working right now:

           

          REST Data Services Developers Guide

           

          We're meant to create a RESTful Services Privilege and assign our given module(s) to that group:

           

          ..now I get the desired 401 unauthorized when I access it as-is (using Postman Chrome add-on):

           

           

          Note that per the documentation cited at beginning of this reply, I have the required Apex-Session http header specified, but that I still get the 401.

           

          I'm using Apex 5.1.0.00.45 running against 12c (R1)

          • 2. Re: Authenticate Access using APEX Session
            Pollocks01

            ..and the URI parameter method also doesn't seem to do the trick :-(
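A small verification script for the two mechanisms the replies above try (the Apex-Session header and the _apex_session URI parameter), added here as an example and not code from the thread or from Oracle. It assumes the value format APP_ID,SESSION_ID that the cited ORDS Developer Guide documents; the URL, application id and session id are placeholders, and `fetch` can be swapped for a stub so the checks run offline.

```python
"""Smoke-test whether an ORDS endpoint really enforces an APEX session.

Expected outcome for a correctly protected module:
  - anonymous request           -> 401
  - request with Apex-Session   -> 200
  - request with _apex_session  -> 200
The thread above reports the second and third still returning 401, which
this script makes visible as False flags instead of a manual Postman check.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode


def apex_session_headers(app_id, session_id):
    # Header form assumed from the ORDS Developer Guide: "Apex-Session: <APP_ID>,<SESSION_ID>"
    return {"Apex-Session": f"{app_id},{session_id}"}


def apex_session_query(url, app_id, session_id):
    # URI-parameter form assumed from the same guide: ?_apex_session=<APP_ID>,<SESSION_ID>
    sep = "&" if "?" in url else "?"
    return url + sep + urlencode({"_apex_session": f"{app_id},{session_id}"})


def http_status(url, headers=None):
    """Real transport: return the HTTP status code, treating 4xx/5xx as a result, not an error."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_protected(url, app_id, session_id, fetch=http_status):
    """Run the three probes and report which expectations hold."""
    anon = fetch(url)
    with_header = fetch(url, apex_session_headers(app_id, session_id))
    with_query = fetch(apex_session_query(url, app_id, session_id))
    return {
        "anonymous_rejected": anon == 401,
        "header_accepted": with_header == 200,
        "query_param_accepted": with_query == 200,
        "statuses": (anon, with_header, with_query),
    }


if __name__ == "__main__":
    # Placeholder values: replace with your ORDS endpoint and a live APEX session.
    print(verify_protected("https://ords.example.invalid/ords/kb/images/1",
                           app_id=100, session_id=123456789))
```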

             

            • 3. Re: Authenticate Access using APEX Session
              Pollocks01

              I picked up on the mention of Cookies and wondered whether this'd work out of APEX (where the browser has the APEX auth cookie... perhaps Postman was never going to work)... same issue :-(

               

              • 4. Re: Authenticate Access using APEX Session
                Pollocks01

                Interestingly, I see invalid username/password; login denied in my ords console window when - and only when - the rest endpoint is in the authentication group: when the rest service is unprotected, I don't see the error.

                 

                I have unlocked and reset pwd on apex_listener, apex_public_user, apex_rest_public_user and ords_public_user.

                 

                I think I might have messed up the APEX 5.1 installation regarding container db etc.

                 

                Jan 19, 2017 7:10:26 AM
                WARNING: *** jdbc.MaxLimit in configuration |apex|al| is using a value of 10, this setting may not be sized adequately for a production environment ***
                Jan 19, 2017 7:10:26 AM
                WARNING: *** jdbc.InitialLimit in configuration |apex|al| is using a value of 3, this setting may not be sized adequately for a production environment ***
                Jan 19, 2017 7:10:26 AM oracle.ucp.common.UniversalConnectionPoolBase initInactiveConnectionTimeoutTimer
                INFO: inactive connection timeout timer scheduled
                Jan 19, 2017 7:10:27 AM oracle.ucp.common.UniversalConnectionPoolBase initInactiveConnectionTimeoutTimer
                INFO: inactive connection timeout timer scheduled
                Jan 19, 2017 7:10:27 AM oracle.dbtools.rt.resource.templates.cache.MetadataCachesProvider activate
                INFO: Enabling metadata cache
                Jan 19, 2017 7:10:27 AM
                INFO: Configuration properties for: |apex|rt|
                cache.caching=false
                cache.directory=/tmp/apex/cache
                cache.duration=days
                cache.expiration=7
                cache.maxEntries=500
                cache.monitorInterval=60
                cache.procedureNameList=
                cache.type=lru
                db.hostname=10.140.100.99
                db.port=1521
                db.servicename=pdborcl
                debug.debugger=false
                debug.printDebugToScreen=false
                error.keepErrorMessages=true
                error.maxEntries=50
                jdbc.DriverType=thin
                jdbc.InactivityTimeout=1800
                jdbc.InitialLimit=3
                jdbc.MaxConnectionReuseCount=1000
                jdbc.MaxLimit=10
                jdbc.MaxStatementsLimit=10
                jdbc.MinLimit=1
                jdbc.statementTimeout=900
                log.logging=false
                log.maxEntries=50
                misc.compress=
                misc.defaultPage=apex
                security.crypto.enc.password=******
                security.crypto.mac.password=******
                security.disableDefaultExclusionList=false
                security.maxEntries=2000
                security.requestValidationFunction=wwv_flow_epg_include_modules.authorize
                security.validationFunctionType=plsql
                db.password=******
                db.username=APEX_REST_PUBLIC_USER
                
                
                Jan 19, 2017 7:10:27 AM
                WARNING: *** jdbc.MaxLimit in configuration |apex|rt| is using a value of 10, this setting may not be sized adequately for a production environment ***
                Jan 19, 2017 7:10:27 AM
                WARNING: *** jdbc.InitialLimit in configuration |apex|rt| is using a value of 3, this setting may not be sized adequately for a production environment ***
                Jan 19, 2017 7:10:27 AM oracle.ucp.common.UniversalConnectionPoolBase initInactiveConnectionTimeoutTimer
                INFO: inactive connection timeout timer scheduled
                Jan 19, 2017 7:11:31 AM oracle.dbtools.rt.authentication.apex.ApexSessionVerifier verify
                WARNING: The username or password for the connection pool named apex, are invalid, expired, or the account is locked
                oracle.dbtools.common.jdbc.ConnectionPoolConfigurationException: The username or password for the connection pool named apex, are invalid, expired, or the account is locked
                        at oracle.dbtools.common.jdbc.DataSourceConnection.getConnection(DataSourceConnection.java:54)
                        at oracle.dbtools.common.pools.DataSourceTargetImpl.connection(DataSourceTargetImpl.java:41)
                        at oracle.dbtools.common.jdbc.JDBCPrincipalImpl.connection(JDBCPrincipalImpl.java:64)
                        at oracle.dbtools.common.jdbc.BaseJDBCCallProvider.connection(BaseJDBCCallProvider.java:149)
                        at oracle.dbtools.common.jdbc.BaseJDBCCallProvider.transaction(BaseJDBCCallProvider.java:93)
                        at oracle.dbtools.rt.authentication.apex.ApexSessionVerifier.verify(ApexSessionVerifier.java:270)
                        at oracle.dbtools.rt.authentication.apex.ApexSessionVerifier.verify(ApexSessionVerifier.java:118)
                        at oracle.dbtools.auth.SessionAuthenticatorBase.authenticate(SessionAuthenticatorBase.java:29)
                        at oracle.dbtools.rt.authentication.AuthenticationService.authenticate(AuthenticationService.java:65)
                        at oracle.dbtools.rt.authentication.AuthenticationService.verify(AuthenticationService.java:94)
                        at oracle.dbtools.rt.web.RequestDispatchers.authenticate(RequestDispatchers.java:183)
                        at oracle.dbtools.rt.web.RequestDispatchers.dispatch(RequestDispatchers.java:110)
                        at oracle.dbtools.rt.web.ETags.checkPrecondition(ETags.java:59)
                        at oracle.dbtools.rt.ResourceTemplatesServlet.restfulServices(ResourceTemplatesServlet.java:271)
                        at oracle.dbtools.rt.ResourceTemplatesServlet.service(ResourceTemplatesServlet.java:126)
                        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
                        at oracle.dbtools.http.servlet.DispatchableServletBase.service(DispatchableServletBase.java:58)
                        at oracle.dbtools.http.entrypoint.Dispatcher.dispatch(Dispatcher.java:125)
                        at oracle.dbtools.http.entrypoint.EntryPoint$FilteredServlet.service(EntryPoint.java:240)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:73)
                        at oracle.dbtools.http.forwarding.QueryFilteringRewrite.doFilter(QueryFilteringRewrite.java:90)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.forwarding.ForwardingFilter.doFilter(ForwardingFilter.java:68)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.cors.CORSPreflightFilter.doFilter(CORSPreflightFilter.java:66)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.cookies.auth.CookieSessionCSRFFilter.doFilter(CookieSessionCSRFFilter.java:77)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.auth.AuthenticationFilter.authenticate(AuthenticationFilter.java:87)
                        at oracle.dbtools.http.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:62)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.url.mapping.RequestMapperImpl.doFilter(RequestMapperImpl.java:125)
                        at oracle.dbtools.url.mapping.URLMappingBase.doFilter(URLMappingBase.java:103)
                        at oracle.dbtools.url.mapping.filter.URLMappingFilter.doFilter(URLMappingFilter.java:124)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.cors.CORSResponseFilter.doFilter(CORSResponseFilter.java:83)
                        at oracle.dbtools.http.filters.HttpResponseFilter.doFilter(HttpResponseFilter.java:45)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.errors.ErrorPageFilter.doFilter(ErrorPageFilter.java:94)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.auth.ForceAuthFilter.doFilter(ForceAuthFilter.java:44)
                        at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
                        at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
                        at oracle.dbtools.http.filters.Filters.filter(Filters.java:47)
                        at oracle.dbtools.http.entrypoint.EntryPoint.service(EntryPoint.java:82)
                        at oracle.dbtools.http.entrypoint.EntryPointServlet.service(EntryPointServlet.java:49)
                        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
                        at oracle.dbtools.rt.web.HttpEndpointBase.dispatchableServices(HttpEndpointBase.java:116)
                        at oracle.dbtools.rt.web.HttpEndpointBase.service(HttpEndpointBase.java:81)
                        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
                        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:751)
                        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:566)
                        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:219)
                        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1111)
                        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:498)
                        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
                        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1045)
                        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
                        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
                        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
                        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:98)
                        at org.eclipse.jetty.server.Server.handle(Server.java:461)
                        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:284)
                        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:244)
                        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:534)
                        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
                        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
                        at java.lang.Thread.run(Unknown Source)
                Caused by: oracle.dbtools.common.ucp.ConnectionLabelingException: Error occurred when attempting to configure url: unknown with labels: {oracle.dbtools.jdbc.label.schema=ATS}
                        at oracle.dbtools.common.ucp.LabelingCallback.handle(LabelingCallback.java:147)
                        at oracle.dbtools.common.ucp.LabelingCallback.proxyToSchema(LabelingCallback.java:210)
                        at oracle.dbtools.common.ucp.LabelingCallback.configure(LabelingCallback.java:76)
                        at oracle.ucp.common.UniversalConnectionPoolImpl.getAvailableConnectionHelper(UniversalConnectionPoolImpl.java:649)
                        at oracle.ucp.common.UniversalConnectionPoolImpl.getAvailableConnection(UniversalConnectionPoolImpl.java:595)
                        at oracle.ucp.common.UniversalConnectionPoolImpl.borrowConnectionWithoutCountingRequests(UniversalConnectionPoolImpl.java:197)
                        at oracle.ucp.common.UniversalConnectionPoolImpl.borrowConnectionAndValidate(UniversalConnectionPoolImpl.java:145)
                        at oracle.ucp.common.UniversalConnectionPoolImpl.borrowConnection(UniversalConnectionPoolImpl.java:120)
                        at oracle.ucp.jdbc.JDBCConnectionPool.borrowConnection(JDBCConnectionPool.java:170)
                        at oracle.ucp.jdbc.oracle.OracleJDBCConnectionPool.borrowConnection(OracleJDBCConnectionPool.java:849)
                        at oracle.ucp.jdbc.oracle.OracleConnectionConnectionPool.borrowConnection(OracleConnectionConnectionPool.java:82)
                        at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:1103)
                        at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:1074)
                        at oracle.dbtools.common.jdbc.DataSourceConnection.getConnection(DataSourceConnection.java:46)
                        ... 74 more
                Caused by: java.sql.SQLException: ORA-01017: invalid username/password; logon denied
                
                
                        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:450)
                        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:392)
                        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:385)
                        at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:1018)
                        at oracle.jdbc.driver.T4CTTIoauthenticate.processError(T4CTTIoauthenticate.java:501)
                        at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:522)
                        at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:257)
                        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:437)
                        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1063)
                        at oracle.jdbc.driver.T4CConnection.doProxySession(T4CConnection.java:2029)
                        at oracle.jdbc.driver.PhysicalConnection.openProxySession(PhysicalConnection.java:3053)
                        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                        at java.lang.reflect.Method.invoke(Unknown Source)
                        at oracle.ucp.jdbc.proxy.JDBCConnectionProxyFactory.invoke(JDBCConnectionProxyFactory.java:325)
                        at oracle.ucp.jdbc.proxy.ConnectionProxyFactory.invoke(ConnectionProxyFactory.java:50)
                        at com.sun.proxy.$Proxy37.openProxySession(Unknown Source)
                        at oracle.dbtools.common.ucp.LabelingCallback$ProxySchemaTask.call(LabelingCallback.java:282)
                        at oracle.dbtools.common.ucp.LabelingCallback$ProxySchemaTask.call(LabelingCallback.java:271)
                        at oracle.dbtools.common.concurrent.RetryStrategy.execute(RetryStrategy.java:45)
                        at oracle.dbtools.common.ucp.LabelingCallback.proxyToSchema(LabelingCallback.java:206)
                        ... 86 more
                
                • 5. Re: Authenticate Access using APEX Session
                  Pollocks01

                  I completely removed all versions of APEX from the CDB and the PDB and then reinstalled apex 5.1 into a PDB; removed and reinstalled ORDS; verified that I can log into the PDB as each of apex_listener, apex_public_user, apex_rest_public_user, ords_public_user and still get the same behaviour: i.e. can access the rest service from APEX only when the rest service remains unprotected.

                  • 6. Re: Authenticate Access using APEX Session
                    unficyp

                    Yes, seems like there is no possibility to combine ORDS with APEX authentication. Maybe this could be a new feature?

                    • 7. Re: Authenticate Access using APEX Session
                      Pollocks01

                      Nope - that's not correct. It is SUPPOSED to be supported. I actually have an SR (3-14074354121) open with them right now: this has been passed to the APEX development team and I'm "Awaiting Internal Feedback".

                       

                      I will update this post with outcome of my SR when they respond. I replicated the issue on apex.oracle.com meaning it's not an issue with my configuration.

                      • 8. Re: Authenticate Access using APEX Session
                        Pollocks01

                        Confirmed by Oracle Support as a bug: See MOS document Doc ID 2245846.1

                        • 9. Re: Authenticate Access using APEX Session
                          unficyp

                          Thanks for the info and thanks for reporting the SR!