3 Replies Latest reply on Feb 26, 2017 9:13 AM by Filip Huysmans

    ORDS and data security

    Simon Roggeman

      When building a three tier web application (Oracle RDBMS - ORDS - HTML5 + CSS + JS based UI), where and how would you implement an RBAC security model? Is it easily possible, or would you have to introduce a 4th tier above or below ORDS?

        • 1. Re: ORDS and data security
          Gordon Smith-Oracle

          You need to use an Application Server like WebLogic to provide authentication services and provide the users' roles to ORDS. See ORDS installation manual.

          - gordon

          • 2. Re: ORDS and data security
            Filip Huysmans

            Hi Gordon,


            thx for the feedback.

            We used the following documentation: https://docs.oracle.com/cd/E37099_01/doc.20/e25066/install.htm#AELIG7185

            The only thing mentioned was to add the tag "enforce-valid-basic-auth-credentials".

            Adding the tag to the config.xml results in an error during startup:


            <Feb 22, 2017 7:54:18 AM EST> <Error> <Management> <BEA-141244> <Schema validation errors while parsing /u01/app/oracle/middleware/user_projects/domains/irelate_domain/config/config.xml<46:5> - Element not allowed: enforce-valid-basic-auth-credentials@http://xmlns.oracle.com/weblogic/domain in element security-configuration@http://xmlns.oracle.com/weblogic/domain.>

            <Feb 22, 2017 7:54:18 AM EST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: [Management:141245]Schema validation error in /u01/app/oracle/middleware/user_projects/domains/irelate_domain/config/config.xml. See the log for details. Schema validation can be disabled by starting the server with the command line option: -Dweblogic.configuration.schemaValidationEnabled=false.>


            Is there other documentation needed for this configuration?


            We are using WLS and ORDS 309


            Thx in advance.


            Filip Huysmans

            • 3. Re: ORDS and data security
              Filip Huysmans

              With all the information we have gathered through PM's and Belgium presales, we decided on the following solution:

              • Oracle JET Application running on WLS
              • ORDS running on WLS, but will not be reached directly
              • Writing a small Java proxy class to proxy the ORDS REST APIs and provide container based security. In this way we actually add security to the standard ORDS REST solution.

              Any feedback is welcome.
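
One way to build the proxy described in the last reply, added here as an illustration and not code from the thread: a servlet that maps each permitted method and path to a container role, denies everything unlisted, and forwards only to a fixed internal ORDS address. The class name, role names, paths and ORDS URL are assumptions, and the container is assumed to authenticate users through the application's web.xml login configuration.

```java
// Added example. OrdsRbacProxy, the roles, the paths and ORDS_BASE are hypothetical.
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OrdsRbacProxy extends HttpServlet {
    // Constructed internal address: ORDS is reachable only from the proxy host.
    private static final String ORDS_BASE = "http://127.0.0.1:8888/ords/hr";
    // "METHOD /prefix" -> container role required. Anything not listed is denied.
    private static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("GET /employees", "hr_reader");
        RULES.put("GET /salaries", "hr_manager");
    }

    // Returns the role needed for this request, or null when no rule allows it.
    static String requiredRole(String method, String path) {
        // Strict allow-list of path characters: rejects "..", "//", "%", ";" and similar.
        if (path == null || !path.matches("(/[A-Za-z0-9_-]+)+")) return null;
        for (Map.Entry<String, String> e : RULES.entrySet()) {
            String[] rule = e.getKey().split(" ", 2);
            boolean pathOk = path.equals(rule[1]) || path.startsWith(rule[1] + "/");
            if (rule[0].equals(method) && pathOk) return e.getValue();
        }
        return null;
    }

    // Only GET is implemented; HttpServlet answers every other method with 405.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String path = req.getPathInfo(); // decoded path after the servlet mapping
        if (req.getUserPrincipal() == null) { resp.sendError(401); return; }
        String role = requiredRole(req.getMethod(), path);
        if (role == null || !req.isUserInRole(role)) { resp.sendError(403); return; }
        // The query string is deliberately not forwarded in this example.
        HttpURLConnection ords = (HttpURLConnection) new URL(ORDS_BASE + path).openConnection();
        ords.setInstanceFollowRedirects(false); // never follow ORDS redirects to other hosts
        int status = ords.getResponseCode();
        resp.setStatus(status);
        if (ords.getContentType() != null) resp.setContentType(ords.getContentType());
        InputStream in = status < 400 ? ords.getInputStream() : ords.getErrorStream();
        if (in == null) return;
        try (InputStream body = in) {
            byte[] buf = new byte[8192];
            for (int n; (n = body.read(buf)) != -1; ) resp.getOutputStream().write(buf, 0, n);
        }
    }
}
```

The proxy only adds security if ORDS itself cannot be reached around it, so the ORDS listener should be bound or firewalled so that only the proxy host can connect.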