ORDS, SODA & JSON in the Database

Can tomcat-users.xml be used as identity store?

Patrick MonacoSep 25 2017 — edited Oct 3 2017

If I use ORDS in standalone mode, I know that I can add new users by typing a command like

java -jar ords.war user XXX  "XXXX"

Now, if I'm using ORDS with Tomcat, even if I add new users in the tomcat-users.xml file, I can't log in with these entries.

Does that mean that the tomcat-users.xml file is not honored by ORDS?

If not, does that mean that the credentials file continues to be the only identity store for ORDS?

The documentation says that the authentication process can use APIs from WebLogic Server or Glassfish, but no mention is made of Tomcat.

Thanks in advance,

Patrick

This post has been answered by Kiran Pawar on Sep 26 2017

Comments

thatJeffSmith-Oracle

The Tomcat user needs to have the same role as the protected ORDS resource requires.

Patrick Monaco

Hi Jeff,

thank you for your answer.

After supplemental tests, I confirm that I can't manage to authenticate with a regular Tomcat user (a user declared with the appropriate role in tomcat-users.xml).

I get the message: An invalid user name or password was supplied.

Steps to reproduce:

(ORDS is under Tomcat 9 on a Windows 2010 platform)

  • Create a privilege : demo
  • Create a role: testrole
  • Create a module: demo
  • protect the module demo with the demo privilege
  • In tomcat-users.xml, add the user demodev with the previous role
    • <role rolename="testrole"/>
    • <user username="demodev" password="xxxxxxxx" roles="testrole"/>
  • Test the authentication with Tomcat by calling a pure tomcat app: http://localhost:8080/manager/html
  • Add a user at ORDS level with a different name
    • java -jar ords.war user hr_admin testrole
  • Launch http://localhost:8080/ords/ordstest/demo/emp/
  • sign-in with hr_admin: OK     <-- ORDS user
  • sign-in with demodev: An invalid user name or password was supplied.   <-- TOMCAT user

So the question is: how do I instruct ORDS to retrieve users from the Tomcat Identity Store instead of the Credentials file?

Thank you in advance,

Patrick

Kiran Pawar
Answer

Hi 3440044,

3440044 wrote:

Please change your user handle from "3440044" to something meaningful. Refer: Video tutorial how to change nickname available

If I use ORDS in standalone mode, I know that I can add new users by typing a command like

java -jar ords.war user XXX "XXXX"

Now, if I'm using ORDS with Tomcat, even if I add new users in the tomcat-users.xml file, I can't log in with these entries.

Does that mean that the tomcat-users.xml file is not honored by ORDS?

If not, does that mean that the credentials file continues to be the only identity store for ORDS?

The documentation says that the authentication process can use APIs from WebLogic Server or Glassfish, but no mention is made of Tomcat.

I don't think that the Tomcat user repository is supported for this feature of Oracle REST Data Services, as the Oracle Documentation mentions it only for WebLogic and Glassfish user repositories.

Refer: https://docs.oracle.com/cd/E56351_01/doc.30/e87809/developing-REST-applications.htm#AELIG90058

You can raise this as a new feature request for ORDS to @"Kris Rice-Oracle" and @"thatJeffSmith-Oracle".

Oracle Team for ORDS: We should have a feature request application, the same as for Oracle Application Express, where we can log these requests.

Regards,

Kiran

Marked as Answer by Patrick Monaco · Sep 27 2020
Patrick Monaco

Hi Kiran,

It was what I suspected, given the documentation.

Glassfish will be deprecated, and it would be nice to have a cheap alternative with Tomcat.

Thank you for your answer.

(For the name, I followed the tutorial and changed my display name three times without success, unless changes occur in a minute. Next time, I'll pass the dedicated certification for this task before :-)

Patrick

thatJeffSmith-Oracle

>>I get the message: An invalid user name or password was supplied.

That's from Tomcat, not us.

>>So the question is: how do I instruct ORDS to retrieve users from the Tomcat Identity Store instead of the Credentials file?

Nothing, there is literally no config. Tomcat handles all of the authentication before ORDS even gets the request. Once it's let through, all ORDS will do is make sure the user has the role that the protected module requires.

>>I don't think that the Tomcat user repository is supported for this feature of Oracle REST Data Services, as the Oracle Documentation mentions it only for WebLogic and Glassfish user repositories.

We 100% support Tomcat. The reason we have docs for Glassfish and WebLogic is because THOSE are Oracle products, and we have access to their resources. Tomcat is not ours, so we do not offer guidance on how to do things in Tomcat. That's not the same as not supporting it.

Oracle-Base has some nice articles on REST and covers Tomcat in detail.
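
One way to rule out a configuration mistake on the Tomcat side, given the division of work described above (Tomcat authenticates, ORDS only checks the role), as an added example that is not part of the original thread: it parses tomcat-users.xml text and reports whether a user holds the role the protected ORDS module requires. The sample file is constructed from the entries quoted in the thread; the function names and the `ops` user are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the role and demodev entries mirror the thread; "ops" is hypothetical.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="testrole"/>
  <user username="demodev" password="xxxxxxxx" roles="testrole"/>
  <user username="ops" password="xxxxxxxx" roles="manager-gui,testrol"/>
</tomcat-users>"""


def _local(tag):
    """Drop the '{namespace}' prefix so files with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def load_store(xml_text):
    """Return (declared_roles, {username: set_of_roles}) from tomcat-users.xml text."""
    declared, users = set(), {}
    for el in ET.fromstring(xml_text).iter():
        kind = _local(el.tag)
        if kind == "role" and el.get("rolename"):
            declared.add(el.get("rolename"))
        elif kind == "user" and el.get("username"):
            # roles is a comma-separated list; surrounding whitespace is stripped here
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users[el.get("username")] = roles
    return declared, users


def check_access(xml_text, username, required_role):
    """Say whether username holds required_role (exact, case-sensitive match)."""
    _, users = load_store(xml_text)
    if username not in users:
        return "no-such-user"
    return "ok" if required_role in users[username] else "role-missing"


def undeclared_roles(xml_text):
    """Map each user to roles it references that have no <role> element (likely typos)."""
    declared, users = load_store(xml_text)
    return {u: r - declared for u, r in users.items() if r - declared}


if __name__ == "__main__":
    for user in ("demodev", "ops", "hr_admin"):
        print(user, check_access(SAMPLE, user, "testrole"))
    print("undeclared:", undeclared_roles(SAMPLE))
```

An "ok" result for the Tomcat user combined with a failed sign-in against the protected module points away from the user file and toward the container or ORDS itself.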

Patrick Monaco

Hi Jeff,

How I would like you to be right!!

I'm fighting with this supposed feature but, given my recent tests, I do think that ORDS doesn't delegate authentication to Tomcat.

If somebody wants to reproduce the test case and invalidate my conclusions, I'd be glad.

Patrick Monaco 3440044

thatJeffSmith-Oracle

It appears we have a problem - stay tuned. And thanks for your patience.

Kiran Pawar

Hi thatJeffSmith-Oracle,

thatJeffSmith-Oracle wrote:

I don't think that the Tomcat user repository is supported for this feature of Oracle REST Data Services, as the Oracle Documentation mentions it only for WebLogic and Glassfish user repositories.

We 100% support Tomcat. The reason we have docs for Glassfish and WebLogic is because THOSE are Oracle products, and we have access to their resources. Tomcat is not ours, so we do not offer guidance on how to do things in Tomcat. That's not the same as not supporting it.

Oracle-Base has some nice articles on REST and covers Tomcat in detail.

I am not saying that ORDS is not supported over Apache Tomcat. What I am saying is that a particular feature of Apache Tomcat is not supported/not documented (if there is a workaround) in ORDS.

What the thread owner posted is how to use the Tomcat Users repository in ORDS, as it is supported to use Oracle WebLogic Server and Oracle Glassfish Server user repositories in ORDS.

Please SEE the ORDS documentation provided for Oracle Weblogic Server and Oracle Glassfish Server user repositories in ORDS:

Refer: https://docs.oracle.com/cd/E56351_01/doc.30/e87809/developing-REST-applications.htm#AELIG90058

The thread owner wants the same feature to be implemented for ORDS deployed over Apache Tomcat.

Regards,

Kiran

thatJeffSmith-Oracle

Yes and it should be working. This is a bug.

Patrick Monaco

Thank you Jeff.

If this is a bug, hope exists at least that it will be fixed.

Patrick Monaco

thatJeffSmith-Oracle

bug is logged, cause is known, solution will be delivered...soon

Patrick Monaco

Bravo !

Thank you Jeff.

Kris Rice-Oracle

Not that it helps but this is broken due to a change in Tomcat and how they do the user login/roles.

Patrick Monaco

Ok, thank you Kris.


Post Details

Locked on Oct 31 2017
Added on Sep 25 2017