
Apex 5 on weblogic 12.1 how to set remote_user

Discussion in 'Oracle Application Express (APEX)' started by apt123, Aug 31, 2016.

  1. apt123

    Application Express 5.0.3 / Weblogic 12.1.3 integration


    Hi there.


    We’d like to deploy Application Express v5 on Weblogic 12.1.3 with integrated Windows (Kerberos) authentication. We’ve got everything set up and (verified) working, except for the final step – passing user IDs to the Application Express “ORDS” web application.


    Just to summarize:


    We have set up a weblogic domain for this exercise, with a security realm configured with:


    Default Authenticator (OPTIONAL)

    Active Directory (OPTIONAL, user and group lookups defined and working)

    DefaultIdentityAsserter

    SpnegoNegotiateIdentityAsserter


    We have deployed the “ords” application and added a weblogic security policy that requires that users belong to an AD group, which triggers the HTTP negotiation handshake and Kerberos login. That’s all working perfectly and users are signed in through IE without any problems (if they’re in the relevant AD group). Weblogic creates the appropriate JAAS subjects/principals and the Servlet APIs are returning the correct windows domain login id.


    We used the (more or less) standard “BasicAuthSimpleTestServlet” to test the Kerberos/weblogic/security policy setup before trying to pass credentials to Application Express.


    See here for our test servlet: http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html


    Tonight I’ve been trying to work out how to pass the authenticated user ID from Weblogic to Application Express. I’ve written a simple servlet request filter (and deployed it with ords.war) to examine what’s happening. Here’s what I’ve found:


    The standard “REMOTE_USER” request variable seems to be overwritten by Application Express. Whatever I put into it, it’s effectively ignored.


    We’ve defined a “HTTP Header Variable” authentication scheme in Application Express, but I can’t work out what it’s supposed to be looking for in the request. We asked Apex to use “SSO_USER” and I’ve tried (using the servlet filter) adding a header “SSO_USER”, also adding a request attribute “SSO_USER”, but Apex doesn’t seem to be even looking for them.


    I’ve noticed Apex looking for some headers:


    X-APEX-IDENTITY-DOMAIN

    HTTP_OAM_REMOTE_USER


    Are these relevant? If I define the second one, I get an error about the user not being in the correct domain. I assume that’s something to do with Oracle Access Manager.


    I’m stumped. The Application Express documentation seems to indicate that this should be possible, but I can’t find any specifics online as to how. If this doesn’t work, we’re down to deploying Application Express on Tomcat, despite having licenses for the much more powerful (and expensive) Weblogic. Is this unavoidable?


    Can you suggest anything?

    Thanks!


    Matthew Wilson
     
  2. DTSIGuy

    I note you have multiple replies in the Oracle Community Forums...do you have plans to keep this thread updated as well, or just provide the link to the full discussion?

    CJ
     
  3. apt123

    Here is the link to OTN community forum:
    https://community.oracle.com/thread/3967145
     
    Last edited: Sep 8, 2016