|APEX 5 deploy with WebLogic setting REMOTE_USER [message #655472]
||Wed, 31 August 2016 08:22
Registered: August 2016
Application Express 5.0.3 / Weblogic 12.1.3 integration|
We'd like to deploy application express v5 on Weblogic 12.1.3 with integration windows (Kerberos) authentication. We've got everything set up and (verified) working, except for the final step passing user IDs to the Application Express "ORDS" web application.
Just to summarize:
We have set up a weblogic domain for this exercise, with a security realm configured with:
Default Authenticator (OPTIONAL)
Active Directory (OPTIONAL, user and group lookups defined and working)
We have deployed the "ords" application and added a weblogic security policy that requires that users belong to an AD group, which triggers the HTTP negotiation handshake and Kerberos login. That's all working perfectly and users are signed in through IE without any problems (if they're in the relevant AD group). Weblogic creates the appropriate JAAS subjects/principals and the Servlet APIs are returning the correct windows domain login id.
We used the (more or less) standard "BasicAuthSimpleTestServlet" to test the Kerberos/weblogic/security policy setup before trying to pass credentials to Application Express.
See here for out test servlet: http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html
Tonight I've been trying to work out how to pass the authenticated user ID from Weblogic to Application Express. I've written a simple servlet request filter (and deployed it with ords.war) to examine what's happening. Here's what I've found:
The standard "REMOTE_USER" request variable seems to be overwritten by Application Express. Whatever I put into it, it's effectively ignored.
We've defined a "HTTP Header Variable" authentication scheme in Application Express, but I can't work out what it's supposed to be looking for in the request. We asked Apex to user "SSO_USER" and I've tried (using the servlet filter) adding a header "SSO_USER", also adding a request attribute "SSO_USER", but Apex doesn't seem to be even looking for them.
I've noticed Apex looking for some headers:
Are these relevant? If I define the second one, I get an error about the user not being in the correct domain. I assume that's something to do with Oracle Access Manager.
I'm stumped. The Application Express documentation seems to indicate that this should be possible, but I can't find any specifics online as to how. If this doesn't work, we're down to deploying Application Express on Tomcat, despite having licenses for the much more powerful (and expensive) Weblogic. Is this unavoidable?
Can you suggest anything?