Thread: Error ERR-7621 when using NTLM Page Sentry Function


Replies: 32 - Pages: 3 - Last Post: Jul 29, 2009 5:48 PM Last Post By: anupv
sspadafo

Posts: 16,581
Registered: 01/10/01
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 9, 2008 2:13 AM   in response to: Patrick Wolf
Patrick,

I haven't had time to digest this and understand it but thank you very much for this superb effort. Jason tells me he has updated his blog with this new information.

Again, thanks a bunch.

Scott
Soms

Posts: 45
Registered: 05/09/08
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 1:47 AM   in response to: Patrick Wolf
Hi Patrick,

Please let me know whether this NTLM page sentry function works in APEX3.0 and ORACLE XE with EPG...

Thx.

Som
Patrick Wolf

Posts: 1,812
Registered: 04/24/00
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 1:53 AM   in response to: Soms
Hi Som,

Have a look at Jason's original posting at http://jastraub.blogspot.com/2008/03/ntlm-http-authentication-and.html; there he writes the following about NTLM and EPG.

Update 3/19/2008: I should mention that this solution only works with Apache/ Oracle HTTP Server and is not supported by the XDB HTTP Server with the embedded PL/SQL gateway (EPG), yet...

Update 4/17/2008: For more information on why this solution will not work with the embedded PL/SQL gateway, see the section titled "Configuring Static Authentication with DBMS_EPG" in the following document:

http://download.oracle.com/docs/cd/B28359_01/appdev.111/b28424/adfns_web.htm#BGBCFIIB

"The database rejects access if the browser user attempts to connect explicitly with the HTTP Authorization header."


So I don't see much hope that it will work in the near future with EPG.

Greetings
Patrick
Soms

Posts: 45
Registered: 05/09/08
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 2:14 AM   in response to: Patrick Wolf
Hi Patrick,

Thanks for the reply.
I have gone through Jason's blog. He also mentioned the same, that it won't work with EPG.
Actually my requirement is: I have 3 different applications residing on different servers; 1 server is used for authentication purposes, and the other 2 applications depend on this server for login auth. Basically the user should not be asked for username/password whenever he switches between applications.

I do not want to SSO. Any other way to do this?

Som
Jes

Posts: 5,398
Registered: 06/19/04
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 2:19 AM   in response to: Patrick Wolf
Patrick,

A potential solution to this -

The database rejects access if the browser user attempts to connect explicitly with the HTTP
Authorization header.

Might be to put a front-end proxying Apache 2.0 server in front of the DBMS_EPG, and then use the proxying server to rewrite the incoming AUTHORIZATION header into something else (for example APEXAUTHORIZATION) and remove the AUTHORIZATION header.

You could then adapt Jason's code to check the value of APEXAUTHORIZATION, so that -

l_auth := owa_util.get_cgi_env('AUTHORIZATION');  

becomes

l_auth := owa_util.get_cgi_env('APEXAUTHORIZATION');  

and the EPG shouldn't reject access since the AUTHORIZATION header is no longer present.

I haven't tested it, but in theory I think it stands a chance of working.

If there's sufficient interest, I can cook up some "Apache Header Rewrite Foo" rules to test it out.

Obviously a 'drawback' is having to have the proxying Apache server installed, however I know quite a few sites are already running with Apache servers in front of their EPGs anyway (so perhaps not so much of an issue).

John.

http://jes.blogs.shellprompt.net
http://apex-evangelists.com
Soms

Posts: 45
Registered: 05/09/08
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 2:33 AM   in response to: Jes
Hi Patrick,

Thanks a lot.
I think this will solve my problem; I will try implementing this.
If you have any documents, code or "Apache Header Rewrite Foo" rules please send them to me, and if possible let me know how to configure the Apache server with DBMS_EPG.

Having Apache in front of EPG affects performance; any security issues?

Thanks once again..

Som.
Jes

Posts: 5,398
Registered: 06/19/04
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 2:59 AM   in response to: Soms
Hello,

Hi Patrick, Thanks a lot..

Actually it was me (Jes) not Patrick ;)

Having Apache in front of EPG affects performance; any security issues?

Sure, when setting up any web based system there are security issues you should investigate.

Performance wise, there will be additional latency (due to the proxying), however I'd say a correctly configured and optimized Apache proxying solution would easily beat a non-optimized incorrectly configured 'direct' solution.

Optimizing and securing webservers is an art unto itself, it's difficult to summarize all the steps here into a simple checklist as much of it depends on your actual environment (expected number of requests etc).

Hope this helps,

John.

http://jes.blogs.shellprompt.net
http://apex-evangelists.com
Jes

Posts: 5,398
Registered: 06/19/04
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 3:20 AM   in response to: Jes
Hello,

I couldn't resist....

Here's a relatively simple bit of Header-Foo (as I like to call it):

<VirtualHost *>
    ServerName headertest.dbvm.com
    ServerAlias headertest.dbvm.com
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/$ /pls/apex/f?p=HEADERAPP:1 [R=301]
    ProxyPass /pls/apex http://localhost:7777/pls/apex
    ProxyPassReverse /pls/apex http://localhost:7777/pls/apex
    ProxyPass /i http://localhost:7777/i
    ProxyPassReverse /i http://localhost:7777/i
    # Copy the incoming Authorization header into an environment variable,
    # then forward it to the backend under the new name
    RewriteRule .* - [E=AE_AUTHORIZATION:%{HTTP:Authorization}]
    RequestHeader set AE_AUTHORIZATION %{AE_AUTHORIZATION}e
    # Remove the original header so it is not passed on to the EPG
    RequestHeader unset HTTP_AUTHORIZATION
    RequestHeader unset AUTHORIZATION
</VirtualHost>

You will also need to allow the new header to be passed through, using the OHS you'd add the following line to the DAD -

PlsqlCGIEnvironmentList    AE_AUTHORIZATION

Using the EPG, you'd run this bit of code -

BEGIN
  DBMS_EPG.SET_DAD_ATTRIBUTE (
    dad_name   => 'APEX',
    attr_name  => 'cgi-environment-list',
    attr_value => 'AE_AUTHORIZATION');
END;
/

This creates a new header (called AE_AUTHORIZATION) which contains the original values of the HTTP_AUTHORIZATION header, which is done in these lines:

RewriteRule .* - [E=AE_AUTHORIZATION:%{HTTP:Authorization}]
RequestHeader set AE_AUTHORIZATION %{AE_AUTHORIZATION}e

The next couple of lines remove the original AUTHORIZATION (HTTP_AUTHORIZATION) headers:

RequestHeader unset HTTP_AUTHORIZATION
RequestHeader unset AUTHORIZATION

I gave this a quick test, first without the above rules in place:

jes@AEMBP$ GET -H "AUTHORIZATION: FOO" headertest.dbvm.com | grep AUTHORIZATION
HTTP_AUTHORIZATION = FOO
AE_AUTHORIZATION =

Note that 'headertest.dbvm.com' is the VirtualHost entry for my application.

Notice that the HTTP_AUTHORIZATION header is set and the AE_AUTHORIZATION header is present (but empty).

Now trying the test with the rules in place -

jes@AEMBP$ GET -H "AUTHORIZATION: FOO" headertest.dbvm.com | grep AUTHORIZATION
AE_AUTHORIZATION = FOO

Notice how the AE_AUTHORIZATION header now contains the value of 'FOO' and the original AUTHORIZATION headers have gone.

This works for me, so it should work for you too (do let me know).

DISCLAIMER: PLEASE PLEASE (PLEASE!) don't try this on your production system without testing it out first on something you don't mind breaking. I am in no way responsible for any problems you hit if you choose to ignore this advice!

John.

http://jes.blogs.shellprompt.net
http://apex-evangelists.com
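
Once the proxy relays the header, the value the page sentry reads from AE_AUTHORIZATION is an ordinary NTLM HTTP value ("NTLM " followed by a base64 message). The following is an added example, not part of the original posts or of Jason's code: a Python model of the relay rules above together with a bounds-checked parser for the relayed value. The function names, the cp437 fallback for non-Unicode strings and the sample message are assumptions made for the example.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def relay(headers):
    """Model the proxy rules: AE_AUTHORIZATION is always overwritten with the
    incoming Authorization value, and Authorization itself is not forwarded."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("authorization", "ae_authorization")}
    out["AE_AUTHORIZATION"] = auth
    return out

def _field(msg, pos, enc):
    # Security buffer: length, allocated length, offset (little-endian).
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length].decode(enc)

def parse_ntlm(value):
    """Return (message_type, fields). Fields are only the names the client
    claims; nothing here verifies the challenge response."""
    scheme, _, blob = value.partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        raise ValueError("not an NTLM value")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != SIG:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype != 3:
        return mtype, {}
    if len(msg) < 64:  # assumption: Type 3 layout that includes the flags field
        raise ValueError("truncated Type 3 message")
    unicode_flag = struct.unpack_from("<I", msg, 60)[0] & 0x1
    enc = "utf-16-le" if unicode_flag else "cp437"  # OEM code page is assumed
    return 3, {"domain": _field(msg, 28, enc), "user": _field(msg, 36, enc),
               "workstation": _field(msg, 44, enc)}

def sample_type3(domain, user, host):
    """Constructed sample input, not captured traffic."""
    parts = [b"", b"", *(s.encode("utf-16-le") for s in (domain, user, host)), b""]
    bufs, data = b"", b""
    for p in parts:
        bufs += struct.pack("<HHI", len(p), len(p), 64 + len(data))
        data += p
    msg = SIG + struct.pack("<I", 3) + bufs + struct.pack("<I", 0x1) + data
    return "NTLM " + base64.b64encode(msg).decode()
```

The fields of a Type 3 message are whatever the client put there, so they identify a user only once the challenge response has been validated.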
Soms

Posts: 45
Registered: 05/09/08
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 3:46 AM   in response to: Jes
Hi Jes,

Thank you very much.

I will definitely try this and let you know.

What is OHS?

Som
Jes

Posts: 5,398
Registered: 06/19/04
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 3:54 AM   in response to: Soms
Hello,

OHS = Oracle HTTP Server (essentially an Apache server modified and supplied by Oracle to work with APEX via the mod_plsql handler).

You can ignore the reference as you are using the Embedded PL/SQL gateway...I just left it there for 'completeness'.

Do definitely let us know if this solution works for you too, as if it does then we've just opened the doors to have NTLM working with the EPG.

John.

http://jes.blogs.shellprompt.net
http://apex-evangelists.com
jstraub

Posts: 225
Registered: 01/10/01
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 5:55 AM   in response to: Jes
John:

Nice work! I have updated my blog and linked back to this post.

Thanks,

Jason
Jes

Posts: 5,398
Registered: 06/19/04
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 14, 2008 6:10 AM   in response to: jstraub
Jason,

No problem, this is all to everyone's advantage (including mine!).

John.

http://jes.blogs.shellprompt.net
http://apex-evangelists.com
prasanna_anbu

Posts: 20
Registered: 04/16/08
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 28, 2008 6:06 AM   in response to: jstraub
Hi Jason,
Can you update this information? If so, please tell me the link.
jstraub

Posts: 225
Registered: 01/10/01
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: May 29, 2008 5:38 AM   in response to: prasanna_anbu
Postie

Posts: 65
Registered: 05/13/08
Re: Error ERR-7621 when using NTLM Page Sentry Function
Posted: Sep 10, 2008 2:01 PM   in response to: Jes
John

Your apps using NTLM authentication.. what is the NLS_CHARACTERSET on the database itself?

What is the most common NLS_CHARACTERSET you use when creating Apex databases?

tx
Dean