ORDS, SODA & JSON in the Database

ORDS 24.4 behind a reverse proxy shows RESTful Services links in APEX as http rather than https

RaffyMartin Jan 31 2025 — edited Jan 31 2025

I recently decided to run ORDS in standalone mode to decouple it from WebLogic 12.2.1.4 due to the Java requirements of the newer versions of ORDS. So, I set up a reverse proxy on OHS, which is where the TLS support is set up for a secure connection. Since ORDS is not exposed to the internet directly, it is running in plain http, and due to that the Full URL shown in the RESTful Services section in APEX displays http rather than https.

However, when you go to the About page in APEX you can see the request protocol is https. I am also printing the whole CGI through an API, and X-APEX-BASE and REQUEST_SCHEME both show https. Part of that is due to the fact that I set up RequestHeader set X-Forwarded-Proto "https" as part of the reverse proxy setup in OHS, and APEX is seeing this, while ORDS does not.

Not sure if this is a bug or maybe there's some other setting in ORDS like security.httpsHeaderCheck, which I set up, or maybe some other settings in Jetty not implemented directly in ORDS.

I also set up https for ORDS, and in that case the Full URL displays the proper protocol, https. However, I couldn't get it to work like that with the reverse proxy, which is why I'm running http locally on ORDS.

Best regards,

Ralph Martin.
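
A check for the symptom described in the post above, as an added example that is not part of the original post or of Oracle's code: it walks a JSON response fetched through the proxy and reports every link on the public host whose scheme differs from the public URL. The response shape (items and links entries with rel/href), the host apps.example.com and the paths are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: an ORDS-style collection response ("items" plus
# "links" entries with rel/href); host and paths are placeholders.
SAMPLE_BODY = json.dumps({
    "items": [
        {"id": 1, "links": [
            {"rel": "self", "href": "http://apps.example.com/ords/hr/emp/1"}]},
    ],
    "hasMore": False,
    "links": [
        {"rel": "self", "href": "http://apps.example.com/ords/hr/emp/"},
        {"rel": "describedby",
         "href": "https://apps.example.com/ords/hr/metadata-catalog/emp/"},
    ],
})


def iter_hrefs(node, path="$"):
    """Yield (json_path, href) for every string 'href' value in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "href" and isinstance(value, str):
                yield f"{path}.href", value
            else:
                yield from iter_hrefs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_hrefs(value, f"{path}[{index}]")


def scheme_mismatches(body, public_url):
    """Return links on the public host whose scheme differs from the public URL."""
    public = urlsplit(public_url)
    findings = []
    for json_path, href in iter_hrefs(json.loads(body)):
        link = urlsplit(href)
        # Same host as the proxy front end but a different scheme means the
        # backend built the link without honoring the forwarded protocol.
        if link.hostname == public.hostname and link.scheme != public.scheme:
            findings.append((json_path, href))
    return findings


if __name__ == "__main__":
    for json_path, href in scheme_mismatches(SAMPLE_BODY, "https://apps.example.com/ords/"):
        print(f"{json_path}: {href}")
```

Run against a response body captured through the proxy, an empty result means every generated link already carries the public scheme.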

Comments

thatJeffSmith-Oracle Feb 13 2025

Your ENTRA users will get authenticated via JSON Web Tokens, and their Entra roles will determine which ORDS REST APIs they can hit.

When they hit an endpoint, it'll execute code in the database as the database user that owns the schema where the REST API is defined, not as the Entra-defined end user. In fact, the Entra users won't have accounts in the database (they could, but won't need to).

The :current_user field, as far as ORDS is concerned, would be the corresponding oauth2 client or JWT issued for the authorized session.

Your prehook should be able to alter the session to set the context that would put your RLS/VPD security policy in play.
