Skip to Main Content

ORDS, SODA & JSON in the Database

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

Problem accessing APEX through Apache proxy

joraraJan 27 2025 — edited Jan 27 2025

I don't know if this is the right place to ask, so I hope you'll bear with me if it's not.

I'm trying to get a new server with Oracle Linux 9 and WebLogic 14.1.2 up and running.

The server has the following software installed:

  • Oracle Linux 9.5 (fully updated)
  • WebLogic 14.1.2 patched with WLS PATCH SET UPDATE 14.1.2.0.250102
  • JDK 17.0.14
  • Apache 2.4.62 with WebLogic Server Plugin version 14.1.2.0.0
  • APEX 24.2
  • ORDS 24.4

I want to use Apache as proxy and SSL handler for WebLogic. I can access https://servername.domainname/ords/ without problems, but when I try to access https://servername.domainname/ords/apex I get these messages in the Apache log files:

==> /var/log/httpd/ssl_error_log <==
[Sun Jan 26 10:36:01.449135 2025] [weblogic:error] [pid 8504:tid 8635] [client 192.168.10.235:61067] <850417378841617> ******PROTOCOL ERROR: no CR in final 2 bytes of CTE: avail=23, size=4096 1st=6 last=29 hexdump to follow:, referer: https://servername.domainname/ords/_/landing
[Sun Jan 26 10:36:01.449224 2025] [weblogic:error] [pid 8504:tid 8635] [client 192.168.10.235:61067] <850417378841617> *******Exception type [PROTOCOL_ERROR] (no CR in final 2 bytes of CTE) raised at line 1139 of URL.cpp, referer: https://servername.domainname/ords/_/landing
[Sun Jan 26 10:36:01.449265 2025] [weblogic:error] [pid 8504:tid 8635] [client 192.168.10.235:61067] ap_proxy: trying GET /ords/apex at backend host 192.168.10.213/8001, client 192.168.10.235/61067, total tries 1; got exception 'PROTOCOL_ERROR [line 1139 of URL.cpp]: no CR in final 2 bytes of CTE'; state: reading response body from WLS; not failing over, referer: https://servername.domainname/ords/_/landing
[Sun Jan 26 10:36:01.449309 2025] [weblogic:error] [pid 8504:tid 8635] [client 192.168.10.235:61067] <850417378841617> request [/ords/apex] did NOT process successfully.................., referer: https://servername.domainname/ords/_/landing
==> /var/log/httpd/ssl_access_log <==
192.168.10.235 - - [26/Jan/2025:10:36:01 +0100] "GET /ords/apex HTTP/1.1" 500 181
==> /var/log/httpd/ssl_request_log <==
[26/Jan/2025:10:36:01 +0100] 192.168.10.235 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ords/apex HTTP/1.1" 181
==> /var/log/httpd/error_log <==
[Sun Jan 26 10:36:01.452757 2025] [weblogic:debug] [pid 8504:tid 8637] ap_proxy.cpp(1002): BEFORE acquire_lock
[Sun Jan 26 10:36:01.452913 2025] [weblogic:debug] [pid 8504:tid 8637] ap_proxy.cpp(1012): AFTER acquire_lock
[Sun Jan 26 10:36:01.452924 2025] [weblogic:debug] [pid 8504:tid 8637] ap_proxy.cpp(1015): List size is 1
[Sun Jan 26 10:36:01.452928 2025] [weblogic:debug] [pid 8504:tid 8637] ap_proxy.cpp(1022): Cleaning up the list node 'servername.domainname:8001'list Length '1''

I have set "WebLogic Plug-In Enabled" to On in WebLogic for both managed servers.

In my ssl.conf I have this configuration:

<VirtualHost _default_:443>
 DocumentRoot "/var/www/html"
 ServerName servername.domainname:443
 RequestHeader set WL-Proxy-SSL true
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyTimeout 900
 KeepAliveTimeout 900
 Timeout 900
 <Location /console>
   WLSRequest On
   WebLogicHost servername.domainname
   WebLogicPort 7001
   Order deny,allow
   Deny from all
   Allow from 10.0.0.0/8
 </Location>
 <Location /ords>
   WLSRequest On
   WebLogicHost servername.domainname
   WebLogicPort 8001
 </Location>
 <Location /i>
   WLSRequest On
   WebLogicHost servername.domainname
   WebLogicPort 8001
 </Location>
</VirtualHost>
(and of course some ssl settings)

If I bypass Apache and go directly to http://servername.domainname:8001/ords/apex everything is also working fine.

What am I doing wrong?

Comments

thatJeffSmith-Oracle Feb 13 2025

Your ENTRA users will get authenticated via JSON Web Tokens, and their Entra roles will determine which ORDS REST APIs they can hit.

When they hit an endpoint, it'll execute code in the database as the database user that owns the schema where the REST API is defined, not as Entra defiend end user. In fact, the Entra users won't have accounts in the database (they could, but wont' need to).

The :current_user field as far as ords is concerned would be the corresponding oauth2 client or JWT issued for the authorizied session.

Your prehook should be able to alter the session to set the context that would put your RLS/VPD security policy in play.

1 - 1

Post Details

Added on Jan 27 2025
6 comments
255 views