
ORDS, SODA & JSON in the Database

Tomcat running ORDS - Warning about locked user when receiving REST calls

Hi,
We have an internet facing APEX application that communicates to our corporate database via ORDS / REST.
In the tomcat logs for our corporate ORDS we are getting heaps of the following (every second or two) - something like 10000 a day:
20-Jul-2022 14:35:05.489 WARNING [https-openssl-apr-8443-exec-401] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [#clientIdString#]

I have removed our client ID string above (replaced with #clientIdString# so I am not sharing this with the world). We use that Client ID plus Client Secret from ORDS to get a token before making our REST calls. I don't think this warning normally indicates any issues; our APEX application is working fine most of the time.

We had a 5 minute outage (ORDS returning 503 errors) about a week ago where there was no communication going between our application server and our database - which is why I am investigating this. Apparently the default timeout when Tomcat thinks it needs to lock down is 5 minutes - so I am wondering if it reached a threshold (max number of attempts to authenticate using a locked user per minute) and stopped any REST calls for 5 minutes.
This was the ORDS error during that outage:
ServiceUnavailableException [statusCode=503, logLevel=SEVERE, reasons=[ORDS was unable to make a connection to the database. This can occur if the database is unavailable, the maximum number of sessions has been reached or the pool is not correctly configured. The connection pool named: |default|lo| had the following error(s): Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: Universal Connection Pool internal error: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource: java.sql.SQLRecoverableException: IO Error: Connection closed

So my question is how best to prevent this warning.
Could we maybe let Tomcat know the ORDS Client ID and Secret, so it doesn't think we are trying to brute force hack our way into it?
Or is there some other configuration we should have in place to stop this warning from being thrown?
I thought about removing the LockOutRealm from our configuration, but that doesn't seem sensible unless ORDS already has its own methods for preventing brute force?

Regards,
Ben
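
The warning quoted in the post is emitted by Tomcat's LockOutRealm, which wraps whatever realm sits beneath it in server.xml and tracks failed authentications per user name (its defaults are failureCount="5" and lockOutTime="300" seconds). The following is an added example and is not code from the original post, from ORDS or from Tomcat: it models that realm's behaviour in Python so the failure mode described above (a steady trickle of warnings for one client id, then a valid credential refused) can be reproduced offline, and it scans a constructed catalina.out excerpt for the warning so the per-minute rate can be lined up against an outage window. The client id "demo-client" stands in for the real #clientIdString#; the log lines are constructed.

```python
"""Model Tomcat's LockOutRealm and scan a Tomcat log for its lock-out warning.

Added example for this thread, not code from the original post, ORDS or Tomcat.
Realm semantics follow Tomcat's LockOutRealm and its defaults (failureCount=5,
lockOutTime=300 s). The log lines are constructed; "demo-client" stands in for
the real #clientIdString#.
"""
import re
from collections import Counter
from datetime import datetime

FAILURE_COUNT = 5    # Tomcat default: failures before a user name is locked
LOCK_OUT_TIME = 300  # Tomcat default: seconds a name stays locked after its last failure

WARN_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) WARNING "
    r"\[(?P<thread>[^\]]+)\] org\.apache\.catalina\.realm\.LockOutRealm"
    r"\.filterLockedAccounts An attempt was made to authenticate the locked "
    r"user \[(?P<user>[^\]]*)\]$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


class LockOutRealm:
    """Per-user-name failure tracking the way Tomcat's LockOutRealm does it.

    A name is locked once it has >= failure_count failures and the last failure is
    less than lock_out_time seconds old. A valid credential presented while locked is
    still rejected (that is when Tomcat logs the warning), every further failure
    refreshes the lock, and counts below the threshold never age out: only an
    expired lock is reset, and only by the next failure.
    """

    def __init__(self, failure_count=FAILURE_COUNT, lock_out_time=LOCK_OUT_TIME):
        self.failure_count = failure_count
        self.lock_out_time = lock_out_time
        self._records = {}  # user -> [failures, last_failure_time in seconds]

    def is_locked(self, user, now):
        rec = self._records.get(user)
        return (rec is not None and rec[0] >= self.failure_count
                and now - rec[1] < self.lock_out_time)

    def authenticate(self, user, credential_ok, now):
        """Return True only if the credential is valid AND the name is not locked."""
        if not credential_ok:                  # register the failure first, as Tomcat does
            rec = self._records.get(user)
            if rec is None:
                rec = self._records[user] = [0, now]
            elif rec[0] >= self.failure_count and not self.is_locked(user, now):
                rec[0] = 0                     # previous lock has expired: start over
            rec[0] += 1
            rec[1] = now
        if self.is_locked(user, now):
            return False                       # "...authenticate the locked user [...]"
        return credential_ok


def parse_lockout_warnings(lines):
    """Return [(datetime, user)] for every LockOutRealm warning among the lines."""
    events = []
    for line in lines:
        m = WARN_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["user"]))
    return events


def warnings_per_minute(events):
    """Count warnings per (user, 'YYYY-MM-DD HH:MM') so bursts stand out from the trickle."""
    return Counter((user, ts.strftime("%Y-%m-%d %H:%M")) for ts, user in events)


# Constructed catalina.out excerpt: two warnings in one minute, an unrelated INFO line, one more.
SAMPLE_LOG = """\
20-Jul-2022 14:35:05.489 WARNING [https-openssl-apr-8443-exec-401] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [demo-client]
20-Jul-2022 14:35:06.912 WARNING [https-openssl-apr-8443-exec-402] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [demo-client]
20-Jul-2022 14:35:07.101 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1234] milliseconds
20-Jul-2022 14:36:11.250 WARNING [https-openssl-apr-8443-exec-403] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [demo-client]
"""


def demo_client_secret_lockout():
    """Five wrong secrets lock the client id; a correct secret is then refused; one
    failure every 2 s keeps it locked for as long as that continues; only
    lock_out_time seconds of silence clears it. Returns (refused, still_locked, recovers)."""
    realm = LockOutRealm()
    for i in range(FAILURE_COUNT):             # wrong secret at t = 0..4 s
        realm.authenticate("demo-client", False, i)
    refused = not realm.authenticate("demo-client", True, 10)
    t = 20
    for _ in range(300):                       # a failure every 2 s for 10 minutes
        realm.authenticate("demo-client", False, t)
        t += 2
    still_locked = not realm.authenticate("demo-client", True, t)
    recovers = realm.authenticate("demo-client", True, t + LOCK_OUT_TIME + 1)
    return refused, still_locked, recovers


if __name__ == "__main__":
    counts = warnings_per_minute(parse_lockout_warnings(SAMPLE_LOG.splitlines()))
    for (user, minute), n in sorted(counts.items()):
        print(f"{minute} {user}: {n} lock-out warning(s)")
    print("refused, still_locked, recovers =", demo_client_secret_lockout())
```

Two things the model makes concrete. First, a continuous stream of warnings for a single client id means that name is locked at the container level for as long as the failures keep arriving, and a valid client secret presented during that time is refused as well; after five failures the name only recovers once lockOutTime passes with no further failures, and failures below the threshold are remembered indefinitely, so whitelisting the client id is not something LockOutRealm offers. Second, a LockOutRealm rejection surfaces as an authentication failure, whereas the 503 quoted in the post is a UCP "Connection closed" error from the database pool; counting the warnings per minute around the outage window, as the scanner above does, is the quickest way to see whether the two actually coincide before touching the realm configuration.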

Comments

thatJeffSmith-Oracle Feb 13 2025

Your ENTRA users will get authenticated via JSON Web Tokens, and their Entra roles will determine which ORDS REST APIs they can hit.

When they hit an endpoint, it'll execute code in the database as the database user that owns the schema where the REST API is defined, not as the Entra-defined end user. In fact, the Entra users won't have accounts in the database (they could, but won't need to).

The :current_user field, as far as ORDS is concerned, would be the corresponding OAuth2 client or JWT issued for the authorized session.

Your prehook should be able to alter the session to set the context that would put your RLS/VPD security policy in play.


Post Details

Added on Jul 20 2022
4 comments
1,638 views