Skip to Main Content

ORDS, SODA & JSON in the Database

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

Use of ORDS Plugin API to implement a filter

sam.pipeJun 27 2022

Hi All,
We have a simple requirement to slightly manipulate the inbound HTTP POST parameters that come into a ORDS standalone instance. The reason is that we have had to migrate from mod_plsql over to ORDS and found a specific scenario in our ageing application where a form post doesn't match the POST params the same way to the PLSQL function inputs... We are trying to avoid redeveloping the thousands of forms that use this type of post.
We identified that Oracle provide the ability to create and load a plugin in which we have successfully been able to add a java filter to intercept the request.
i.e. https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/21.1/ordjv/doc-files/developer-guide.html
BUT.. (I wouldn't be here if there wasn't a but... )... even though we are modifying the inbound POST variables they do not seem to be being passed through to the PLSQL modified.
I am wondering if anyone has ever done this before?? Oracle support say "the custom plugin and filter related issues are best addressed in community. If it is documented mean it should work".... so here I am.. I have SR 3-29801050661 raised.
=========================
Here are some more details:
In https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/21.1/ordjv/doc-files/developer-guide.html
the guide states under Extension points "Plugins can plug in additional logic at the following extension points: Manipulating HTTP requests and responses by implementing the servlet Filter interface."
I implemented a filter to alter the HttpServletRrequest to resolve the issue using the @Provides(Filter.class) and @Priority(ring = FilterOrder.STREAMING, value = 50) annotations.
The filter jar was built and installed with the "plugin" command and logging confirmed the filter was called and altered the request as expected.
Note: I tried altering the request in 3 different ways (HttpServletRequestWrapper, Proxy and introspection editing of immutable private request data), but none of the variants worked.
Eventually I debugged- to view the request entering ModApex.handleRequest() and despite my filter being executed and the order of calls being as expected the request passed to ModApex was a completely different (and unchanged) instance from that passed to and returned from the filter.
So the question: is there something else I need to configure so the pl/sql gateway gets the filtered request, or is there another supported way of doing this, or can they fix this behaviour.
1. why does the request object instance passed to the filter (and passed along by the filter) get seen by all other filters, but NOT by the ModApex pl/sql gateway which seems to get a completely separate instance without the changes?
2. is there some special config we are missing that would allow it to work?

Comments

thatJeffSmith-Oracle Feb 13 2025

Your ENTRA users will get authenticated via JSON Web Tokens, and their Entra roles will determine which ORDS REST APIs they can hit.

When they hit an endpoint, it'll execute code in the database as the database user that owns the schema where the REST API is defined, not as Entra defiend end user. In fact, the Entra users won't have accounts in the database (they could, but wont' need to).

The :current_user field as far as ords is concerned would be the corresponding oauth2 client or JWT issued for the authorizied session.

Your prehook should be able to alter the session to set the context that would put your RLS/VPD security policy in play.

1 - 1

Post Details

Added on Jun 27 2022
13 comments
559 views