Hi all,
I am one of the many people I've seen on the forums attempting to migrate an old mod_plsql application over to ORDS. The additions of jdbc.auth.enabled and security.requestValidationFunction in recent versions have been huge, as I've managed to get the old application working almost 100% using either standard HTTP Basic authentication or OWA custom authentication (using owa_sec routines for username/password prompting).
However, the one issue I'm running into is being able to logout of the application. With mod_plsql, you would set the WDB_GATEWAY_LOGOUT cookie to "YES", and then when mod_plsql saw that, it would unset the cookie and append the timestamp to the realm (DAD) name, effectively requiring you to login again.
I can't get this to work with ORDS - it seems to ignore the cookie altogether.
a) When using ORDS HTTP Basic by setting jdbc.auth.enabled to true, the cookie gets set, but ORDS doesn't care - the next time I try to login, it uses the same realm name and the same cached login credentials, so it lets me back in as the user I logged out as.
b) When using ORDS Custom authentication by setting security.requestValidationFunction to my OWA_CUSTOM.authorize function, I have similar issues. With mod_plsql, my authorize function would check for that WDB_GATEWAY_LOGOUT cookie, clear the username/password using OWA functions if it was set, and then call owa_sec.set_protection_realm to prompt for username and password again. mod_plsql would take care of unsetting the cookie and appending the timestamp to the realm, so it would work just like HTTP basic authentication. But since ORDS ignores the cookie and doesn't unset it, I just keep getting prompted for username/password (since my authorize function keeps unsetting them due to the presence of the cookie) until eventually I hit a 401.
I'm currently using a javascript hack where I submit an ajax request in the background with purposely bad login credentials to effectively force me to get prompted again upon login, but it's not very clean. There's a delay while the authorization failures are happening, and users will definitely notice.
Are there any plans to add support for the WDB_GATEWAY_LOGOUT cookie to future versions of ORDS? Or does anyone have an idea of how I can hack it together myself? Eventually we're going to completely re-design the authentication mechanism for this application, but since Oracle has already done so much to help us mod_plsql migrators, I'm hoping maybe they can do one more little thing and add this in. :-)
Thanks to anyone who has any ideas!
BJ