Comments on Application Express Nuggets: NTLM HTTP Authentication and Application Express
Jason Straub
Updated: 2023-06-25T04:23:18.275-04:00

2015-08-12T15:43:30.814-04:00
Hi Sam,

Unfortunately, I do not even have an environment anymore where I test this. It should be considered only as a proof of concept that may no longer work with newer APEX versions, browsers, and Windows OS. To do "real" Windows authentication one of the methods described in the following papers/posts should be followed:

http://de.slideshare.net/nielsdb/mt-ag-howtosingle-signonforapexapplicationsusingkerberos-46435415

https://community.oracle.com/thread/3637062

Regards,

Jason

Posted by Jason Straub

2015-08-06T15:16:59.312-04:00
Hi,
I'm on Apex 4.2.2 and Internet Explorer 9 on the client PC. After I've created the page sentry function and new authentication scheme as advised, when I login from the client PC, I see "nobody" in place of logged in user on the top right corner. Is there anything I need to change?
I've tried with and without the two modifications Mark suggested, but getting the same results. Any help is greatly appreciated.

Thanks,
Sam

Posted by Anonymous

2014-09-30T08:09:43.312-04:00
Hi Jason,
it is very strange that nobody else has reported this problem. Maybe because the default setting for IE9 is "compatibility mode"="enabled" for the local intranet and most users are using APEX in their local network.

With some external support we found a solution for us. In the last ELSE-section we had to add two lines.
Right after the ELSE-line we set the mime_header to
OWA_UTIL.mime_header('text/html', false, 'utf-8');
and before the line
meta http-equiv="Refresh" content="0; URL="
we activate the compatibility-mode:
meta http-equiv="X-UA-Compatible" content="IE=8"

I am not able to post the whole code because this is not possible in this blog.

Kind regards,
Mark

Posted by Mark

2014-09-29T11:03:42.329-04:00
Hi Mark,

I have not personally used or tested this function since about IE8. I don't know of any workaround needing to have IE9 compatibility mode set to enabled.

Regards,

Jason

Posted by Jason Straub

2014-09-29T03:01:39.692-04:00
Hello,
the NTLM_PAGE_SENTRY-function *is not working* if the compatibility-mode for the IE9 is disabled. By default the compatibility-mode is enabled for the local intranet.

Can you confirm that this is a problem in the NTLM_PAGE_SENTRY-function?

Kind regards,
Mark

Posted by Mark

2014-02-05T12:37:01.431-05:00
Hi Phil,

It should work as long as Glassfish will pass through the HTTP Header named Authorization. In Oracle HTTP Server, you modify the dads.conf file to ensure that header is passed. I am not sure there is a way to do the same for Glassfish.

Regards,

Jason

Posted by Jason Straub

2014-02-03T06:53:53.574-05:00

I have a fresh version of Apex (v4.2) running using glassfish on linux. Ideally I would like to be able to grab the user's "user id" from their browser session which is set using IWA/NTLM when they first log in to their machines. Whilst the solution posted here appears to work for the majority of users, it does not lend itself to explaining how one can set this up if traditional webservices are not underpinning apex anymore.
In my simple glassfish/apex environment, using a PLSQL REGION to dump CGI envs does not appear to bear any fruit about NTLM browser settings.

declare
begin
owa_util.print_cgi_env;
end;

Can this post be updated to guide people through this when using GF implementations?

Posted by Anonymous

2013-11-15T07:03:32.038-05:00
Hi Jason and hi all!

I've been using this fine script for a long time and on over 350 computers and until today.

Did anyone find a way to work around the 14th byte issue?
I know managing the 14th byte isn't secure but it would be a workaround for the time being?

Ty for good function!

Posted by Vemp

2012-03-15T05:43:37.940-04:00
Hi Jason,
the workaround by setting the Cookie-Name is also working for me in APEX 4.1.1.

Are you working on a fix for this problem so we can use the ntlm_page_sentry function without a workaround?

Still I can't believe that there is no function from Oracle to use the windows-user in the APEX-application. Thank you for the good work with the ntlm_page_sentry function!

Kind Regards,
Mark

Posted by Mark

2012-02-24T09:44:23.044-05:00
Christian:

As you have probably already seen, Christian posted a possible work-around. I verified the fix myself, and it worked for me. I used F105 as my cookie name.

https://forums.oracle.com/forums/thread.jspa?threadID=2350625

Regards,

Jason

Posted by Jason Straub

2012-02-23T02:48:23.427-05:00
Hello!

First, thank you for the post, it was really helpful.

Has anyone tested the authentication with apex 4.1.1? After upgrading our test system from 4.1 to 4.1.1 the function "apex_custom_auth.get_session_id_from_cookie" (used in ntlm_page_sentry) returns null for the session and so authentication is not possible. I also tried "apex_custom_auth.get_session_id_from_cookie", but this doesn't change the behaviour.

Best regards,
christian

Posted by Christian Ropposch

2012-01-24T09:01:06.800-05:00
Didier:

Thanks for posting the workaround.

Regards,

Jason

Posted by Jason Straub

2012-01-24T04:12:25.881-05:00

I used your ntlm code and it works fine in IE but I had a small bug in Google Chrome: at first attempt, I get a 401 error. And I found the solution here: https://kr.forums.oracle.com/forums/thread.jspa?threadID=1121679 (apparently this occurs also in FF).

The solution is to replace

    -- See http://www.nabble.com/Empty-POST-requests-on-IE-td15332680.html
    -- We have to trick IE that he thinks the authentication fails, otherwise
    -- he doesn't send any data when issueing a POST because he wants to
    -- do the NTLM stuff again
    owa_util.status_line
    ( nstatus => 401,
      creason => 'Unauthorized',
      bclose_header => FALSE
    );

by this:

    IF WWV_Flow.get_browser_version != 'NSCP'
    THEN
      -- See http://www.nabble.com/Empty-POST-requests-on-IE-td15332680.html
      -- We have to trick IE that he thinks the authentication fails, otherwise
      -- he doesn't send any data when issueing a POST because he wants to
      -- do the NTLM stuff again
      owa_util.status_line
      ( nstatus => 401,
        creason => 'Unauthorized',
        bclose_header => FALSE
      );
    END IF;

Posted by Didier B

2011-10-18T13:51:16.289-04:00
Hello Jason,
I've chosen an architecture using APEX 4.1 with Oracle GlassFish and APEX-Listener. Now I want to use NTLM for authentication but I got stuck with the first point: the DAD. I cannot find such a configuration file in APEX-Listener or GlassFish.
APEX is working via APEX Listener under GlassFish; the Embedded PL/SQL Gateway is not installed.
Can you give me advice on how to move on with GlassFish? Do I have to install other components like EPG?
Best regards, joerg.

Posted by Jeorg

2011-09-21T05:37:39.319-04:00
Hi Jason

Have you tested NTLM on IE9?

Posted by Jon Trøstheim

2011-07-18T10:42:35.485-04:00
Hi Jason,

thanks a lot for your blog post.

I want now to implement NTLM Authentication via MOD_PLSQL.

What I did:
1. Added PlsqlCGIEnvironmentList AUTHORIZATION in the DADS File.
2. Restarted the Oracle HTTP-Server (Oracle Fusion Middleware Web Tier Utilities 11.1.1).
3. Added as first Statement vAuthorization := owa_util.get_cgi_env('AUTHORIZATION'); in the modNtlmPageSentry function.
4. Log the content of vAuthorization in my log table in the database.

What I can see is that the variable vAuthorization is always NULL with IE and Firefox browser.

Do you have an idea what's wrong?
Thanks in advance

Best regards
Martin
greenIT Est.

Posted by Martin Köb

2011-05-02T15:29:27.388-04:00
Andreas:

Yes, I have confirmed in my environment that when I do an owa_util.print_cgi_env on the page, it does appear empty.

I believe I used ProxyTrace, http://www.pocketsoap.com/tcptrace/pt.aspx, to view the traffic between the browser and Application Express instance.

Regards,

Jason

Posted by Jason Straub

2011-05-02T11:19:45.421-04:00
Hi Jason,

Thanks a lot for your reply. It makes sense after reading the blog and papers again.
My Problem does persist, but in a different form.

I note: "this solution does not pass along credentials to a domain controller for authentication. This solution requests that the browser present an NTLM authentication token and decodes the username and domain from that token".

Printing all cgi variables I can see the AUTHORIZATION, but it is always empty - is that expected?

The variable is empty regardless of browser. IE does state "local intranet". Any way to verify that the browser represents an NTLM token?

Thanks again
/Andreas...

Posted by Andreas

2011-04-29T11:10:33.321-04:00

Tony, the OS of the HTTP Server or database server does not matter. The OS of the client and the browser version does matter. Check the comments listed here where people have posted their experiences with Windows 7, IE > 7 and various Windows updates.

Regards,

Jason

Posted by Jason Straub

2011-04-29T11:08:21.491-04:00
Andreas:

This solution *will not* work in combination with mod_ntlm as described in the whitepaper from greenIT. It was meant as a simple token decoding "trick" in PL/SQL. With releases of new browser versions, and operating systems, this "trick" is becoming less reliable. It does not actually do any negotiation with the domain controller so it should not be considered a secure solution.

Regards,

Jason

Posted by Jason Straub

2011-04-27T09:15:24.844-04:00

Does it matter what OS your database or http server is running on? For instance, if you are running the http server and database on linux, does this affect your ability to have SSO from a windows box?

Posted by Tony

2011-04-27T08:45:07.728-04:00
Hi Jason,

I am having difficulties getting this to work with Firefox.
I can see posts from "Tara and Bernhard" who are experiencing exactly the same problem "Method Not Implemented" and "mod_plsql: request method not supported".
My platform is APEX 4.0.2.00.07 on Oracle 10gR2 (AIX) and Oracle HTTP Server 10.1.2 on Windows 2003. The NTLM module (mod_ntlm-1.3) is installed as described in "OracleApplicationExpressProofOfConceptNTLM.doc" from greenIT.
As I understand, the solution is known to be working with IE and Firefox?

Any suggestions?
Could this be related to APEX 4 and Apache 1.3?

Help appreciated
/Andreas...

Posted by Andreas

2011-02-14T16:56:53.092-05:00
Hi Jason,

Testing from Win7 using IE8 or Firefox 3.6 is blowing up the authentication with "ORA-06502: PL/SQL: numeric or value error: character string buffer too small". After debugging, the size of l_auth on line 09 is the issue. While it's fine for XP, our Win7 is returning a 661-byte string. I boosted the length of l_auth to 1024 and all's right again with the world.

Thought you might like to know. I looked through the other replies here and am a little curious that no one else has come across this (yet?).

Thanks!

Rich

Posted by Rich J

2010-12-07T04:37:39.714-05:00
Hi gfraq,

if you have installed 4.0.2, don't forget to apply the patch for bug# 10347091. See our known issues list (http://www.oracle.com/technetwork/developer-tools/apex/downloads/apex402knownissues-189793.html) for details.

Regards
Patrick

Posted by Patrick Wolf

2010-12-06T11:26:23.605-05:00
gfraq:

I just tested it with a 4.0.2 instance from a Windows 7 client running IE8 and it worked perfectly.

Regards,

Jason

Posted by Jason Straub