![Avatar of Alex [***Alex140181***]](https://filedb.experts-exchange.com/files/public/2022/11/13/8257e912-ee3c-4a93-9df0-fe9a8a1515cf.jpeg)
asked on How to restrict access of 2 different APEX applications within the same workspace running ORDS on Tomcat
Dear fellow experts ;-)
Maybe one of you already had this constellation or maybe one of you knows someone who knows someone.... ?!
Set up:
Everything on Windows Server (this one resides within the DMZ, so half in/on the Internet)
Oracle DB SE2 18
APEX 19.2 in PDB
ORDS 18 on Tomcat 8
We have an APEX app already running on this server, accessible from outside at https://<our_external_address>:444
This is where our firewall also comes into play, which only allows a whitelist of IPs to access this URL.
Now there should be a second site for another new project: https://<starting_point_for_new_ap
This should then forward to the corresponding APEX app and page ... (yes, I know, using a reverse proxy would be "nicer" & better, but not possible without a "real" web server in front of the Tomcat; planned for future migration of whole DMZ server)
That would be this: https://<our_external_address>:444
So now to the real problems:
The firewall should now continue for the first URL (let through only whitelisted IPs), but
on the other hand let the 2nd URL through without any restrictions.
The firewall now has problems distinguishing the two URLs merely based on the parameters (i.e. APP-ID). A custom app within the FW that analyzes the parameters for further filtering could be set up, but this is at the expense of performance. This is surely bad practice, we want to avoid this in any case.
My idea was:
I simply clone the ords.war/apex.war, rename it to e.g. newapp.war and deploy it on the Tomcat. So I would have a different URL.
So far so good, BUT I can still access the 1st app from the 2nd (new) URL by changing the parameters: https://<our_external_address>:444
Thus, firewall policies would get overridden somehow, because a blocked IP would be able to access the 1st app through the 2nd URL!
Is there a way to prevent this or to configure the apps and/or workspace(s) that you can no longer access the other apps from the 2nd URL (2nd war file)?
Maybe one of you already had this constellation or maybe one of you knows someone who knows someone.... ?!
Set up:
Everything on Windows Server (this one resides within the DMZ, so half in/on the Internet)
Oracle DB SE2 18
APEX 19.2 in PDB
ORDS 18 on Tomcat 8
We have an APEX app already running on this server, accessible from outside at https://<our_external_address>:444
This is where our firewall also comes into play, which only allows a whitelist of IPs to access this URL.
Now there should be a second site for another new project: https://<starting_point_for_new_ap
This should then forward to the corresponding APEX app and page ... (yes, I know, using a reverse proxy would be "nicer" & better, but not possible without a "real" web server in front of the Tomcat; planned for future migration of whole DMZ server)
That would be this: https://<our_external_address>:444
So now to the real problems:
The firewall should now continue for the first URL (let through only whitelisted IPs), but
on the other hand let the 2nd URL through without any restrictions.
The firewall now has problems distinguishing the two URLs merely based on the parameters (i.e. APP-ID). A custom app within the FW that analyzes the parameters for further filtering could be set up, but this is at the expense of performance. This is surely bad practice, we want to avoid this in any case.
My idea was:
I simply clone the ords.war/apex.war, rename it to e.g. newapp.war and deploy it on the Tomcat. So I would have a different URL.
So far so good, BUT I can still access the 1st app from the 2nd (new) URL by changing the parameters: https://<our_external_address>:444
Thus, firewall policies would get overridden somehow, because a blocked IP would be able to access the 1st app through the 2nd URL!
Is there a way to prevent this or to configure the apps and/or workspace(s) that you can no longer access the other apps from the 2nd URL (2nd war file)?
* Oracle18cOracle Database* Tomcat* Apex
Last Comment
Alex [***Alex140181***]
ASKER
We would truly love to have that Tomcat container "web-fronted" by nginx or Apache http(d) or even MS IIS. Then, we could finally setup this whole stuff using reverse proxy etc... But sadly, it's a productive, live system (DMZ -> internet -> external impact) which we cannot modify like this :-(
Considering OWA_UTIL and its available variables, I've already dug there... Sure, it's possible to setup some kind of filtering using OWA or even some built-in APEX features, but we do NOT want to do this. We're running a firewall within our network structure for this, so there is no need to clone its behavior ;-)
Considering OWA_UTIL and its available variables, I've already dug there... Sure, it's possible to setup some kind of filtering using OWA or even some built-in APEX features, but we do NOT want to do this. We're running a firewall within our network structure for this, so there is no need to clone its behavior ;-)
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Where should I put the sentry function? I think of switching the authorization schema to a custom one where I can make use of this sentry function. Though it's the same database it should work. I'll just clone the existing service and install the 2nd war file based upon the new service.
I'll give this a shot in our development environment.
I'll give this a shot in our development environment.
ASKER
Ok, Sean, this seems to be a nice workaround until we manage to exchange our servers and do some makeover ;-)
Another workmate suggested using the brand new APEX 20 with the new feature "Friendly URL"... This would also solve the problem, but unfortunately we cannot "just" upgrade this crucial server :-(
A pity that the sentry function is not capable of showing some kind of warning or error before returning false and thus calling either the login page, the built-in login page or some other URL.
I'd really like to raise a hard error from within that function. What about apex_application.stop_apex_engine? Would this do the job?!
Another workmate suggested using the brand new APEX 20 with the new feature "Friendly URL"... This would also solve the problem, but unfortunately we cannot "just" upgrade this crucial server :-(
A pity that the sentry function is not capable of showing some kind of warning or error before returning false and thus calling either the login page, the built-in login page or some other URL.
I'd really like to raise a hard error from within that function. What about apex_application.stop_apex_engine? Would this do the job?!
I've not tried this specifically, but you should be able to set up an error page that your failed session would redirect to and that could then provide a link to proper login page with correct url if desired.
ASKER
Thanks Sean, great job (as always) :-))
MarkusId: nice input though ;-)
MarkusId: nice input though ;-)
Some possible variants would be to set up an nginx-server in front of the Tomcat which does the filtering (but still - if a rule in the firewall is a performance-issue it might be a performance issue here is well), or to use the owa_util in a pre-page-process in the restricted app and filter here based on the remote address (OWA_UTIL.get_cgi_env(VARIABLE_NAME)). See the possible variable-names here: https://technologydribble.info/2011/02/11/getting-session-environment-parameters-in-oracle/
Best wishes
Markus