troubleshooting Question

How to restrict access of 2 different APEX applications within the same workspace running ORDS on Tomcat

Avatar of Alex [***Alex140181***]
Alex [***Alex140181***]Flag for Germany asked on
Oracle Database* Apex* Tomcat* Oracle18c
7 Comments1 Solution46 ViewsLast Modified:
Dear fellow experts ;-)

Maybe one of you already had this constellation or maybe one of you knows someone who knows someone.... ?!

Set up:

Everything on Windows Server (this one resides within the DMZ, so half in/on the Internet)

Oracle DB SE2 18
APEX 19.2 in PDB
ORDS 18 on Tomcat 8

We have an APEX app already running on this server, accessible from outside at https://<our_external_address>:4443/apex/f?P=1400
This is where our firewall also comes into play, which only allows a whitelist of IPs to access this URL.

Now there should be a second site for another new project: https://<starting_point_for_new_app>/
This should then forward to the corresponding APEX app and page ... (yes, I know, using a reverse proxy would be "nicer" & better, but not possible without a "real" web server in front of the Tomcat; planned for future migration of whole DMZ server)
That would be this: https://<our_external_address>:4443/apex/f?p=11101:30100


So now to the real problems:
The firewall should now continue for the first URL (let through only whitelisted IPs), but
on the other hand let the 2nd URL through without any restrictions.
The firewall now has problems distinguishing the two URLs merely based on the parameters (i.e. APP-ID). A custom app within the FW that analyzes the parameters for further filtering could be set up, but this is at the expense of performance. This is surely bad practice, we want to avoid this in any case.

My idea was:  
I simply clone the ords.war/apex.war, rename it to e.g. newapp.war and deploy it on the Tomcat. So I would have a different URL.
So far so good, BUT I can still access the 1st app from the 2nd (new) URL by changing the parameters: https://<our_external_address>:4443/newapp/f?p=1400...
Thus, firewall policies would get overridden somehow, because a blocked IP would be able to access the 1st app through the 2nd URL!

Is there a way to prevent this or to configure the apps and/or workspace(s) that you can no longer access the other apps from the 2nd URL (2nd war file)?
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 7 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 7 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros