Date: October 2018
Log Oracle REST Data Services bugs and issues using My Oracle Support.
Supported WebLogic Version
Oracle REST Data Services is compatible with Oracle WebLogic 126.96.36.199 and later. It is not compatible with older versions of Oracle WebLogic.
Improvements to PL/SQL Gateway to aid transition from mod_plsql
In ORDS 18.2.0 support was introduced for authenticating database users via HTTP Basic authentication (see below). In ORDS 18.3.0 the following changes have been made aimed at faciliating customers migrating from Oracle mod_plsql:
With mod_plsql customers enabled custom authentication by implementing a stored function named:
OWA_CUSTOM.AUTHORIZE. Oracle REST Data Services provides equivalent functionality via the
security.requestAuthenticationFunction stored function. This setting names a stored function that takes zero arguments and returns a
boolean indicating if authentication was succesful or not. The function should use the Oracle Web Agent (OWA) PL/SQL APIs to examine any or all of the following package level variables:
owa.hostname and/or the OWA APIs to examine the request's headers and parameters.
Note that this facility is provided to assist customers migrating from existing mod_plsql installations. Its use is not recommended outside of these scenarios, as it uses HTTP Basic authentication only.
One difference in behaviour between Oracle REST Data Services and mod_plsql is that out of the box ORDS caches the result of validating a procedure name. The intent is that the set of whitelisted procedure names is fixed, and thus validation outcomes can be cached. However mod_plsql does not behave this way, the request validation function is invoked on every request. In addition the request validation function is executed after the OWA (Oracle Web Agent) environment has been initialized for the request, so the validation function can examine the headers and parameters of the request, and thus can make decisions about whether to authorize the request based on the contents of the request in addition to the name of the procedure being invoked.
Some mod_plsql customers have come to rely on this behaviour to perform application specific validation, user authentication and authorization, thus to facilitate those customers, ORDS 18.3.0 provides the capability to replicate this behaviour of mod_plsql. This done by setting the configuration property named:
security.maxEntries to zero. This can be done in
defaults.xml (if it should apply across all pools) or in a specific pools configuration file. Setting this value to zero disables caching of procedure validations, leading to behaviour equivalent to mod_plsql.
To facilitate customers migrating from Oracle mod_plsql to Oracle REST Data Services, this release introduces support for authentication of database users using HTTP Basic Authentication. This functionality is equivalent to the Basic authentication mode in mod_plsql where the database user name and password are omitted from the mod_plsql DAD.
For performance and security reasons we strongly advise customers not to use database authentication in general. The only way to validate a database password is by creating a connection to the database, which is very expensive. Database passwords are often weak and poorly chosen on the assumption that they are not accessible from the web. The HTTP Basic Authentication scheme lacks a mechanism for terminating (logging out) a user session. The only way to end the session is to close the Browser.
The only scenario where using database authentication is acceptable is for migrating existing applications from mod_plsql that are reliant on database authentication, and the database is appropriately configured with a strong password strength and expiration policy.
You can learn more about this feature in the tutorial located in the ORDS distribution, i.e. examples/db_auth/index.html.
RESTful Services Pre-Hook Function
ORDS 18.3.0 introduces the ability for a stored function to be invoked prior to the dispatching of an ORDS based RESTful Service. This facility enables customers to perform additional request validation and authorization and/or configure the database session as required. In addition this facility provides a means for the pre-hook to assert the identity and roles of the user making the request, thus facilitating integration with custom authentication mechanisms.
You can learn more about this feature in the tutorial located in the ORDS distribution, i.e. examples/pre_hook/index.html.
Changes to Installation in CDB$ROOT
As of release 18.2.0, ORDS no longer installs its
ORDS_METADATA schema into the CDB$ROOT container. Now only the
ORDS_PUBLIC_USER common user is installed in the CDB$ROOT (and ALL PDBs connected to the CDB). The
ORDS_METADATA schema is installed in each PDB connected to the CDB. This aids future upgrades of ORDS, minimizing downtime as the CDB and PDBs will no longer need to be all taken offline at the same time for an ORDS upgrade.
The installation changes are supported for Oracle database 188.8.131.52 and later in this release.
Disabling/enabling PDB Lockdown Profile during install/upgrade
For Oracle database 184.108.40.206 or later, the installer will check if the PDB initialization parameter PDB_LOCKDOWN contains a PDB lockdown profile. If a PDB lockdown profile exists, then it will disable the PDB lockdown profile during ORDS install or upgrade, and will enable it when the install or upgrade completes.
If you do not want the ORDS installer disabling the PDB lockdown profile during ORDS install or upgrade, then you can set the pdb.disable.lockdown property to false in the ORDS parameter file:
Supported Java Version
Oracle REST Data Services requires Java 8 or later. Java 7 is no longer supported. Please consult the documentation for the minimum supported Application Server versions for ORDS.
Contents of defaults.xml File
The defaults.xml configuration file is intended for non-default values for all connections. For version 18.3 and higher, only settings with non-default settings are in the file initially. The available settings and their default values are in the Docs. For example, cache.duraction defaults to 7, so unless cache.duration is configured to something other than 7, it is not needed in the defaults.xml file.
The following changes and enhancements have been made since 18.2.0:
Issues Fixed in 18.3.0
New Features in 18.3.0
The following changes and enhancements have been made since 18.1.1:
Issues Fixed in 18.2.0
examples/soda/getting-started/for the SODA feature
db.passwordvalues prefixed with
New Features in 18.2.0
The following changes and enhancements have been made since 18.1.0:
Issues Fixed in 18.1.1
New Features in 18.1.1
The following changes and enhancements have been made since 17.4.1:
Issues Fixed in 18.1.0
New Features in 18.1.0
NoSQL Database Support
Support for Oracle NoSQL Database has been removed in ORDS 18.1.1 and later releases.
From ORDS 18.1.0 and later you can launch ORDS on JDK 9 by just typing:
java -jar ords.war <command-name>
--add-modules java.xml.bindcommand line argument has been eliminated
Autogenerated REST Endpoints
/sign-in/interactive sign in form. Accessing
/sign-in/in APEX workspaces will produce a 404 status.
Support For mod_plsql logmeoff
Starting Standalone Mode when connected to CDB
The typical manner to start ORDS in standalone mode, once ORDS has been configured is:
java -jar ords.war
ORDS will detect that it is fully configured and proceed to launching standalone mode. Since 18.2 the
ORDS_METADATA schema is not installed in the CDB, which means that when the default pool is connected to a CDB there is no way for ORDS to automatically verify the version of the ORDS schema installed in the database, thus ORDS prompts for the
SYS AS SYSDBA password so it can connect to each PDB and verify the ORDS version installed in each PDB. This means that when connected to a CDB the above command is not sufficient to start standalone mode automatically. To work around this issue, use the following command to start ORDS (only after the ORDS instance has been configured) in standalone mode automatically:
java -jar ords.war standalone
Support for apex.docTable