I was helping a colleague this morning, his name rhymes with Harold, and he was trying to get his Docker template for ORDS in order.

He had a series of questions, and while I was able to help him understand what was happening fairly quickly, I realized HIS questions looked an awful lot like some of YOUR questions.

So let’s go through them, and maybe this can help, and MAYBE we can try to incorporate some of this into the future ORDS Docs.

ORA-06598: insufficient INHERIT PRIVILEGES privilege

You are trying to REST Enable SYS a la

ORDS.ENABLE_SCHEMA(
    p_enabled => TRUE,
    p_schema  => 'SYS'
...

This won’t work. It’s not possible to grant proxy connect to any Oracle account for the SYS schema. That’s one of the main things this call does, it allows the ORDS_PUBLIC_USER to do database work (your REST service call) AS the USER where the REST Service is defined.

Also, it would be extremely hazardous to REST Enable the SYS account. Your REST Service, if not coded and secured PERFECTLY, could be used to do very bad things, like…DROP a database.

404…The request could not be mapped to any database

The complete error you would see in the ORDS stack is

 The request could not be mapped to any database. Check the request URL is correct, and that URL to database mappings have been correctly configured.

So when ORDS gets routed a request, it needs to ‘unwind’ the URL to see what exactly is being asked of it.

My friend was doing something similar to this –

/ords/orcl/hr/metadata-catalog — where ‘orcl’ is the DB Name.

The problem here is ORDS is saying, I can’t unwind that request on ‘/ords/orcl/hr/metadata-catalog’ to anything I can understand.

Here is one possible way to look at the URI on a HTTP request to ORDS:

This ONE possible scenario.

If you have ORDS installed into your PDB (recommended), and that ORDS install is only servicing a single database, then the very first thing expected after the ords/ will be an alias for a REST enabled schema.

My friend was putting the DB Name after the /ords, hence that error message. You would only need to do that where you have multiple databases going for your ORDS configuration. In that scenario, you would follow the /ords with a /dbname.

Now, I would expect most folks would default that mapping pattern to the actual name of their database, but you can call it whatever you’d like. ORACLE-BASE has a nice set of instructions here.

I just lied a little bit there…you also need the db name after the /ords if you did a CDB (container) level install of ORDS, but that’s probably going to be much less common.

404 Not Found

Just the ORDS and the REST Enabled Schema

In this case, ORDS knows what you want, but is saying there’s nothing there. You have a valid REST Enabled schema (test), but that’s it.

You need to ask for something IN ‘test’ – a REST enabled schema object, or a RESTful Service. If you get this message, ORDS is working, it’s just that you are requesting something that doesn’t exist.

By the way, if you have APEX configured, if you do a request similar to this, ORDS will redirect you to the APEX login vs giving you a 404.

So, how do I test if ORDS is ‘working?’

After REST enabling a schema, the easiest way to test ORDS is with the /metadata-catalog endpoint.

/ords/hr/metadata-catalog

This brings back the inventory of REST Services in your REST enabled schema – in this case, HR.

But, then my friend ran into the NEXT question/problem.

401 Unauthorized

But, but, but… 🙁

This is a PROTECTED resource IF you do this when you REST enable your schema –

BEGIN
 
    ORDS.ENABLE_SCHEMA(            p_enabled => TRUE,
                                    p_schema => 'HR',
                          p_url_mapping_type => 'BASE_PATH',
                       p_url_mapping_pattern => 'hr',
                            p_auto_rest_auth => TRUE); -- TRUE means protect the catalog!
    COMMIT;
END;

THIS = setting P_AUTO_REST_AUTH to ‘TRUE’. This ONLY protects the /metadata-catalog endpoint.

So, if I login/provide the proper credentials on the request…

I have DB Auth enabled on this ORDS config, so I can login as HR.

Now if you have JUST done an install and REST enabled a schema and done NOTHING else, this call will work, but you’ll get an empty/null JSON collection back, because there’s nothing in the REST Services Catalog for that schema.

What do those funny Timestamp | asldfjalskdjfa messages mean on Error responses?

They are a STAMP that you can use to find the associated information in the ORDS standard out/Tomcat/WLS logs.

For example, let’s say I get a 500. Those logs can be HUGE. If I want to pinpoint where in the stack dump that is happening in the ORDS logs…

EZ-PZ. Colm added this in 2019, I think in ORDS 19.2.

How do I Get ORDS to not escape my JSON data in my HTTP responses?

Yuck.

You have a few options. You can print the JSON yourself. You can tell ORDS the column you’re dealing with is JSON so it doesn’t try to convert it, or you can have the response content type set to Media Resource and use an application/json content-type.

I talk more about this here.

I’m sure you have more questions…you know what to do!

In case you don’t know, search in Google. And then if you can’t fine a good answer, I’m happy to take those here 🙂

Author

I'm a Distinguished Product Manager at Oracle. My mission is to help you and your company be more efficient with our database tools.

39 Comments

  1. Duncan Mercer Reply

    Hi Jeff – Running ORDS from one weblogic instance for multiple databases. Keep getting 404 not found error when trying to access token.

    Works on all other DB’s on the server – except one. Tried everything scripts all the same – server settings the same. The URL upto and including the DB name gets me to the APEX login screen – even adding in the rest of the URL to the metadata-catalog just gets 404.

    Thoughts ?

    thanks

    • “Keep getting 404 not found error when trying to access token.”

      What exactly are you trying to access, the oauth2 endpoint to get an access token? But then, nothing else also works on that db, even ords/sql-developer ?

  2. Hello jeff

    I am getting HTTP 403 Forbidden URL in POST web service in APEX while redirecting from an external website.

    I have created a web service that is POST method In this module I pass STR as IN para and In PL/SQL it is just printing like begin htp.p(‘Hello ‘||:STR); end; I am gettign output in POSTMAN and in Jquery $.ajax POST method in console. This is unprotected as I want to grab POST request Payload which will be sent by Payment Gateway to the APEX page. Instead of using the APEX page, I use it to grab POST data in Webservice and then I will redirect to the APEX page after calculation.
    My problem is that I am getting HTTP 403 Forbidden URL. I am not sure what causing 403.

    ORDS log below

    POST fs1.XXXX.co.in /ords/XXX/mymodule/returl 403 The request cannot be processed because it failed cross-origin request validation
    CORSAccessForbiddenException [statusCode=403, logLevel=INFO, errorCode=ORDS-13002: The request cannot be processed because it failed cross-origin request validation Cause: This resource does not support Cross-Origin Sharing requests, or the request Origin is not authorized to access this resource. Action: If ords is being reverse proxied ensure the front-end server is propagating the host name, scheme, and port correctly. If using mod_proxy ensure ProxyPreserveHost is set to On. If using SAML with Oracle APEX, ensure security.externalSessionTrustedOrigins is correctly configured. If using a RESTful Service ensure the Origins Allowed value is correctly configured]

    • You need to protect the resource AND define an allowed origin to accommodate your external website.

  3. Jonathan Corwin Reply

    Hi Jeff,
    I’ve got an issue which only happens on one particular ORDS installation.

    I have a ‘POST’ endpoint that works fine from postman, however I get a CORS preflight issue in Chrome.
    I’ve set ORDS.SET_MODULE_ORIGINS_ALLOWED for the module with the origin (plus a few permutations just in case!), to no avail.

    To try and emulate the pre-flight call, I’ve called it with ‘OPTIONS’ in postman and this gives a 403 Forbidden error.

    I’m wondering if you have any suggestions of where else I could look to attempt to resolve this issue?

    • Jonathan Corwin

      Not protected as far as I’m aware, and we’ve never had to use SET_MODULE_ORIGINS_ALLOWED before for this to work.

    • Jonathan Corwin

      Turns out it was webserver related rather than ORDS, configured by a third party to block the OPTIONS. Apologies for taking up your time!

  4. Im migrating our servers to apex 22.2 and ords 23.1 from old versions, everything went well with standalone running, but when deployed to tomcat 9.0.74 i got 404 and it was due to a missing env variable, in oracle docs it says the variable should be JAVA_OPTS and the value between double quotes -Dconfig.url=%ORDS_CONFIG% but looks like tomcat cannot recognize this value, so in other website, i found to name this variable as JAVA_TOOL_OPTIONS and without the double quotes, restarted tomcat and it worked. Hope this can help someone. Thanks.

  5. Abraham Olsen Reply

    I am using ORDS Version 21.1.3.r1531102

    In the database, I find this:
    DESC ORDS_METADATA.USER_ORDS_SCHEMAS
    VIEW ORDS_METADATA.USER_ORDS_SCHEMAS
    Name Null? Type
    —————————————– ——– —————————-
    ID NOT NULL NUMBER
    PARSING_SCHEMA NOT NULL VARCHAR2(30)
    TYPE NOT NULL VARCHAR2(10)
    PATTERN NOT NULL VARCHAR2(255)
    STATUS NOT NULL VARCHAR2(30)
    AUTO_REST_AUTH NOT NULL VARCHAR2(30)
    OPS_ALLOWED NUMBER
    PRE_HOOK VARCHAR2(255)

    What is the last column? I cannot find any documentation of it, and I cannot see a signature for ords.enable_schema, where this field can be set to anything.

    • The pre-hook feature allows you to do things like setup custom auth or configure a session before any API code is called.

      From the docs
      procedure.rest.preHook

      string

      Specifies the function to be invoked prior to dispatching each Oracle REST Data Services based REST Service. The function can perform configuration of the database session, perform additional validation or authorization of the request. If the function returns true, then processing of the request continues. If the function returns false, then processing of the request is aborted and an HTTP 403 Forbidden status is returned.

      Customer blog overview.

  6. Rob de Gouw Reply

    Jeff,

    I want to run ORDS from Tomcat.
    After the following steps, I get the error HTTP-404, The request could not be mapped to any database. Check the request URL is correct, and that URL to database mappings have been correctly configured
    and I have no clue as to why it reports that error.
    Done:
    – Install ORDS and configured it (for standalone mode) -> working fine on port 8088
    – Copy the ords.war to tomcat/webapps folder
    When accessing the same ORDS resource that works when accessing it from the standalone instance, but now from Tomcat, I get the error.
    Even tried:
    – Change the configdir to tomcat/webapps/ords/config
    – Configured the Tomcat ORDS ‘instance’ with the database connection, URL mapping etc conform the standalone instance -> still the same
    – Copied the config from the standalone instance to the tomcat webapps/ords folder -> still the same

    I made sure the config dir (which is owned by opc) is accessible to root (which appears to be running Tomcat) and all files / folders under the Tomcat folder are owned by root, so it could not be that the user running Tomcat is unable to access some config file.
    Any clues?

    (additionally: Where can I find any form of logging when running in TomCat?)

    Kind regards,

    Rob

    • Are the connection pools being established, do you see the connections in the database? If yes, then it sounds like the configdir is being found/used.

    • Rob de Gouw

      Nope. No conection…
      Ggrrrrr….
      Weird how you sometimes look at things over and over again and don’t see whats wrong.
      Such as a typo in the configdir path…
      Thanks to your reply I tried to start ORDS from the Tomcat webapps folder in standalone mode, which failed due to a non existent config dir.
      Changed it and now everything works!
      Thanks 1.000.000

      Kind regards,

      Rob

  7. Tab Kayani Reply

    Hi Jeff,

    I’m getting a frustrating problem when I try to enable a schema for ORDS:

    SQL> BEGIN
    ORDS.ENABLE_SCHEMA(
    p_enabled => TRUE,
    p_schema => ‘ORDSTEST’,
    p_url_mapping_type => ‘BASE_PATH’,
    p_auto_rest_auth => TRUE);
    END;
    /
    2 3 4 5 6 7 8 BEGIN
    *
    ERROR at line 1:
    ORA-20031: Management of Schema enablement has been restricted to
    ORDS_ADMINISTRATOR_ROLE privilege.
    ORA-06512: at “ORDS_METADATA.ORDS”, line 183
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 812
    ORA-01031: insufficient privileges
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 422
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 434
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 434
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 798
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 688
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 827
    ORA-06512: at “ORDS_METADATA.ORDS”, line 167
    ORA-06512: at line 2

    I have tried granting the role to the user and even:
    BEGIN
    ORDS_ADMIN.PROVISION_ADMIN_ROLE(
    p_user => ‘ORDSTEST’);
    END;
    /
    and connecting as different users but nothing seems to work. I tried google but there doesn’t appear to be any info on this error. Please help!

    Tab

    • did you revoke anything from public? And, you’re logged in as ORDSTEST?

      Finally, that PL/SQL block isn’t right, you should have a line for
      p_url_mapping_pattern => 'ordstest'

  8. Hello! Jeff Smith, I hope you have a good day! I would like to start my q with smile 🙂

    Migrating MOD_PLSQL DB apps TO ORDS_20.4 with custom authentication – Unable to capture session user info who as entered to authenticate via owa_custom. authorize function with function type validation PL/SQL.
    with this below sample code we’re getting always CGI variable info. REMOTE_USER as ORDS DB connection pool name. What we need to capture input username name during login.

    Environment info:
    ———————
    RHEL 7.8
    Oracle Database 19.0.0.0.0
    APEX 20.0.2.0.0
    Oracle REST Data Services version : 20.4.3.r0501904 Deployed in Apache tomcat 9.0.44v
    JAVA 1.8_update281

    Sample code in DB to get the CGI info.
    ——————————————————
    create or replace PROCEDURE TEST is
    anv varchar2(30);

    begin
    htp.htmlOpen;
    htp.headOpen;
    htp.title(‘Test page’);
    htp.headClose;
    htp.bodyOpen( cattributes => ‘BGCOLOR=”YELLOW”‘);
    htp.header(1, ‘Test Page !!!!! ‘||anv);
    owa_util.print_cgi_env;
    owa_util.signature;
    htp.htmlClose;
    end;
    ——————————
    [tomcat@localhost webapps]$ hostname
    closvl3110
    [tomcat@localhostwebapps]$ java -jar ords.war version
    Oracle REST Data Services 20.4.3.r0501904
    [tomcat@localhostwebapps]$ java -version
    java version “1.8.0_281”
    Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
    Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
    [tomcat@localhost webapps]$ cd $CATALINA_HOME/bin
    [tomcat@localhost bin]$ ./catalina.sh version
    Using CATALINA_BASE: /sw01/apache-tomcat-9.0.44
    Using CATALINA_HOME: /sw01/apache-tomcat-9.0.44
    Using CATALINA_TMPDIR: /sw01/apache-tomcat-9.0.44/temp
    Using JRE_HOME: /usr/java/jdk1.8.0_281
    Using CLASSPATH: /sw01/apache-tomcat-9.0.44/bin/bootstrap.jar:/sw01/apache-tomcat-9.0.44/bin/tomcat-juli.jar
    Using CATALINA_OPTS:
    Server version: Apache Tomcat/9.0.44
    Server built: Mar 4 2021 21:49:34 UTC
    Server number: 9.0.44.0
    OS Name: Linux
    OS Version: 3.10.0-1160.6.1.el7.x86_64
    Architecture: amd64
    JVM Version: 1.8.0_281-b09
    JVM Vendor: Oracle Corporation
    [tomcat@localhost bin]$
    ——————————————
    oracle SR placed but no workaround. I did my research in google to get the clue still no luck..

    Could you please share your valuable inputs/recommendations to get capture the REMOTE_USER as login user id so that customized authentication in table will get assigned designed roles for mod_plsql apps functionality display accordingly.

    Thank you

    kind regards,
    Purushotham.

  9. Thank you, Jeff, for your help. When I tried option 2. It’s overwriting my original configuration with new DB information.

    For example.
    ORDS is already configured and pointing to dev DB with the URL: http://abc.com/ords. – Which is working fine.
    After setting up new config for QA with the following commands

    [ord]$ java -jar ords.jar setup -database qa [ GIVEN QA DB INFORMATION, INSTALL SUCCESSFULLY, NO ERRORS]
    [ord]$ java -jar ords.war map-url –type base-path /qa qa

    My original url http://abc.com/ords is now pointing to QA DB not DEV DB and it is overwriting the all config files pointing to QA not DEV anymore.

    And when I tried the url http://abc.com/ords/qa/f?p=4550 it is giving 404 page error “DispatcherNotFoundException [statusCode=404, reasons=[]]”

    Please guide me If I am doing something wrong.

    Regards,
    Rose.

    • No, that’s not right, you should have /ords going to load apex on your original database pool, and you should have /ords/qa going to APEX on your second database

    • Thank you Jeff, that is the strange thing I am facing. Any suggestion, how to debug this issue. I am not sure why it is overwriting my original configuration instead of mapping the new DB connection.

      I appreciate your help.

      Regards,
      Rose.

  10. Hi Jeff,

    I’m putting together a new ORDS Service which is working great using OAUTH2 as the authorisation scheme. Currently the URI endpoints to access the resources include the schema name of the user that installed the ORDS modules. In your article you make reference to the ORDS Request URI and in particular:

    hr – schema (alias!), service handler code runs as this user

    I’m struggling to see where I can set this alias. I need to achieve this via a script or config file edit as it’s for a deployment to a client. I have a schema of mprs_ws and want to use mprs-ws in the URI.

    Please can you point me in the right direction.

    Thanks

    • Yeah, just run the ODRS package and the ENABLE_SCHEMA procedure. The default behavior is for the schema name to be the alias.

      BEGIN

      ORDS.ENABLE_SCHEMA(p_enabled => TRUE,
      p_schema => 'HR',
      p_url_mapping_type => 'BASE_PATH',
      p_url_mapping_pattern => 'not_hr',
      p_auto_rest_auth => FALSE);

      commit;

      END;

    • Ian Young

      I’ve tried using the following:

      ORDS.ENABLE_SCHEMA(p_enabled=>TRUE,
      p_url_mapping_type => ‘BASE_PATH’,
      p_url_mapping_pattern => ‘mprs-ws’);

      which is called from the MPRS_WS user but the following URL still fails with the following error:
      DispatcherNotFoundException [statusCode=404, logLevel=FINER, reasons=[]]
      With the schema left as the default mprs_ws all seems to work fine.

    • Ian Young

      Apologies URL is:

      http://mprsapp:9201/ords/mprs-ws/dubs/v1/address

      USER_ORDS_SERVICES shows:
      BASE_PATH PATTERN STATUS SOURCE_TYPE
      /dubs/v1/ address/ PUBLISHED plsql/block

      USER_ORDS_SCHEMAS:
      PARSING_SCHEMA TYPE PATTERN STATUS
      MPRS_WS BASE_PATH mprs-ws ENABLED

      url_mappings:

      Just can’t see why this isn’t working!

  11. The problem of “boring Java library loading” on 19.2 does not occur?

    Is there a patch on metalink on ORDS 19.2?

    • ‘boring Java library loading’ – I’m not aware of that issue for ORDS

      There’s a newer version of ORDS than 19.2 – there’s 19.4

      We are working on a patch for 19.4 though, it’ll be avail soon with a bug fix around a 500 issue popping up on the forums.

    • Hello Jeff,

      I am new to ORDS. I am trying to configure ORDS 3x with multiple 11g DB in a Tomcat . When I read document, you can achieve with multiple options.

      Option 1:
      You can simply copy the war file and do settup the war for each DB with different configuration dir, which I am able do. For example, abc.com/dev or abc.com/qa etc.,

      Option 2:
      Other approache is with one war file you can map the url to different db connection, which I am not succeed yet. Please point me for any good documentation. For example abc.com/ORDS/dev or abc.com)ORDS/qa .

      Which option is industry standard. If you can please let me know the pros and cons of each approaches.

      I appreciate your help.

      Regards,
      Rose.

    • having one ords to maintain (option 2) would be less work, less to maintain, less server resources. Do your setup BEFORE you copy the war file to Tomcat. Get it working in standalone mode, and then move it over to Tomcat.

  12. Geert De Paep Reply

    Thanks for this info, but still for me it remains very difficult to troubleshoot issues when it is not working. E.g. is there an easy way to identify that you run into the issue described in Doc 2488390.1? Is there a way to have more significant logging in catalina.log instead of 1000 lines of java stack trace that usually don’t help a lot? A the moment I have an apex setup where an image will not load using #APP_IMAGES#/someimage.gif, but again, how to easily troubleshoot this?
    If you see a chance to add a debug option that can clearly say what ords is doing exactly and where to look in case of issues, I would really appreciate this.
    Thanks and regards. Note that I remain a big fan of Apex and ORDS!

    • That one’s pretty simple, install APEX before you tell ORDS you want to configure it for APEX. If you run into this, run the validate command via ords (java -jar ords.war validate)

      You say a 1,000 lines of java stack trace that don’t help a lot – well, they generally have everything we need to know to figure out what’s going on. It’s a java app, so you get a java stack. Having more meaningful errors is important, and this is also why we just started adding the fingerprint info to the error dialogs so you could jump straight to the right place in that 1,000 line error stack. There already is a debug option for ORDS – it prints the full error stack (in the browser response) if you have print debug to screen also enabled

Write A Comment