I was helping a colleague this morning, his name rhymes with Harold, and he was trying to get his Docker template for ORDS in order.

He had a series of questions, and while I was able to help him understand what was happening fairly quickly, I realized HIS questions looked an awful lot like some of YOUR questions.

So let’s go through them, and maybe this can help, and MAYBE we can try to incorporate some of this into the future ORDS Docs.

ORA-06598: insufficient INHERIT PRIVILEGES privilege

You are trying to REST Enable SYS a la

    p_enabled => TRUE,
    p_schema  => 'SYS'

This won’t work. It’s not possible to grant proxy connect to any Oracle account for the SYS schema. That’s one of the main things this call does, it allows the ORDS_PUBLIC_USER to do database work (your REST service call) AS the USER where the REST Service is defined.

Also, it would be extremely hazardous to REST Enable the SYS account. Your REST Service, if not coded and secured PERFECTLY, could be used to do very bad things, like…DROP a database.

404…The request could not be mapped to any database

The complete error you would see in the ORDS stack is

 The request could not be mapped to any database. Check the request URL is correct, and that URL to database mappings have been correctly configured.

So when ORDS gets routed a request, it needs to ‘unwind’ the URL to see what exactly is being asked of it.

My friend was doing something similar to this –

/ords/orcl/hr/metadata-catalog — where ‘orcl’ is the DB Name.

The problem here is ORDS is saying, I can’t unwind that request on ‘/ords/orcl/hr/metadata-catalog’ to anything I can understand.

Here is one possible way to look at the URI on a HTTP request to ORDS:

This ONE possible scenario.

If you have ORDS installed into your PDB (recommended), and that ORDS install is only servicing a single database, then the very first thing expected after the ords/ will be an alias for a REST enabled schema.

My friend was putting the DB Name after the /ords, hence that error message. You would only need to do that where you have multiple databases going for your ORDS configuration. In that scenario, you would follow the /ords with a /dbname.

Now, I would expect most folks would default that mapping pattern to the actual name of their database, but you can call it whatever you’d like. ORACLE-BASE has a nice set of instructions here.

I just lied a little bit there…you also need the db name after the /ords if you did a CDB (container) level install of ORDS, but that’s probably going to be much less common.

404 Not Found

Just the ORDS and the REST Enabled Schema

In this case, ORDS knows what you want, but is saying there’s nothing there. You have a valid REST Enabled schema (test), but that’s it.

You need to ask for something IN ‘test’ – a REST enabled schema object, or a RESTful Service. If you get this message, ORDS is working, it’s just that you are requesting something that doesn’t exist.

By the way, if you have APEX configured, if you do a request similar to this, ORDS will redirect you to the APEX login vs giving you a 404.

So, how do I test if ORDS is ‘working?’

After REST enabling a schema, the easiest way to test ORDS is with the /metadata-catalog endpoint.


This brings back the inventory of REST Services in your REST enabled schema – in this case, HR.

But, then my friend ran into the NEXT question/problem.

401 Unauthorized

But, but, but… 🙁

This is a PROTECTED resource IF you do this when you REST enable your schema –

    ORDS.ENABLE_SCHEMA(            p_enabled => TRUE,
                                    p_schema => 'HR',
                          p_url_mapping_type => 'BASE_PATH',
                       p_url_mapping_pattern => 'hr',
                            p_auto_rest_auth => TRUE); -- TRUE means protect the catalog!

THIS = setting P_AUTO_REST_AUTH to ‘TRUE’. This ONLY protects the /metadata-catalog endpoint.

So, if I login/provide the proper credentials on the request…

I have DB Auth enabled on this ORDS config, so I can login as HR.

Now if you have JUST done an install and REST enabled a schema and done NOTHING else, this call will work, but you’ll get an empty/null JSON collection back, because there’s nothing in the REST Services Catalog for that schema.

What do those funny Timestamp | asldfjalskdjfa messages mean on Error responses?

They are a STAMP that you can use to find the associated information in the ORDS standard out/Tomcat/WLS logs.

For example, let’s say I get a 500. Those logs can be HUGE. If I want to pinpoint where in the stack dump that is happening in the ORDS logs…

EZ-PZ. Colm added this in 2019, I think in ORDS 19.2.

How do I Get ORDS to not escape my JSON data in my HTTP responses?


You have a few options. You can print the JSON yourself. You can tell ORDS the column you’re dealing with is JSON so it doesn’t try to convert it, or you can have the response content type set to Media Resource and use an application/json content-type.

I talk more about this here.

I’m sure you have more questions…you know what to do!

In case you don’t know, search in Google. And then if you can’t fine a good answer, I’m happy to take those here 🙂


I'm a Distinguished Product Manager at Oracle. My mission is to help you and your company be more efficient with our database tools.


  1. HI Jeff,
    is there a way to send Server Sent Events over ORDS without additional software? As SSE is part of HTML5, I think it would be nice to have this channel to talk to clients.

  2. How can we check the value of ORDS.SET_MODULE_ORIGINS_ALLOWED? Is it set in the database or a config file?

    • It’s super easy – sqldev web and sqldev desktop show you the allowed origins when you go to create/edit the modules, or you can use SQL

      SELECT *
      FROM (
      , X.NAME NAME
      , URI_PREFIX
      , PATTERN

  3. Andreas Markus Reply

    Even if it was just for the fun of it: can i configure allowed origins for oauth secured autorest enabled objects in ords?

  4. Hello Jeff,

    I am receiving a 400 bad request “One of the following request parameter values is missing or incorrect: client_id” error when trying to get an access token for the OAuth2 implicit grant flow. This occurs after I sign in as the ORDS user I created using the “ords user add” command.

    Here is my setup, and what I have done so far:
    I am using ORDS 23.2.3.r2421937 and running in standalone mode on my local machine. I have ORDS installed in an Oracle 21c XE database, and I use PL/SQL developer. My OS is Windows 11 Pro.
    –Rest enabled the schema (testuser1).
    –Defined a module, template, and handler
    –The handler is a GET method that calls a procedure which executes htp.p(‘Hello World!);

    I tested that this procedure can be called from a web browser (I am using MS Edge version 122.0.2365.92) using /ords/testuser1/module_name/template_name.

    I then wanted to add OAuth2 authorization, so I followed the article at https://oracle-base.com/articles/misc/oracle-rest-data-services-ords-authentication.
    –Logged into the database as testuser1 in PL/SQL developer
    –Created a role in the database using ORDS.create_role.
    –Defined a privilege related to both the role, and the module using ORDS.define_privilege.
    –On the command line, created an ords_user and assigned the above role to it.
    Then calling /ords/module_name/template_name in MS Edge prompted me to sign in, which I can do using the ORDS user credentials, and the hello world text is printed to the screen.

    So up to this point, things are working as they should. Now to try to add OAuth2 authentication:
    –Removed the security.requestValidationFunction configuration key so that I can use OAuth2 on HTTP.
    –Back in PL/SQL developer, I created a client (assigning it the above privilege) with the ‘IMPLICIT’ grant type.
    –The client exists and the client ID can be seen from querying the user_ords_clients view.

    When I go to …/testuser1/oauth/auth?response_type=code&client_id={client id from table}&state={random 32 character string} I am prompted to sign in (as expected) but then after signing in as the above ORDS user, I receive the 400 missing/incorrect client_id error.
    The client_id in the URL matches the one stored in the database.
    Also, I have followed the steps in the quoted Oracle-Base article.

    Do you have any suggestions or ideas why this is happening, and how I may resolve it please?

    Many thanks,

    • I solved the above error (it should be response_type=token for the implicit grant flow, whereas I was using response_type=code – which is for the authorization 3-legged flow).

    • However, instead of going to the page where I am supposed to click “Approve”, I receive the following internal server error:
      “Cannot ask end user to approve two-legged scope: emp_priv”.

      (Note: emp_priv is the name of the privilege that protects the module).

      Any thoughts on how to solve this?

      Googe has not yielded any results yet. I noticed the approval functions/procedures in the ORDS_METADATA schema (e.g. modify_approval_status) are these anything to concern myself with to get the OAuth implicit flow working? I tried modifying an approval status for the client from PENDIGN to APPROVED but it didn’t help with the 500 error.

      The Oracle-Base article for OAuth doesn’t say anything about these. It just says to define role, privilege, and client.

    • A few thoughts, you’re reading Tim’s blog, but asking me for help. I’ve written about securing APIs with our OAuth2 stuff here, many times, and i have step-by-steps.

      You might want to look at our new auth schema, using JSON Web Tokens (JWT) to protect/access APIs, it’s going to let you tie into things like Active Directory, for example – but you’ll need to upgrade your ORDS.

      SQL Developer > PL/SQL Developer.

  5. Duncan Mercer Reply

    Hi Jeff – Running ORDS from one weblogic instance for multiple databases. Keep getting 404 not found error when trying to access token.

    Works on all other DB’s on the server – except one. Tried everything scripts all the same – server settings the same. The URL upto and including the DB name gets me to the APEX login screen – even adding in the rest of the URL to the metadata-catalog just gets 404.

    Thoughts ?


    • “Keep getting 404 not found error when trying to access token.”

      What exactly are you trying to access, the oauth2 endpoint to get an access token? But then, nothing else also works on that db, even ords/sql-developer ?

    • Duncan Mercer

      Hi Jeff

      Nothing working – just trying to check a environment by getting an OAUTH2 token – I don’t expect this call to work via browser but with the database (on the same server) that works I get a 405 method not allowed, which I would expect and then in postman the token is successful.

      For the DB that doesn’t work I get a 404 Not found – The specified resource path does not exist or is not accessible: /token.html

      This is the end part of the URL :


      Any help greatly appreciated.


    • Duncan Mercer

      3rd party use OAUTH2 authentication to access out data

    • There are several examples of showing how to access a bearer token from OAuth2 endpoint, on this blog, even. I show how to do it with a client (insomnia) from cli (curl) and code (python).

  6. Hello jeff

    I am getting HTTP 403 Forbidden URL in POST web service in APEX while redirecting from an external website.

    I have created a web service that is POST method In this module I pass STR as IN para and In PL/SQL it is just printing like begin htp.p(‘Hello ‘||:STR); end; I am gettign output in POSTMAN and in Jquery $.ajax POST method in console. This is unprotected as I want to grab POST request Payload which will be sent by Payment Gateway to the APEX page. Instead of using the APEX page, I use it to grab POST data in Webservice and then I will redirect to the APEX page after calculation.
    My problem is that I am getting HTTP 403 Forbidden URL. I am not sure what causing 403.

    ORDS log below

    POST fs1.XXXX.co.in /ords/XXX/mymodule/returl 403 The request cannot be processed because it failed cross-origin request validation
    CORSAccessForbiddenException [statusCode=403, logLevel=INFO, errorCode=ORDS-13002: The request cannot be processed because it failed cross-origin request validation Cause: This resource does not support Cross-Origin Sharing requests, or the request Origin is not authorized to access this resource. Action: If ords is being reverse proxied ensure the front-end server is propagating the host name, scheme, and port correctly. If using mod_proxy ensure ProxyPreserveHost is set to On. If using SAML with Oracle APEX, ensure security.externalSessionTrustedOrigins is correctly configured. If using a RESTful Service ensure the Origins Allowed value is correctly configured]

    • You need to protect the resource AND define an allowed origin to accommodate your external website.

  7. Jonathan Corwin Reply

    Hi Jeff,
    I’ve got an issue which only happens on one particular ORDS installation.

    I have a ‘POST’ endpoint that works fine from postman, however I get a CORS preflight issue in Chrome.
    I’ve set ORDS.SET_MODULE_ORIGINS_ALLOWED for the module with the origin (plus a few permutations just in case!), to no avail.

    To try and emulate the pre-flight call, I’ve called it with ‘OPTIONS’ in postman and this gives a 403 Forbidden error.

    I’m wondering if you have any suggestions of where else I could look to attempt to resolve this issue?

    • Is the API protected? Because if not, those allowed origins aren’t applied to the resource.

    • Jonathan Corwin

      Not protected as far as I’m aware, and we’ve never had to use SET_MODULE_ORIGINS_ALLOWED before for this to work.

    • Jonathan Corwin

      Turns out it was webserver related rather than ORDS, configured by a third party to block the OPTIONS. Apologies for taking up your time!

  8. Im migrating our servers to apex 22.2 and ords 23.1 from old versions, everything went well with standalone running, but when deployed to tomcat 9.0.74 i got 404 and it was due to a missing env variable, in oracle docs it says the variable should be JAVA_OPTS and the value between double quotes -Dconfig.url=%ORDS_CONFIG% but looks like tomcat cannot recognize this value, so in other website, i found to name this variable as JAVA_TOOL_OPTIONS and without the double quotes, restarted tomcat and it worked. Hope this can help someone. Thanks.

  9. Abraham Olsen Reply

    I am using ORDS Version 21.1.3.r1531102

    In the database, I find this:
    Name Null? Type
    —————————————– ——– —————————-

    What is the last column? I cannot find any documentation of it, and I cannot see a signature for ords.enable_schema, where this field can be set to anything.

    • The pre-hook feature allows you to do things like setup custom auth or configure a session before any API code is called.

      From the docs


      Specifies the function to be invoked prior to dispatching each Oracle REST Data Services based REST Service. The function can perform configuration of the database session, perform additional validation or authorization of the request. If the function returns true, then processing of the request continues. If the function returns false, then processing of the request is aborted and an HTTP 403 Forbidden status is returned.

      Customer blog overview.

  10. Rob de Gouw Reply


    I want to run ORDS from Tomcat.
    After the following steps, I get the error HTTP-404, The request could not be mapped to any database. Check the request URL is correct, and that URL to database mappings have been correctly configured
    and I have no clue as to why it reports that error.
    – Install ORDS and configured it (for standalone mode) -> working fine on port 8088
    – Copy the ords.war to tomcat/webapps folder
    When accessing the same ORDS resource that works when accessing it from the standalone instance, but now from Tomcat, I get the error.
    Even tried:
    – Change the configdir to tomcat/webapps/ords/config
    – Configured the Tomcat ORDS ‘instance’ with the database connection, URL mapping etc conform the standalone instance -> still the same
    – Copied the config from the standalone instance to the tomcat webapps/ords folder -> still the same

    I made sure the config dir (which is owned by opc) is accessible to root (which appears to be running Tomcat) and all files / folders under the Tomcat folder are owned by root, so it could not be that the user running Tomcat is unable to access some config file.
    Any clues?

    (additionally: Where can I find any form of logging when running in TomCat?)

    Kind regards,


    • Are the connection pools being established, do you see the connections in the database? If yes, then it sounds like the configdir is being found/used.

    • Rob de Gouw

      Nope. No conection…
      Weird how you sometimes look at things over and over again and don’t see whats wrong.
      Such as a typo in the configdir path…
      Thanks to your reply I tried to start ORDS from the Tomcat webapps folder in standalone mode, which failed due to a non existent config dir.
      Changed it and now everything works!
      Thanks 1.000.000

      Kind regards,


  11. Tab Kayani Reply

    Hi Jeff,

    I’m getting a frustrating problem when I try to enable a schema for ORDS:

    p_enabled => TRUE,
    p_schema => ‘ORDSTEST’,
    p_url_mapping_type => ‘BASE_PATH’,
    p_auto_rest_auth => TRUE);
    2 3 4 5 6 7 8 BEGIN
    ERROR at line 1:
    ORA-20031: Management of Schema enablement has been restricted to
    ORA-06512: at “ORDS_METADATA.ORDS”, line 183
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 812
    ORA-01031: insufficient privileges
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 422
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 434
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 434
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 798
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 688
    ORA-06512: at “ORDS_METADATA.ORDS_INTERNAL”, line 827
    ORA-06512: at “ORDS_METADATA.ORDS”, line 167
    ORA-06512: at line 2

    I have tried granting the role to the user and even:
    p_user => ‘ORDSTEST’);
    and connecting as different users but nothing seems to work. I tried google but there doesn’t appear to be any info on this error. Please help!


    • did you revoke anything from public? And, you’re logged in as ORDSTEST?

      Finally, that PL/SQL block isn’t right, you should have a line for
      p_url_mapping_pattern => 'ordstest'

  12. Hello! Jeff Smith, I hope you have a good day! I would like to start my q with smile 🙂

    Migrating MOD_PLSQL DB apps TO ORDS_20.4 with custom authentication – Unable to capture session user info who as entered to authenticate via owa_custom. authorize function with function type validation PL/SQL.
    with this below sample code we’re getting always CGI variable info. REMOTE_USER as ORDS DB connection pool name. What we need to capture input username name during login.

    Environment info:
    RHEL 7.8
    Oracle Database
    Oracle REST Data Services version : 20.4.3.r0501904 Deployed in Apache tomcat 9.0.44v
    JAVA 1.8_update281

    Sample code in DB to get the CGI info.
    create or replace PROCEDURE TEST is
    anv varchar2(30);

    htp.title(‘Test page’);
    htp.bodyOpen( cattributes => ‘BGCOLOR=”YELLOW”‘);
    htp.header(1, ‘Test Page !!!!! ‘||anv);
    [tomcat@localhost webapps]$ hostname
    [tomcat@localhostwebapps]$ java -jar ords.war version
    Oracle REST Data Services 20.4.3.r0501904
    [tomcat@localhostwebapps]$ java -version
    java version “1.8.0_281”
    Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
    Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
    [tomcat@localhost webapps]$ cd $CATALINA_HOME/bin
    [tomcat@localhost bin]$ ./catalina.sh version
    Using CATALINA_BASE: /sw01/apache-tomcat-9.0.44
    Using CATALINA_HOME: /sw01/apache-tomcat-9.0.44
    Using CATALINA_TMPDIR: /sw01/apache-tomcat-9.0.44/temp
    Using JRE_HOME: /usr/java/jdk1.8.0_281
    Using CLASSPATH: /sw01/apache-tomcat-9.0.44/bin/bootstrap.jar:/sw01/apache-tomcat-9.0.44/bin/tomcat-juli.jar
    Server version: Apache Tomcat/9.0.44
    Server built: Mar 4 2021 21:49:34 UTC
    Server number:
    OS Name: Linux
    OS Version: 3.10.0-1160.6.1.el7.x86_64
    Architecture: amd64
    JVM Version: 1.8.0_281-b09
    JVM Vendor: Oracle Corporation
    [tomcat@localhost bin]$
    oracle SR placed but no workaround. I did my research in google to get the clue still no luck..

    Could you please share your valuable inputs/recommendations to get capture the REMOTE_USER as login user id so that customized authentication in table will get assigned designed roles for mod_plsql apps functionality display accordingly.

    Thank you

    kind regards,

  13. Thank you, Jeff, for your help. When I tried option 2. It’s overwriting my original configuration with new DB information.

    For example.
    ORDS is already configured and pointing to dev DB with the URL: http://abc.com/ords. – Which is working fine.
    After setting up new config for QA with the following commands

    [ord]$ java -jar ords.jar setup -database qa [ GIVEN QA DB INFORMATION, INSTALL SUCCESSFULLY, NO ERRORS]
    [ord]$ java -jar ords.war map-url –type base-path /qa qa

    My original url http://abc.com/ords is now pointing to QA DB not DEV DB and it is overwriting the all config files pointing to QA not DEV anymore.

    And when I tried the url http://abc.com/ords/qa/f?p=4550 it is giving 404 page error “DispatcherNotFoundException [statusCode=404, reasons=[]]”

    Please guide me If I am doing something wrong.


    • No, that’s not right, you should have /ords going to load apex on your original database pool, and you should have /ords/qa going to APEX on your second database

    • Thank you Jeff, that is the strange thing I am facing. Any suggestion, how to debug this issue. I am not sure why it is overwriting my original configuration instead of mapping the new DB connection.

      I appreciate your help.


  14. Hi Jeff,

    I’m putting together a new ORDS Service which is working great using OAUTH2 as the authorisation scheme. Currently the URI endpoints to access the resources include the schema name of the user that installed the ORDS modules. In your article you make reference to the ORDS Request URI and in particular:

    hr – schema (alias!), service handler code runs as this user

    I’m struggling to see where I can set this alias. I need to achieve this via a script or config file edit as it’s for a deployment to a client. I have a schema of mprs_ws and want to use mprs-ws in the URI.

    Please can you point me in the right direction.


    • Yeah, just run the ODRS package and the ENABLE_SCHEMA procedure. The default behavior is for the schema name to be the alias.


      ORDS.ENABLE_SCHEMA(p_enabled => TRUE,
      p_schema => 'HR',
      p_url_mapping_type => 'BASE_PATH',
      p_url_mapping_pattern => 'not_hr',
      p_auto_rest_auth => FALSE);



    • Ian Young

      I’ve tried using the following:

      p_url_mapping_type => ‘BASE_PATH’,
      p_url_mapping_pattern => ‘mprs-ws’);

      which is called from the MPRS_WS user but the following URL still fails with the following error:
      DispatcherNotFoundException [statusCode=404, logLevel=FINER, reasons=[]]
      With the schema left as the default mprs_ws all seems to work fine.

    • Ian Young

      Apologies URL is:


      /dubs/v1/ address/ PUBLISHED plsql/block



      Just can’t see why this isn’t working!

  15. The problem of “boring Java library loading” on 19.2 does not occur?

    Is there a patch on metalink on ORDS 19.2?

    • ‘boring Java library loading’ – I’m not aware of that issue for ORDS

      There’s a newer version of ORDS than 19.2 – there’s 19.4

      We are working on a patch for 19.4 though, it’ll be avail soon with a bug fix around a 500 issue popping up on the forums.

    • Hello Jeff,

      I am new to ORDS. I am trying to configure ORDS 3x with multiple 11g DB in a Tomcat . When I read document, you can achieve with multiple options.

      Option 1:
      You can simply copy the war file and do settup the war for each DB with different configuration dir, which I am able do. For example, abc.com/dev or abc.com/qa etc.,

      Option 2:
      Other approache is with one war file you can map the url to different db connection, which I am not succeed yet. Please point me for any good documentation. For example abc.com/ORDS/dev or abc.com)ORDS/qa .

      Which option is industry standard. If you can please let me know the pros and cons of each approaches.

      I appreciate your help.


    • having one ords to maintain (option 2) would be less work, less to maintain, less server resources. Do your setup BEFORE you copy the war file to Tomcat. Get it working in standalone mode, and then move it over to Tomcat.

  16. Geert De Paep Reply

    Thanks for this info, but still for me it remains very difficult to troubleshoot issues when it is not working. E.g. is there an easy way to identify that you run into the issue described in Doc 2488390.1? Is there a way to have more significant logging in catalina.log instead of 1000 lines of java stack trace that usually don’t help a lot? A the moment I have an apex setup where an image will not load using #APP_IMAGES#/someimage.gif, but again, how to easily troubleshoot this?
    If you see a chance to add a debug option that can clearly say what ords is doing exactly and where to look in case of issues, I would really appreciate this.
    Thanks and regards. Note that I remain a big fan of Apex and ORDS!

    • That one’s pretty simple, install APEX before you tell ORDS you want to configure it for APEX. If you run into this, run the validate command via ords (java -jar ords.war validate)

      You say a 1,000 lines of java stack trace that don’t help a lot – well, they generally have everything we need to know to figure out what’s going on. It’s a java app, so you get a java stack. Having more meaningful errors is important, and this is also why we just started adding the fingerprint info to the error dialogs so you could jump straight to the right place in that 1,000 line error stack. There already is a debug option for ORDS – it prints the full error stack (in the browser response) if you have print debug to screen also enabled

Write A Comment