7 Replies. Latest reply: Feb 12, 2013 9:15 PM by scott.wesley

Weird security on login page, change page alias change page type

Damir Vadas Newbie
Hi!
Apex 4.2.1.00.08.

If I change the page alias "LOGIN_JQM_SMARTPHONE" or "LOGIN_DESKTOP" to something else, that login page becomes a dynamic form (initially it was Login) and the icon is not a lock but that of a normal page. This leads to several other problems ...

I have my own names for pages and want to implement them. Is there any way to achieve that?

Is there any written document on what can be altered in the login form and what cannot?

rg
Damir Vadas
http://damir-vadas.blogspot.com
  • 1. Re: Weird security on login page, change page alias change page type
    scott.wesley Guru
    It sounds like you need to modify your User Interface details to match with your page aliases.

    Not sure what your "normal page" is, but perhaps you're seeing this?
    http://www.grassroots-oracle.com/2013/01/apex-42-user-interface-detection.html

    Scott
  • 2. Re: Weird security on login page, change page alias change page type
    Damir Vadas Newbie
    Scott,

    A "normal" page is anything other than the login page. Your advice seems to be not totally correct.

    Here is briefly why.

    Try to modify the LOGIN_DESKTOP alias value in the login page and/or in the already existing Interface properties (even if both are changed to the same other alias value, the problem is reproducible!).
    The result of that is:
    - Immediately, the page icon on the Application Builder home page for that app changes from a "lock" to a "star" icon.
    - "LOGIN_THROTTLE.COUNTER" is frozen on such a login page and normal login is very hard to do (have to count manually).
    - The login page is (as seen in Protection -> Page Protection report) a Dynamic Form and the "login" value is lost.

    I have even tried to remove all pages from the app, remove all interfaces and recreate them with new values. But interestingly, the login page alias is always "LOGIN_DESKTOP" regardless of what you write in the new interface creation.

    You can try that on any new application; it is a very quick demo.

    This is why I asked what can and what cannot be altered. I just want to give the login page an alias other than the default one, and this seems not to be possible in version 4.2.1.

    Hope it is all clearer now.
    Rg,
    Damir Vadas
    http://damir-vadas.blogspot.com
  • 3. Re: Weird security on login page, change page alias change page type
    Christian Neumueller Expert
    Hi Damir,

    we have a small heuristic for the builder's page icon view. If the alias is like 'LOGIN%', then we show the login page icon. It's a small inconvenience that the login icon is not shown in the builder, if you want to set LET_ME_IN or some translated name as page alias. In 4.1.1, the check was just for alias='LOGIN'.

    This has no effect at all on the application's runtime behaviour (e.g. the throttle), though. I just created an application with such a modified alias and the throttle worked fine. Did you check if there were some javascript errors when running the page?

    Regards,
    Christian
  • 4. Re: Weird security on login page, change page alias change page type
    Damir Vadas Newbie
    Christian
    Thank heaven for this explanation, but some things are not as easy as you thought. Let me explain.

    If you change the alias name in the Interface part as well as in the login page, the throttle runs, and the icon is different. On this I agree with you.
    The throttle was stopped because I placed a logout URL in the "Session Not Valid" part of authentication without placing a proper function for that, just a URL ...
    In previous Apex versions this was OK; now it is not and causes problems for the throttle. Maybe you should consider this change as well ... but I can live with it, no problem.

    But I saw another problem arise in such a case.
    With custom alias naming, the login page is never recognized as a "login" type page (look in Home->Application Builder->Application xxx->Shared Components->Session State ->Protection by Page), where the type of such an ex-Login page is now "Dynamic Form".
    I do not know where else this might have influence and what other security issues this might produce, but IMHO this should not be like that ... login type should not depend on its alias.

    While you are here, please note another bug. Here are the steps to reproduce it:
    1) Create a new desktop app with one page (authentication or anything else later in the create app wizard is not important). Now you have two pages (Home and Login).
    2) Delete all the pages.
    3) Delete the Desktop Interface as well.
    4) Create a new Desktop Interface and paste values for the home and login pages which have different aliases than the standard ones.
    5) Regardless of the LOGIN alias name you enter, the default "LOGIN_DESKTOP" will always be created in the new Interface.

    8(

    I really do hope that this problem with the alias naming convention will be documented or changed in the near future ... so people can name pages as they want. At least I would like to have some comment from you on this case for future events.

    Rg on your contribution on this forum.

    Damir Vadas
    http://damir-vadas.blogspot.com
  • 5. Re: Weird security on login page, change page alias change page type
    scott.wesley Guru
    In piecing together Damir's three forum posts on this topic, I think the one with the potential bug is best detailed in the thread he's already closed.
    Problem with LOGIN_THROTTLE.COUNTER on login page
    Also related:
    Manually recreate login mobile page problem

    It appears that certain javascript is not being added to the page.

    I'm not convinced this is related to his manipulations of the login page, partially because of lack of info, and partially because I've seen the same thing but haven't investigated whether it's browser/apex/environment/ui etc.

    The problem may relate to apex_application_pages.page_function, mapped to apex_040200.wwv_flow_steps.page_component_map.
    When recreating a login page with the wizard, this value changes from 12 to 16.

    Damir is seeing symptoms of this in some builder pages that list page type. I don't see the heuristic Christian mentions, only what I can garner from the view above which seems to be what the builder is doing.
    Only thing I found is in a (unrelated?) process in f4000.sql

    The page type seen in session state protect screen is the same column - just viewed as text instead of icon


    Damir, regarding the "bug" you step through here, this seems related at best. On the rare occasion this process may be happening, the login url mentioned in the wizard is not driving the alias used - it's up to the developer to ensure they match up.

    What is the actual problem - is it just the throttling?
  • 6. Re: Weird security on login page, change page alias change page type
    Damir Vadas Newbie
    Scott,

    Maybe you didn't notice, but your question is already answered in my previous post.
    Damir Vadas wrote:
    > The throttle was stopped because I placed a logout URL in the "Session Not Valid" part of authentication without placing a proper function for that, just a URL ... In previous Apex versions this was OK; now it is not and causes problems for the throttle. Maybe you should consider this change as well ... but I can live with it, no problem.
    Cross-referencing posts is now pretty confusing for others and makes a mess of understanding the real problem. Maybe we should stop making them ... sorry for starting it in the first place.
    :-)
    scott.wesley (grassroots-oracle.com) wrote:
    > The page type seen in session state protect screen is the same column - just viewed as text instead of icon
    Seems you are correct about this.
    > Damir is seeing symptoms of this in some builder pages that list page type.
    What I am considering is whether there is, from the start, a deeper security problem that may happen. That still seems to remain to be answered.
    > What is the actual problem - is it just the throttling?
    No. Please stop mentioning the throttle, because I explained in the thread why and how this happened. I must admit that now, even though I started the thread, I cannot connect all the inter-topic references.
    8(
    > On the rare occasion this process may be happening
    Which process are you mentioning here? I do not follow you now.

    rg
    Damir Vadas
    http://damir-vadas.blogspot.com
  • 7. Re: Weird security on login page, change page alias change page type
    scott.wesley Guru
    I cross referenced them because you're talking about the same problems & settings, and you mention them yourself without referencing.

    Have you experienced a security issue? If not, so far it's only cosmetic.

    You never really described why throttle was corrected, except suggesting it was related to your login page fiddles/recreation. You upgraded, something broke, and you had to change to accommodate. That doesn't sound fixed. You closed the thread without describing a fix, rather you opened a new thread discussing what you thought was the cause. I'm confused and I've read all your posts!
    > rare occasion this process may be happening
    I'm referring to your 1-5 step process of smashing UI records & login pages.

    Is your problem all about recreating a login page that doesn't get classified as such?
    What issue does this cause for you besides cosmetic?
    Missing javascript on rendered page?
