1 2 Previous Next 18 Replies Latest reply: Feb 2, 2014 1:41 PM by jstem1177 RSS

Error Page protection violation in APEX 4.2.2 - Login Page

jstem1177 Explorer
Currently Being Moderated

Hello All,

 

I've got an in-house application (extremely custom application ;-) )  that used dynamic action to login to apex without loading the login page.

However after ungrading from 3.2.1 I found how that this "approach" is now being met with the famous "Error Page Protection".

 

I've disabled all the session state protection and all. I do have a check_sum on the page.

 

What I need is to completely turn these checks off. This APEX in only for a small workgroup inside an intranet, but we are looking to make it available to some other employees?

 

I've read about the error and nothing seems to pertain to my issue. The error is directly on the login page. It happens when I submit a complete url to the login page from my application.

 

I understand this is to protect applications, but I insist own hacking my own APEX application. I do want to manipulate my page items !!!

 

Can someone advise how to OVERRIDE this protection feature.

 

Thanks in advance for any suggestions.

 

Jan S,

  • 1. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Joni Vandenberghe Pro
    Currently Being Moderated

    Do you have read only, disabled or hidden & protected items on the page? Those could all cause issues even if your checksum is not enabled.

  • 2. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    jstem1177 Explorer
    Currently Being Moderated

    Hello Joni,

     

    None that I know of. I used the pages --> Create Login page (APEX authentication). Nothing else. State protection is turned off on all pages. However, the application is runnign in Pre 4.1 mode, however I would be really surprised that this would cause such an error.

     

    Thanks in advance for you assistance.


    Jan S.

  • 3. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Christian Neumueller Expert
    Currently Being Moderated

    Hi Jan,

     

    overriding this check should not be possible (or I have to work on a security fix). However, maybe we can find a way to work around the problems that you encounter. Can you please explain what you are exactly trying to accomplish and where it fails? Maybe you could even create a simple test case on apex.oracle.com.

     

    Regards,

    Christian

  • 4. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    jstem1177 Explorer
    Currently Being Moderated

    Hello Christian,

     

    In short, I have a desktop application that has a login window. What I do is I take in the username and password and attached it parameter p_t01 & p_t02 to AJAX call which submits a url containing the p_arg_names(argument ## representing the username textfield and password textfield) and send that to the APEX login page of my application.

     

    This was possible to do in 3.2.1 and would be a great loss to us if we cannot work around this. This is only inhouse and inside our vpn. Furhtermore, we cannot opt for no login as the application uses roles which are bound to the user.

     

    Thanks

     

    Jan S.

  • 5. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Christian Neumueller Expert
    Currently Being Moderated

    Hi Jan,

     

    so you are creating a wwv_flow.accept request from the desktop application to page 101 of your APEX application. As you probably know, passing credentials in URLs is not secure, but let's ignore that for now, because the point is to hack your own application, as you mentioned above :-) How about this:

     

    1. generate a normal f?p request, e.g. f?p=12345:101:0::::P101_USERNAME,P101_PASSWORD:JanS,JanSPassword

    2. on your login page, add a before header branch to page accept, with target page 101 and request LOGIN

    3. add a condition to this branch, so APEX only uses it if P101_PASSWORD is not null

     

    Regards,
    Christian

  • 6. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    jstem1177 Explorer
    Currently Being Moderated

    Christian,

     

    YOU ARE AWESOME. Worked like a charm.

     

    On another note, I confirm that the flow.accept approach with the argument names caused the same "Page Protection" error. will see if there are any effects of turning state page protection back ON.

     

    Anyways, once more, thanks for the awesoem assistance. HACK YOUR OWN APEX !

     

    Thank you very much.

  • 7. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Recx Ltd Explorer
    Currently Being Moderated

    In case you do not want to add a branch, you can make the request equal "BRANCH_TO_PAGE_ACCEPT", it should log you in.

     

    f?p=12345:101:0:BRANCH_TO_PAGE_ACCEPT:::P101_USERNAME,P101_PASSWORD:JanS,JanSPassword


    regards,

  • 8. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Christian Neumueller Expert
    Currently Being Moderated

    Right, because there is typically no button condition on the login process.

     

    Regards,
    Christian

  • 9. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    jstem1177 Explorer
    Currently Being Moderated

    Hello Christian and all,

     

    Well I don't know what I might have done wrong or if something changed in 4.2.4, but I'm getting the follwoing error:

     

    The page isn't redirecting properly

     

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.


    I've  followed the below instructions and I might be missing something?


    1. generate a normal f?p request, e.g. f?p=12345:101:0::::P101_USERNAME,P101_PASSWORD:JanS,JanSPassword

    2. on your login page, add a before header branch to page accept, with target page 101 and request LOGIN

    3. add a condition to this branch, so APEX only uses it if P101_PASSWORD is not null

     

    I really appreciate your help. Trust when I say, I'm really up to no good with APEX ;-) and trying to push the limits, as I think its fantastic product.

     

    Jan S.

  • 10. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Christian Neumueller Expert
    Currently Being Moderated

    Hi Jan,

     

    please use a tool like FireBug or the built-in Developer Tools to check the URLs that this redirect loop produces. Can you post some examples here?

     

    Regards,

    Christian

  • 11. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    jstem1177 Explorer
    Currently Being Moderated

    Hello Christian,

     

     

    Thanks in advance for your asistance

     

    So I ran the test on fire bug, but I cannot see where its redirecting to??. All the Details are the same for every call.

     

    Tab Params:

    ===========

    p   125:101:0::::P101_USERNAME,P101_PASSWORD:PSINCLAIR,ioracle

     

    Tab Headers:

    =================

    Cache-Control    no-cache, no-store, max-age=0, must-revalidate
    Connection    Keep-Alive
    Content-Language    en
    Content-Length    0
    Content-Type    text/html; charset=UTF-8
    Date    Thu, 30 Jan 2014 14:41:09 GMT
    Keep-Alive    timeout=5, max=100
    Location    f?p=125:101:0::::P101_USERNAME,P101_PASSWORD:PSINCLAIR,ioracle
    Pragma    no-cache
    Server    Oracle-Application-Server-11g
    Set-Cookie    WWV_CUSTOM-F_1046305524817659_125=ORA_WWV-YHEJdYj6oAD66KJWx2uj7OhM;HttpOnly
    X-DB-Content-length    0
    Request Headersview source
    Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding    gzip, deflate
    Accept-Language    en-US,en;q=0.5
    Connection    keep-alive
    Host    www.mysite.com
    User-Agent    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

     

    Tab HTML:

    ==========

    Reload the page to get source for: http://www.mysite.com/pls/apex/f?p=125:101:0::::P101_USERNAME,P101_PASSWORD:PSINCLAIR,ioracle

     

    Cache

    =======

    Empty

     

    Cookies

    =============

    WWV_CUSTOM-F_1046305524817659_125

    ORA_WWV-nYrXMocdEzIy8Uvi75D1CJMQ;HttpOnly

    ORA_WWV-nYrXMocdEzIy8Uvi75D1CJMQ;HttpOnly

    www.mysite.com

    74 B

    74 B

    Value
    ORA_WWV-nYrXMocdEzIy8Uvi75D1CJMQ;HttpOnly

     

     

     

     

    Net Window (repeated same call 21 times)

     

     

    GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle302 Foundmysite.com0 BXXXXXXXXX:80
    GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle302 Foundmysite.com0 BXXXXXXXXX:80
    GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle302 Foundmysite.com0 BXXXXXXXXX:80
    GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle302 Foundmysite.com0 BXXXXXXXXX:80
    GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle302 Foundmysite.com0 BXXXXXXXXX:80
    GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle302 Foundmysite.com0 BXXXXXXXXX:80

     

    Jan S.

  • 12. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Christian Neumueller Expert
    Currently Being Moderated

    Hi Jan,

     

    I guess there is something wrong with your before header branch. Is it really a branch to page accept? Can you post the details of this branch?

     

    Regards,

    Christian

  • 13. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    jstem1177 Explorer
    Currently Being Moderated

    Hello Christian,

     

    Here is my page.

     

    Page:    101 Login

    Name    Branch before header

    Type:    Branch to Page Accept Processing (not common)

     

    Branch Point

    ============

     

    *Sequence (Value Required)      : 10   

    *Branch Point (Value Required)    : On Load Before Header

    Action

    =========

    Page      :101

    Request    :10

     

    Conditions

    ===========

    Condition Type   : Value of Item / Comlumn Expression 1 is NOT NULL

    Expression 1    :P101_PASSWORD

       

    When Button Pressed

    ===================

     

    Security

    =======

    Authorization Scheme

     

    Configuration

    =============

    Build Option

     

    Comments

    ========

    Updated: 3 days ago - ADMIN

     

     

     

     

  • 14. Re: Error Page protection violation in APEX 4.2.2 - Login Page
    Christian Neumueller Expert
    Currently Being Moderated

    Hi Jan,

     

    did you enter a value of "10" for "Request"? The idea was to simulate login, so the request would have to be what the login button sends and the submit process waits for (typically "LOGIN"). Otherwise, the login process will not be triggered. It's probably best if you try to send the request with LEVEL9 debug. The debug logs should show us what's really going on when the engine processes such a request.

     

    Regards,

    Christian

1 2 Previous Next

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points