18 Replies. Latest reply: Feb 2, 2014 3:41 PM by jstem1177

    Error Page protection violation in APEX 4.2.2 - Login Page

    jstem1177

      Hello All,

       

      I've got an in-house application (extremely custom application ;-) )  that used dynamic action to login to apex without loading the login page.

      However, after upgrading from 3.2.1 I found out that this "approach" is now being met with the famous "Error Page Protection".

       

      I've disabled all the session state protection and all. I do have a check_sum on the page.

       

      What I need is to completely turn these checks off. This APEX is only for a small workgroup inside an intranet, but we are looking to make it available to some other employees?

       

      I've read about the error and nothing seems to pertain to my issue. The error is directly on the login page. It happens when I submit a complete url to the login page from my application.

       

      I understand this is to protect applications, but I insist on hacking my own APEX application. I do want to manipulate my page items!!!

       

      Can someone advise how to OVERRIDE this protection feature.

       

      Thanks in advance for any suggestions.

       

      Jan S,

        • 1. Re: Error Page protection violation in APEX 4.2.2 - Login Page
          Joni Vandenberghe

          Do you have read only, disabled or hidden & protected items on the page? Those could all cause issues even if your checksum is not enabled.

          • 2. Re: Error Page protection violation in APEX 4.2.2 - Login Page
            jstem1177

            Hello Joni,

             

            None that I know of. I used the pages --> Create Login page (APEX authentication). Nothing else. State protection is turned off on all pages. However, the application is running in Pre 4.1 mode, however I would be really surprised that this would cause such an error.

             

            Thanks in advance for your assistance.


            Jan S.

            • 3. Re: Error Page protection violation in APEX 4.2.2 - Login Page
              Christian Neumueller-Oracle

              Hi Jan,

               

              overriding this check should not be possible (or I have to work on a security fix). However, maybe we can find a way to work around the problems that you encounter. Can you please explain what you are exactly trying to accomplish and where it fails? Maybe you could even create a simple test case on apex.oracle.com.

               

              Regards,

              Christian

              • 4. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                jstem1177

                Hello Christian,

                 

                In short, I have a desktop application that has a login window. What I do is take in the username and password and attach them as parameters p_t01 & p_t02 to an AJAX call which submits a URL containing the p_arg_names (argument ## representing the username text field and password text field) and sends that to the APEX login page of my application.

                 

                This was possible to do in 3.2.1 and would be a great loss to us if we cannot work around this. This is only in-house and inside our VPN. Furthermore, we cannot opt for no login as the application uses roles which are bound to the user.

                 

                Thanks

                 

                Jan S.

                • 5. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                  Christian Neumueller-Oracle

                  Hi Jan,

                   

                  so you are creating a wwv_flow.accept request from the desktop application to page 101 of your APEX application. As you probably know, passing credentials in URLs is not secure, but let's ignore that for now, because the point is to hack your own application, as you mentioned above :-) How about this:

                   

                  1. generate a normal f?p request, e.g. f?p=12345:101:0::::P101_USERNAME,P101_PASSWORD:JanS,JanSPassword

                  2. on your login page, add a before header branch to page accept, with target page 101 and request LOGIN

                  3. add a condition to this branch, so APEX only uses it if P101_PASSWORD is not null

                   

                  Regards,
                  Christian
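As Christian notes in the post above, an f?p URL built this way carries the password in the request line, so it ends up in web server access logs and browser history. The following is an added example, not code from any poster or from APEX: it splits an f?p value into its documented positional fields (app, page, session, request, debug, clear cache, item names, item values, printer friendly) and masks the values of password-like items before a log line is stored or shared. The function names, the `SENSITIVE` pattern and the sample log line are assumptions made for illustration; URL-encoded values and values wrapped in backslashes are not handled.

```python
import re

# Positional fields of the f?p value, in APEX's documented order.
FP_FIELDS = ("app", "page", "session", "request", "debug", "clear_cache",
             "item_names", "item_values", "printer_friendly")
# Assumption: item names matching this pattern carry secrets.
SENSITIVE = re.compile(r"PASS|PWD|SECRET|TOKEN", re.IGNORECASE)
# The f?p value runs up to whitespace, '&' or a quote in a log line.
FP_RE = re.compile(r"(?<=f\?p=)[^\s&\"']+")

# Constructed access-log line using the example URL from the post above.
SAMPLE = ('192.0.2.10 - - [30/Jan/2014:14:41:09 +0000] "GET /pls/apex/'
          'f?p=12345:101:0::::P101_USERNAME,P101_PASSWORD:JanS,JanSPassword'
          ' HTTP/1.1" 302 0')


def parse_fp(value):
    """Split an f?p value into named fields plus an item-name -> value map."""
    parts = value.split(":")
    parts += [""] * (len(FP_FIELDS) - len(parts))   # pad omitted trailing fields
    fields = dict(zip(FP_FIELDS, parts))
    names = [n for n in fields["item_names"].split(",") if n]
    fields["items"] = dict(zip(names, fields["item_values"].split(",")))
    return fields


def redact_value(value):
    """Mask the values of sensitive-looking items, leaving the rest intact."""
    parts = value.split(":")
    if len(parts) < 8:                # URL carries no item values
        return value
    names = parts[6].split(",")
    parts[7] = ",".join(
        "***" if i < len(names) and SENSITIVE.search(names[i]) else v
        for i, v in enumerate(parts[7].split(",")))
    return ":".join(parts)


def redact_line(line):
    """Redact every f?p value found in a log line."""
    return FP_RE.sub(lambda m: redact_value(m.group(0)), line)


if __name__ == "__main__":
    print(parse_fp(FP_RE.search(SAMPLE).group(0))["items"])
    print(redact_line(SAMPLE))
```
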

                  • 6. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                    jstem1177

                    Christian,

                     

                    YOU ARE AWESOME. Worked like a charm.

                     

                    On another note, I confirm that the flow.accept approach with the argument names caused the same "Page Protection" error. Will see if there are any effects of turning state page protection back ON.

                     

                    Anyways, once more, thanks for the awesome assistance. HACK YOUR OWN APEX!

                     

                    Thank you very much.

                    • 7. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                      Recx Ltd

                      In case you do not want to add a branch, you can make the request equal "BRANCH_TO_PAGE_ACCEPT", it should log you in.

                       

                      f?p=12345:101:0:BRANCH_TO_PAGE_ACCEPT:::P101_USERNAME,P101_PASSWORD:JanS,JanSPassword


                      regards,

                      • 8. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                        Christian Neumueller-Oracle

                        Right, because there is typically no button condition on the login process.

                         

                        Regards,
                        Christian

                        • 9. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                          jstem1177

                          Hello Christian and all,

                           

                          Well, I don't know what I might have done wrong or if something changed in 4.2.4, but I'm getting the following error:

                           

                          The page isn't redirecting properly

                           

                          Firefox has detected that the server is redirecting the request for this address in a way that will never complete.


                          I've followed the below instructions and I might be missing something?


                          1. generate a normal f?p request, e.g. f?p=12345:101:0::::P101_USERNAME,P101_PASSWORD:JanS,JanSPassword

                          2. on your login page, add a before header branch to page accept, with target page 101 and request LOGIN

                          3. add a condition to this branch, so APEX only uses it if P101_PASSWORD is not null

                           

                          I really appreciate your help. Trust me when I say, I'm really up to no good with APEX ;-) and trying to push the limits, as I think it's a fantastic product.

                           

                          Jan S.

                          • 10. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                            Christian Neumueller-Oracle

                            Hi Jan,

                             

                            please use a tool like FireBug or the built-in Developer Tools to check the URLs that this redirect loop produces. Can you post some examples here?

                             

                            Regards,

                            Christian

                            • 11. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                              jstem1177

                              Hello Christian,

                               

                               

                              Thanks in advance for your assistance.

                               

                              So I ran the test in Firebug, but I cannot see where it's redirecting to. All the details are the same for every call.

                               

                              Tab Params:

                              ===========

                              p   125:101:0::::P101_USERNAME,P101_PASSWORD:PSINCLAIR,ioracle

                               

                              Tab Headers:

                              =================

                              Cache-Control    no-cache, no-store, max-age=0, must-revalidate
                              Connection    Keep-Alive
                              Content-Language    en
                              Content-Length    0
                              Content-Type    text/html; charset=UTF-8
                              Date    Thu, 30 Jan 2014 14:41:09 GMT
                              Keep-Alive    timeout=5, max=100
                              Location    f?p=125:101:0::::P101_USERNAME,P101_PASSWORD:PSINCLAIR,ioracle
                              Pragma    no-cache
                              Server    Oracle-Application-Server-11g
                              Set-Cookie    WWV_CUSTOM-F_1046305524817659_125=ORA_WWV-YHEJdYj6oAD66KJWx2uj7OhM;HttpOnly
                              X-DB-Content-length    0
                              Request Headers
                              Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding    gzip, deflate
                              Accept-Language    en-US,en;q=0.5
                              Connection    keep-alive
                              Host    www.mysite.com
                              User-Agent    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

                               

                              Tab HTML:

                              ==========

                              Reload the page to get source for: http://www.mysite.com/pls/apex/f?p=125:101:0::::P101_USERNAME,P101_PASSWORD:PSINCLAIR,ioracle

                               

                              Cache

                              =======

                              Empty

                               

                              Cookies

                              =============

                              Name: WWV_CUSTOM-F_1046305524817659_125

                              Value: ORA_WWV-nYrXMocdEzIy8Uvi75D1CJMQ;HttpOnly

                              Domain: www.mysite.com

                              Size: 74 B

                               

                               

                               

                               

                              Net Window (repeated same call 21 times)

                               

                               

                              GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle    302 Found    mysite.com    0 B    XXXXXXXXX:80
                              GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle    302 Found    mysite.com    0 B    XXXXXXXXX:80
                              GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle    302 Found    mysite.com    0 B    XXXXXXXXX:80
                              GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle    302 Found    mysite.com    0 B    XXXXXXXXX:80
                              GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle    302 Found    mysite.com    0 B    XXXXXXXXX:80
                              GET f?p=125:101:0::::P101_U...SWORD:PSINCLAIR,ioracle    302 Found    mysite.com    0 B    XXXXXXXXX:80

                               

                              Jan S.

                              • 12. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                                Christian Neumueller-Oracle

                                Hi Jan,

                                 

                                I guess there is something wrong with your before header branch. Is it really a branch to page accept? Can you post the details of this branch?

                                 

                                Regards,

                                Christian

                                • 13. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                                  jstem1177

                                  Hello Christian,

                                   

                                  Here is my page.

                                   

                                  Page:    101 Login

                                  Name    Branch before header

                                  Type:    Branch to Page Accept Processing (not common)

                                   

                                  Branch Point

                                  ============

                                   

                                  *Sequence (Value Required)      : 10   

                                  *Branch Point (Value Required)    : On Load Before Header

                                  Action

                                  =========

                                  Page      :101

                                  Request    :10

                                   

                                  Conditions

                                  ===========

                                  Condition Type   : Value of Item / Column in Expression 1 is NOT NULL

                                  Expression 1    :P101_PASSWORD

                                     

                                  When Button Pressed

                                  ===================

                                   

                                  Security

                                  =======

                                  Authorization Scheme

                                   

                                  Configuration

                                  =============

                                  Build Option

                                   

                                  Comments

                                  ========

                                  Updated: 3 days ago - ADMIN

                                   

                                   

                                   

                                   

                                  • 14. Re: Error Page protection violation in APEX 4.2.2 - Login Page
                                    Christian Neumueller-Oracle

                                    Hi Jan,

                                     

                                    did you enter a value of "10" for "Request"? The idea was to simulate login, so the request would have to be what the login button sends and the submit process waits for (typically "LOGIN"). Otherwise, the login process will not be triggered. It's probably best if you try to send the request with LEVEL9 debug. The debug logs should show us what's really going on when the engine processes such a request.

                                     

                                    Regards,

                                    Christian
