4 Replies Latest reply: Nov 26, 2013 2:59 AM by Christian Neumueller

    wwv_flow_custom_auth_std issue in 4.2.3

    cloaked

      Greetings,

       

      We are on APEX 4.1 and have an environment set up for the testing of 4.2.3.  In most of our APEX applications we have download procedures for downloading Oracle tables.  In order to prevent the procedures from being hacked and simply called via a URL with a valid row ID, we have an internal authorization check in the code of the procedures.  The code is listed below.  In the 4.2.3 environment the download procedures now return the 'Sorry, you cannot access that resource.' message.  Our DBA assures us that the only difference in the new environment is the 4.2.3 upgrade.  Is there an issue with wwv_flow_custom_auth_std in 4.2.3?  Are we using it correctly?  Is there a new/better method to perform the internal authorization check?  The process has worked fine until the upgrade.

       

      Thanks for any input you may have, Tony

       

        -- Tell the APEX engine which application the incoming session cookie belongs to
        apex_application.g_flow_id := 2140; 
        -- Reject the request unless the caller holds a valid APEX session for that application
        if not(wwv_flow_custom_auth_std.is_session_valid) then 
          htp.p('Sorry, you cannot access that resource.'); 
          return; 
        end if;
      
        • 1. Re: wwv_flow_custom_auth_std issue in 4.2.3
          Christian Neumueller

          Hi Tony,

           

          you would at least have to set the security group id, too (apex_util.set_security_group_id).

           

          However, while I realize that you have existing code that you probably do not want to re-write, you should consider getting rid of these stand alone procedures. File download can easily be implemented within the framework, with before header processes, on demand processes or restful services. You would automatically get all security features that we baked into APEX, a single app would contain all external interfaces and there would be no need to configure exceptions for the allowed externally called procedures.

           

          Regards,
          Christian
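The following is an added example and not code from the thread or from Oracle; it shows the stand-alone procedure pattern from the original post with the security group id set before the session check, as suggested in the reply above. The workspace name MYWS, application id 2140, the procedure name and the table app_documents(id, filename, mime_type, content) are assumptions for illustration.

```plsql
-- Added example (not from the thread). Assumed names: workspace MYWS,
-- application 2140, table app_documents(id, filename, mime_type, content BLOB).
create or replace procedure download_document (p_id in number)
as
    l_ws_id      number;
    l_filename   app_documents.filename%type;
    l_mime_type  app_documents.mime_type%type;
    l_content    app_documents.content%type;
begin
    -- Outside the APEX engine the session cookie is meaningless until APEX
    -- knows which workspace and application it should be validated against.
    l_ws_id := apex_util.find_security_group_id(p_workspace => 'MYWS');
    apex_util.set_security_group_id(p_security_group_id => l_ws_id);
    apex_application.g_flow_id := 2140;

    -- Callers with no valid APEX session for application 2140 get a 403 and
    -- never reach the SELECT below.
    if not apex_custom_auth.is_session_valid then
        owa_util.status_line(nstatus => 403, creason => 'Forbidden', bclose_header => true);
        htp.p('Sorry, you cannot access that resource.');
        return;
    end if;

    select filename, mime_type, content
      into l_filename, l_mime_type, l_content
      from app_documents
     where id = p_id;

    -- Stream the file with the headers a browser expects for a download.
    owa_util.mime_header(l_mime_type, false);
    htp.p('Content-Length: ' || dbms_lob.getlength(l_content));
    htp.p('Content-Disposition: attachment; filename="' || l_filename || '"');
    owa_util.http_header_close;
    wpg_docload.download_file(l_content);
exception
    when no_data_found then
        owa_util.status_line(nstatus => 404, creason => 'Not Found', bclose_header => true);
        htp.p('No such document.');
end;
/
```

Because this procedure is reached directly through the PL/SQL gateway rather than through f?p, it still has to be listed as an allowed externally called procedure (in the gateway's request validation function or ORDS configuration), and the row id in the URL is not covered by APEX session state protection; apex_custom_auth.is_session_valid is the public synonym for wwv_flow_custom_auth_std.is_session_valid used in the original post.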

          • 2. Re: wwv_flow_custom_auth_std issue in 4.2.3
            cloaked

            Hi Christian,

             

            Thanks for the feedback. 

             

            Since posting my original question we have found that there is a documented bug in 4.1.1 and 4.2 with the wwv_flow_custom_auth_std procedure.  I coded up the work around that Oracle suggested and the download procedure now works, but now a person can call our download procedure directly from a URL, without authentication, and have it work.  That was the same behavior we had in 4.1.1.

             

            Yes, in most instances we could just code up the procedure on a page, but we try to limit the PL/SQL procedures we have on pages.  Our standard is to put our functions and procedures in packages and call them from the page.  To complicate matters, we call the download procedure from a URL that is part of an image map's hotspot.  I may be missing something, but I don't know of an alternative to call the procedure when it is part of an image map hotspot.

             

            Thanks, Tony

            • 3. Re: wwv_flow_custom_auth_std issue in 4.2.3
              fac586

              cloaked wrote:

               

              Yes, in most instances we could just code up the procedure on a page, but we try to limit the PL/SQL procedures we have on pages.  Our standard it to put our functions and procedures in packages and call them from the page.  To complicate matters, we call the download procedure from a URL that is part of an image map's hotspot.  I may be missing something, but I don't know of an alternative to call the procedure when it is part of an image map hotspot.

              Use an on-demand process for file download rather than calling external procedures directly (the ODP can be used as a wrapper to call the existing procedure). This allows files to be viewed/downloaded within the APEX security model, including the use of session state protection to prevent URL tampering.

              • 4. Re: wwv_flow_custom_auth_std issue in 4.2.3
                Christian Neumueller

                Hi Tony,

                 

                can you please explain why image maps should pose a problem with APEX processes? The area tag has a href attribute, where you can put

                 

                  f?p=&APP_ID.:&APP_PAGE_ID.:&SESSION.:APPLICATION_PROCESS%3Dmy_odp:...

                 

                or

                 

                  javascript:someActionThatMakesAnAPEXRequest()

                 

                if you prefer that.

                 

                Regards,

                Christian
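The following is an added example (not code from the thread or from Oracle) that puts together the on-demand process wrapper from reply 3 and the image map href from reply 4, with a checksummed URL so that session state protection covers the row id. The application process name DOWNLOAD_DOC, the application item DOWNLOAD_ID, the image name floorplan.png and the table app_documents(id, label, coords, filename, mime_type, content) are assumptions for illustration; apex_application.stop_apex_engine is assumed to be available (it was introduced in APEX 4.2).

```plsql
-- Added example (not from the thread). Assumed: on-demand application process
-- DOWNLOAD_DOC, application item DOWNLOAD_ID with session state protection set
-- to "Checksum Required - Session Level", and table
-- app_documents(id, label, coords, filename, mime_type, content BLOB).

-- 1) Source of the on-demand application process DOWNLOAD_DOC.
--    The engine has already authenticated the session and rejected a tampered
--    DOWNLOAD_ID checksum before this code runs, so only the download is left.
declare
    l_filename   app_documents.filename%type;
    l_mime_type  app_documents.mime_type%type;
    l_content    app_documents.content%type;
begin
    select filename, mime_type, content
      into l_filename, l_mime_type, l_content
      from app_documents
     where id = to_number(:DOWNLOAD_ID);

    owa_util.mime_header(l_mime_type, false);
    htp.p('Content-Length: ' || dbms_lob.getlength(l_content));
    htp.p('Content-Disposition: attachment; filename="' || l_filename || '"');
    owa_util.http_header_close;
    wpg_docload.download_file(l_content);
    -- Stop APEX from appending a page to the binary response.
    apex_application.stop_apex_engine;
exception
    when no_data_found then
        raise_application_error(-20001, 'No such document.');
end;

-- 2) Source of a PL/SQL region that renders the image map. Each hotspot's
--    href is built with apex_util.prepare_url so it carries a session-level
--    checksum for DOWNLOAD_ID; editing the id in the URL invalidates it.
declare
    l_url varchar2(4000);
begin
    htp.p('<img src="#APP_IMAGES#floorplan.png" usemap="#docmap" alt="Floor plan">');
    htp.p('<map name="docmap">');
    for r in (select id, label, coords from app_documents order by id) loop
        l_url := apex_util.prepare_url(
                     p_url           => 'f?p=' || :APP_ID || ':' || :APP_PAGE_ID || ':' || :APP_SESSION
                                        || ':APPLICATION_PROCESS=DOWNLOAD_DOC:::DOWNLOAD_ID:' || r.id,
                     p_checksum_type => 'SESSION');
        htp.p('<area shape="rect" coords="' || r.coords || '" href="' || l_url
              || '" alt="' || htf.escape_sc(r.label) || '">');
    end loop;
    htp.p('</map>');
end;
```

The checksum is only enforced when session state protection is enabled at the application level and on the DOWNLOAD_ID item; with it switched off, prepare_url still emits a working URL, but the id becomes editable again. The existing packaged download procedure can be called from step 1 in place of the inline SELECT and header code, which keeps the page free of business logic as the thread's coding standard requires.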