4 Replies Latest reply: Nov 26, 2013 12:59 AM by Christian Neumueller

wwv_flow_custom_auth_std issue in 4.2.3

cloaked Newbie

Greetings,

We are on APEX 4.1 and have an environment set up for the testing of 4.2.3.  In most of our APEX applications we have download procedures for downloading Oracle tables.  In order to prevent the procedures from being hacked and simply called via a URL with a valid row ID we have an internal authorization check in the code of the procedures.  The code is listed below.  In the 4.2.3 environment the download procedures now return the 'Sorry, you cannot access that resource.' message.  Our DBA assures us that the only difference in the new environment is the 4.2.3 upgrade.  Is there an issue with wwv_flow_custom_auth_std in 4.2.3?  Are we using it correctly?  Is there a new/better method to perform the internal authorization check? The process has worked fine until the upgrade.

Thanks for any input you may have, Tony

  -- guard at the top of each stand-alone download procedure:
  -- tell APEX which application the request belongs to, then ask whether
  -- the caller's session cookie maps to a valid session for that application
  apex_application.g_flow_id := 2140;
  if not(wwv_flow_custom_auth_std.is_session_valid) then
    htp.p('Sorry, you cannot access that resource.');
    return;
  end if;

  • 1. Re: wwv_flow_custom_auth_std issue in 4.2.3
    Christian Neumueller Expert

    Hi Tony,

    You would at least have to set the security group id, too (apex_util.set_security_group_id).

    However, while I realize that you have existing code that you probably do not want to re-write, you should consider getting rid of these stand-alone procedures. File download can easily be implemented within the framework, with before-header processes, on-demand processes or RESTful services. You would automatically get all security features that we baked into APEX, a single app would contain all external interfaces and there would be no need to configure exceptions for the allowed externally called procedures.

    Regards,
    Christian
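
A package-level guard that applies the advice in this reply, added here as an example; it is not code from any post in this thread. The package name download_guard, the workspace name, the download_table procedure and the reuse of application id 2140 from the question are assumptions, and the guard also answers with an HTTP 403 instead of a 200 carrying a message, so that a refused request is visible as such in proxies and access logs.

```plsql
-- Added example (not from any poster): a guard that every stand-alone
-- download procedure calls first. Names and ids below are placeholders.
create or replace package download_guard as
  function require_valid_session return boolean;
end download_guard;
/

create or replace package body download_guard as
  c_app_id    constant number       := 2140;            -- hypothetical app id
  c_workspace constant varchar2(30) := 'MY_WORKSPACE';  -- hypothetical workspace

  -- Returns true when the browser's APEX session cookie resolves to a valid
  -- session of c_app_id. Otherwise sends an HTTP 403 and returns false, so the
  -- caller can stop before any table data is written to the response.
  function require_valid_session return boolean is
  begin
    -- both ids are needed: the application id alone (the original guard)
    -- is not enough; the reply above says the security group id must be set too
    apex_application.g_flow_id := c_app_id;
    apex_util.set_security_group_id(
      p_security_group_id => apex_util.find_security_group_id(p_workspace => c_workspace));

    if wwv_flow_custom_auth_std.is_session_valid then
      return true;
    end if;

    -- a real 403 instead of a 200 with an error string: monitoring and
    -- access logs then record the refusal as a refusal
    owa_util.status_line(nstatus => 403, creason => 'Forbidden', bclose_header => true);
    htp.p('Sorry, you cannot access that resource.');
    return false;
  end require_valid_session;
end download_guard;
/

-- hypothetical existing download procedure, now guarded on its first statement
create or replace procedure download_table(p_row_id in number) as
begin
  if not download_guard.require_valid_session then
    return;
  end if;
  -- ... the existing code that streams the requested rows follows here ...
  null;
end download_table;
/
```
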

  • 2. Re: wwv_flow_custom_auth_std issue in 4.2.3
    cloaked Newbie

    Hi Christian,

    Thanks for the feedback.

    Since posting my original question we have found that there is a documented bug in 4.1.1 and 4.2 with the wwv_flow_custom_auth_std procedure.  I coded up the workaround that Oracle suggested and the download procedure now works, but now a person can call our download procedure directly from a URL, without authentication, and have it work.  That was the same behavior we had in 4.1.1.

    Yes, in most instances we could just code up the procedure on a page, but we try to limit the PL/SQL procedures we have on pages.  Our standard is to put our functions and procedures in packages and call them from the page.  To complicate matters, we call the download procedure from a URL that is part of an image map's hotspot.  I may be missing something, but I don't know of an alternative to call the procedure when it is part of an image map hotspot.

    Thanks, Tony

  • 3. Re: wwv_flow_custom_auth_std issue in 4.2.3
    fac586 Guru

    cloaked wrote:

    Yes, in most instances we could just code up the procedure on a page, but we try to limit the PL/SQL procedures we have on pages.  Our standard is to put our functions and procedures in packages and call them from the page.  To complicate matters, we call the download procedure from a URL that is part of an image map's hotspot.  I may be missing something, but I don't know of an alternative to call the procedure when it is part of an image map hotspot.

    Use an on-demand process for file download rather than calling external procedures directly (the ODP can be used as a wrapper to call the existing procedure). This allows files to be viewed/downloaded within the APEX security model, including the use of session state protection to prevent URL tampering.

  • 4. Re: wwv_flow_custom_auth_std issue in 4.2.3
    Christian Neumueller Expert

    Hi Tony,

    Can you please explain why image maps should pose a problem with APEX processes? The area tag has an href attribute, where you can put

      f?p=&APP_ID.:&APP_PAGE_ID.:&SESSION.:APPLICATION_PROCESS%3Dmy_odp:...

    or

      javascript:someActionThatMakesAnAPEXRequest()

    if you prefer that.

    Regards,

    Christian
