13 Replies Latest reply: Aug 3, 2008 12:40 PM by dmcghan

Authentication Schemes

SaraB Newbie
Hi

I need some advice on authentication schemes. I'm in the process of designing an application that will be used by a number of different customers, each in their own environment.

Some customers want to log in using LDAP authentication, others want to log in using database accounts. Those that want to use LDAP may also want to log in using a different database account.

Is this possible?

I've tried searching the forum, but couldn't find anyone asking anything similar. If I've missed it, please let me know.

Thanks
Sara
  • 1. Re: Authentication Schemes
    dmcghan Oracle ACE
    Sara,

    How would you deal with a situation in which Bill Smith was in the LDAP directory, Bob Smith was in DB, and their APP_USER in each system is BSMITH?

    All logging functions using the APP_USER could not really be trusted.

    Regards,
    Dan

    http://danielmcghan.us/
    http://sourceforge.net/projects/tapigen/
  • 2. Re: Authentication Schemes
    Tyler Expert
    Not sure I agree with the strategy of having credentials spread across all of these sources, but you could probably write your own authentication scheme to handle this. Another option is to use Oracle Virtual Directory to combine them all into one LDAP view.
  • 3. Re: Authentication Schemes
    dmcghan Oracle ACE
    Sara,

    The problem I see with this is that the authentication function can only take in two parameters: username and password. You would need a third to indicate what source to hit on.

    Regards,
    Dan

    http://danielmcghan.us/
    http://sourceforge.net/projects/tapigen/
  • 4. Re: Authentication Schemes
    650665 Newbie
    Using a custom authentication scheme that ran through a PL/SQL process, you could do as Dan suggests and customize a login page that passed a variable that selected the login source...
  • 5. Re: Authentication Schemes
    SaraB Newbie
    Thanks for the feedback. Writing a custom authentication scheme sounds like the way to go. For those customers not using LDAP, how would I code my authentication scheme to check the database credentials?

    Any pointers appreciated. Authentication schemes are totally confusing me at present!
  • 6. Re: Authentication Schemes
    dmcghan Oracle ACE
    Sara,

    If you have a workspace on apex.oracle.com and can provide me with some credentials to login, I'll create an example for you.

    Regards,
    Dan

    http://danielmcghan.us/
    http://sourceforge.net/projects/tapigen/
  • 7. Re: Authentication Schemes
    SaraB Newbie
    Hi Dan

    Details sent by email (hopefully!).

    Thanks
    Sara
  • 8. Re: Authentication Schemes
    dmcghan Oracle ACE
    Sara,

    Ok, did the following:

    1. Created a select list on the login page to allow the user to select the method of authentication.

    2. Created a function called CUSTOM_AUTH that looks at the select list to determine how to authenticate.

    3. Created a new authentication scheme that called the CUSTOM_AUTH function.

    You can log in using choice 1 with sara/password and sara/sara using choice 2.

    This is the basic idea that will allow you to accomplish what you want to do.

    Regards,
    Dan

    http://danielmcghan.us/
    http://sourceforge.net/projects/tapigen/
  • 9. Re: Authentication Schemes
    SaraB Newbie
    Hi Dan

    Thanks for this; however, this was as far as I got. Any ideas on how you would actually check the database credentials? I know you can use apex_util.is_login_password_valid, which validates the APEX user password. Is there something similar to validate database user credentials?

    Alternatively, is there a way to change the authentication scheme used in the application before the user logs in? I've had a look through APEX_UTIL, APEX_INSTANCE_ADMIN and APEX_CUSTOM_AUTH but couldn't see anything. Perhaps I've missed it or it isn't obvious.

    Thanks
    Sara
  • 10. Re: Authentication Schemes
    60437 Employee ACE
    Sara,

    There is no exposed function to check a schema password in Oracle. You might consider the approach I outlined here: Re: SSO Authentication and User defined Authentication in same application.

    Scott
  • 11. Re: Authentication Schemes
    SaraB Newbie
    Brilliant idea, thank you Scott. I knew there must be a simple solution; I just couldn't think of it!

    Thanks
    Sara
  • 12. Re: Authentication Schemes
    dmcghan Oracle ACE
    Sara,

    I see your dilemma now. Scott's suggestion would be the best, as you wouldn't have to reinvent the wheel in terms of creating a function that validates against the server. However, I did find a way to do it...

    You would basically create a function that creates a db link with the supplied credentials and then attempts to use the db link to do something like 'SELECT 1 FROM DUAL'. If it succeeds, then the password is valid, and if not, you just use a nested subprocedure to catch the errors in the right spot and return false.

    See here:
    http://www.tek-tips.com/viewthread.cfm?qid=728921

    Regards,
    Dan

    http://danielmcghan.us/
    http://sourceforge.net/projects/tapigen/
  • 13. Re: Authentication Schemes
    dmcghan Oracle ACE
    Sara,

    I've created an example function that can be viewed here:
    http://www.danielmcghan.us/2008/08/custom-authentication-via-db.html

    Regards,
    Dan

    http://danielmcghan.us/
    http://sourceforge.net/projects/tapigen/
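
Added example, not part of the thread and not Dan's CUSTOM_AUTH function: one way the approach from replies 8 and 12 could look as an APEX authentication function, dispatching on the login-page select list and checking database credentials through a short-lived database link. The page item P101_AUTH_SOURCE, the TNS alias LOCALDB, and the LDAP host and search base are assumed names; the parsing schema needs the CREATE DATABASE LINK privilege.

```plsql
-- Added example. Assumed names: P101_AUTH_SOURCE, LOCALDB, LDAP host/search base.
create or replace function custom_auth (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_source varchar2(4000) := v('P101_AUTH_SOURCE');  -- value of the select list
    -- Nested function: try the credentials through a short-lived database link.
    function db_login_ok return boolean
    is
        pragma autonomous_transaction;  -- the DDL below commits implicitly
        l_link varchar2(30) := 'AUTHCHK_' || sys_context('userenv', 'sessionid');
        l_ok   boolean := false;
        l_one  number;
    begin
        -- DDL takes no bind variables: validate both values before concatenating.
        if instr(p_password, '"') > 0 then return false; end if;
        execute immediate 'create database link ' || l_link
            || ' connect to ' || dbms_assert.simple_sql_name(p_username)
            || ' identified by "' || p_password || '" using ''LOCALDB''';
        begin
            execute immediate 'select 1 from dual@' || l_link into l_one;
            l_ok := true;
            rollback;  -- end the distributed transaction so the link can be closed
            execute immediate 'alter session close database link ' || l_link;
        exception
            when others then rollback;  -- e.g. ORA-01017: credentials rejected
        end;
        execute immediate 'drop database link ' || l_link;
        return l_ok;
    exception
        when others then return false;  -- invalid user name or DDL failure
    end db_login_ok;
begin
    -- An empty password can be accepted by an LDAP server as an anonymous bind.
    if p_password is null then return false; end if;
    if l_source = 'LDAP' then
        return apex_ldap.authenticate(
            p_username => p_username, p_password => p_password,
            p_search_base => 'cn=Users,dc=example,dc=com',
            p_host => 'ldap.example.com', p_port => '389');
    elsif l_source = 'DB' then
        return db_login_ok;
    end if;
    return false;  -- unknown or missing source: deny
end custom_auth;
/
```

Failed checks through the link are ordinary failed logons for the target account and count toward its FAILED_LOGIN_ATTEMPTS profile limit. APP_USER alone does not record which source was chosen, which is the logging concern raised in reply 1.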