13 Replies Latest reply: Oct 28, 2011 9:04 AM by rizwanarshad

    Logout Problem 4.01

    Justin Patterson
      My app uses the procedure wwv_flow_custom_auth_std.logout_then_go_to_url. This worked in 3.2 but has now stopped working in 4.0.1.00.03.


      Here is info from my instance and from apex.oracle.com. Neither is working, but they give slightly different errors:

      Authentication scheme:
      Application express - Current
      Logout url:
      wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://www.yahoo.com

      url listed when hovering over:
      http://myhost:7777/apex/ltest/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=122:http://www.yahoo.com

      page says:
      Not Found
      The requested URL /apex/ltest/wwv_flow_custom_auth_std.logout_then_go_to_url was not found on this server.

      http server error_log:
      [Tue Aug 24 13:29:51 2010] [error] [client xxx.xxx.xx.xx] [ecid: 1282670991:xxx.xxx.xx.xxx:5551:0:1695,0] mod_plsql: /apex/ltest/wwv_flow_custom_auth_std.logout_then_go_to_url HTTP-404 ORA-20018: Unauthorized URL: http://www.yahoo.com\nORA-06512: at "APEX_040000.WWV_FLOW_SECURITY", line 3611\nORA-06512: at "APEX_040000.WWV_FLOW_CUSTOM_AUTH_STD", line 1609\nORA-06512: at "APEX_040000.WWV_FLOW_CUSTOM_AUTH_STD", line 2228\nORA-06512: at line 22\n


      So I tried it on apex.oracle.com. I uploaded my app and I get a similar message, but not the same. Not sure what the http server log says:

      http://apex.oracle.com/pls/apex/f?p=24128
      workspace: epic
      app 24128

      logout url:
      http://apex.oracle.com/pls/apex/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=24128:http://www.yahoo.com

      page says:
      Not Found

      Sorry!The page requested was not found.


      On my instance as an apex app user:
      desc wwv_flow_custom_auth_std
      PROCEDURE
      -------------------------------------------
      AUTHENTICATION_STATUS
      AUTHENTICATION_STATUS
      FLOWCHART_LOGIN
      FLOWCHART_PERPAGE
      GET_COOKIE_PROPS
      GET_COOKIE_PROPS
      GET_COOKIE_PROPS
      GET_COOKIE_PROPS
      GET_COOKIE_PROPS
      GET_LDAP_PROPS
      GET_LDAP_PROPS
      GET_LDAP_PROPS
      GET_LDAP_PROPS
      GET_LDAP_PROPS
      GET_LDAP_PROPS
      GET_LDAP_PROPS
      GET_SESSION_ID_FROM_COOKIE (FUNCTION)
      GET_USERNAME (FUNCTION)
      IS_SESSION_VALID (FUNCTION)
      LDAP_AUTHENTICATE (FUNCTION)
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_AUTHENTICATE
      LDAP_DNPREP (FUNCTION)
      LDAP_DNPREP
      LOGIN
      LOGIN
      LOGIN
      LOGIN
      LOGIN
      LOGIN
      LOGIN
      LOGIN_PAGE
      LOGOUT
      LOGOUT
      LOGOUT
      LOGOUT
      LOGOUT_THEN_GO_TO_PAGE
      LOGOUT_THEN_GO_TO_URL
      PORTAL_SSO_SENTRY_V0 (FUNCTION)
      PORTAL_SSO_SENTRY_V1 (FUNCTION)
      POST_LOGIN
      POST_LOGIN
      POST_LOGIN
      POST_LOGIN
      POST_LOGIN
      POST_LOGIN
      REMOVE_SESSION
      WS_LOGIN
      WS_LOGIN
      WS_LOGIN
      WS_LOGIN
      WS_LOGIN
      WS_LOGIN
      WS_LOGIN
      WS_LOGIN
      WS_LOGOUT
      WS_LOGOUT
      WS_LOGOUT
      WS_POST_LOGIN
      WS_POST_LOGIN
      WS_POST_LOGIN
      WS_POST_LOGIN
      WS_POST_LOGIN
      WS_POST_LOGIN

      select object_name, object_type, status
      FROM DBA_OBJECTS
      where object_name = 'WWV_FLOW_CUSTOM_AUTH_STD';

      object_name                  object_type    status
      ---------------------------  -------------  ------
      WWV_FLOW_CUSTOM_AUTH_STD     SYNONYM        VALID
      WWV_FLOW_CUSTOM_AUTH_STD     PACKAGE        VALID
      WWV_FLOW_CUSTOM_AUTH_STD     PACKAGE BODY   VALID
      WWV_FLOW_CUSTOM_AUTH_STD     PACKAGE        VALID
      WWV_FLOW_CUSTOM_AUTH_STD     PACKAGE BODY   VALID


      Any ideas?
      Thanks in advance,
      Justin
        • 1. Re: Logout Problem 4.01
          joelkallman-Oracle
          Hi Justin,

          A new feature was added to Application Express 4.0 named "Authorized URLs". The instance administrator now has the responsibility of determining which URLs can be safely redirected to from their instance.

          http://download.oracle.com/docs/cd/E17556_01/doc/relnotes.40/e15512/toc.htm#BABIJICD

          Joel
          • 2. Re: Logout Problem 4.01
            Justin Patterson
            Joel,

            That did the trick! I overlooked this when reading through the docs before.

            Thanks,
            Justin
            • 3. Re: Logout Problem 4.01
              SaraB
              Hi Joel

               Can you please advise how to turn this feature off? I'm not 100% sure why this is required; surely it is up to the developers to ensure they are redirecting to the correct URL?

              In my scenario, we have a hosted environment. We have numerous workspaces, all used by a different customer, using our application. Through our application the customer can specify a URL to logout to. There are certain restrictions on the URL, but it would be impossible for us to be able to list all the URLs that could be used. Therefore we need to turn this feature off in order to use APEX 4.

              Thanks
              Sara
              • 4. Re: Logout Problem 4.01
                joelkallman-Oracle
                Hi Sara,

                This feature was implemented so someone would be prevented from providing a link to your site which would ultimately redirect to another site. That's very dangerous. So, it must be from a list of pre-defined URLs which are authorized to be redirected to. We implemented this at the instance level, but as you suggest, it would also be ideal to have this controlled at the workspace level too.

                So I have good news and bad news. The bad news is that there is no switch to turn this off. It's a security feature that should not be allowed to be disabled.

                 Now the good news - there is no validation performed on the page where you enter Authorized URLs. So you can enter any arbitrary string - it doesn't have to be a well-formed URL. And only a portion of the developer-provided URL must match for it to be considered "authorized". Thus, at the instance level, simply enter two authorized URLs of:

                http://
                https://

                and you will have enabled your workspace developers to enter any URL to redirect to. Keep in mind, though, that you are now essentially making your entire instance open to URL redirection.

                I hope this helps.

                Joel
                • 5. Re: Logout Problem 4.01
                  SaraB
                  Hi Joel

                  Thanks for the update. I've added those URLs and it now works for us. It wasn't clear from the help that this was possible. It read to me that the redirect URL needed to exactly match an authorised URL.

                  For us URL redirection isn't so much of a problem. We build the URL to redirect to dynamically and then call APEX_CUSTOM_AUTH.LOGOUT from a process in the application.

                  From your description of the issue, I assume the problem is to do with the redirect URL being specified in a URL i.e. APEX_CUSTOM_AUTH.LOGOUT is called from a URL. Perhaps an alternative is for there to be an option to prevent this package from being called in the URL? This allows developers much more options, whilst still providing a useful security feature.

                  Sara
                  • 6. Re: Logout Problem 4.01
                    rizwanarshad
                    Joel,

                     Is there an API available to achieve the same thing in a SQL script?

                    Thanks,
                    Riz
                    • 7. Re: Logout Problem 4.01
                      Patrick Wolf-Oracle
                      Hi Riz,

                      Have a look at the following procedures/functions in the package APEX_INSTANCE_ADMIN:

                      procedure add_authorized_url(
                          p_url                 in varchar2,
                          p_description         in varchar2 default null );

                      procedure remove_authorized_url(
                          p_url                 in varchar2 );

                      function get_authorized_urls return wwv_flow_global.vc_arr2;

                      They are not yet documented in http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_instance.htm#CACGJEDD but they are safe to use.

                      Regards
                      Patrick
                      -----------
                      My Blog: http://www.inside-oracle-apex.com
                      APEX 4.0 Plug-Ins: http://apex.oracle.com/plugins
                      Twitter: http://www.twitter.com/patrickwolf
                      • 8. Re: Logout Problem 4.01
                        rizwanarshad
                        Thanks Patrick
                        • 9. Re: Logout Problem 4.01
                          RAKESH CHUNCHEGOWDA
                          Hi Joel,

                          I have placed below URL under logout URL in SSO Authentication Scheme.
                          wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:<Single Sign-off URL>?p_done_url=http://host.domain/pls/apex/f?p=&APP_ID.:PUBLIC_PAGE

                          When the user clicks the LOGOUT link, the user is prompted with a pop-up saying "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?" with a Continue and Cancel button.

                          On selecting Continue, the user is thrown an error:
                          Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
                          Error ERR-7620 Could not determine workspace for application ().

                          Please let me know what needs to be done to logout without any errors.

                          PS - I'm using APEX 4.0 and the <Single Sign-off URL> has been added to the Authorized URLs list.

                          SQL> desc wwv_flow_custom_auth_std;

                          PROCEDURE LOGOUT_THEN_GO_TO_URL
                           Argument Name                  Type                    In/Out Default?
                           ------------------------------ ----------------------- ------ --------
                           P_ARGS                         VARCHAR2                IN     DEFAULT
                          • 10. Re: Logout Problem 4.01
                            Patrick Wolf-Oracle
                            Hi Rakesh,

                            What exact version of 4.0 are you using?

                            Is the <single sign-off URL> prefixed with https? And you should also change your
                            http://host.domain/pls/apex/f?p=&APP_ID.:PUBLIC_PAGE
                            to
                            https://host.domain/pls/apex/f?p=&APP_ID.:PUBLIC_PAGE
                            I assume as well that PUBLIC_PAGE is a page in your application where the page attribute "Authorization" is set to "Page is Public".

                            Regards
                            Patrick
                            • 11. Re: Logout Problem 4.01
                              RAKESH CHUNCHEGOWDA
                              Hi Patrick,

                              Thanks for the quick reply.

                              APEX version : Application Express 4.0.0.00.46

                              Yes, the <single sign-off URL> is prefixed with https.
                              Patrick Wolf wrote:
                              And you should also change your
                              http://host.domain/pls/apex/f?p=&APP_ID.:PUBLIC_PAGE
                              to
                              https://host.domain/pls/apex/f?p=&APP_ID.:PUBLIC_PAGE
                              The Application server is not SSL configured. So https is not an option at this time.

                              And the page attribute "Authorization" is set to "Page is Public" for PUBLIC_PAGE.

                              Thx
                              Rakesh
                              • 12. Re: Logout Problem 4.01
                                Patrick Wolf-Oracle
                                RAKESH CHUNCHEGOWDA wrote:
                                The Application server is not SSL configured. So https is not an option at this time.
                                Actually I think that's your problem, because the browser warns you that you are going from a secure web page to an insecure one. ("Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?")

                                It might still be possible to define the https. I think in most cases the web servers are automatically falling back to http, but it might trick the browser into not showing the message.

                                About the
                                RAKESH CHUNCHEGOWDA wrote:
                                Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
                                Error ERR-7620 Could not determine workspace for application ().
                                Is this also reproducible if you enter
                                http://host.domain/pls/apex/f?p=&APP_ID.:PUBLIC_PAGE
                                into your browser? (&APP_ID. -> replaced by your real application id)

                                Regards
                                Patrick
                                • 13. Re: Logout Problem 4.01
                                  rizwanarshad
                                  Patrick,

                                  How would I use the function get_authorized_urls to retrieve a list of authorized urls that have already been added?

                                  I'm upgrading to APEX 4.1 and I want to check if my url has been added.

                                  Thanks,
                                  Riz
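Added example (not code from the thread or from Oracle's documentation) that uses the APEX_INSTANCE_ADMIN calls Patrick lists in reply 7 to register one exact logout target and then read the list back, which is what Riz asks about in reply 13; it also flags the bare "http://" / "https://" entries Joel describes in reply 4. Assumptions: the block runs as an instance administrator (a schema granted APEX_ADMINISTRATOR_ROLE, or as the APEX schema owner) with serveroutput on, the host name is a placeholder, and the prefix-matching behaviour is inferred from Joel's reply rather than confirmed by documentation.

```plsql
-- Added example: manage and audit the instance Authorized URLs list.
-- Assumes an instance-administrator session and serveroutput on.
declare
    l_urls    wwv_flow_global.vc_arr2;
    -- Placeholder logout target; replace host and app id with your own.
    l_wanted  constant varchar2(4000) :=
        'https://apex.example.invalid/pls/apex/f?p=122:PUBLIC_PAGE';
    l_i       pls_integer;
    l_found   boolean := false;
    l_broad   boolean := false;
begin
    -- Register one exact URL instead of a bare scheme prefix, so only
    -- this target is authorized for logout_then_go_to_url redirects.
    apex_instance_admin.add_authorized_url(
        p_url         => l_wanted,
        p_description => 'Logout target for app 122 (placeholder)' );

    -- Read the whole list back (vc_arr2 is a PL/SQL associative array,
    -- so walk it with first/next rather than assuming 1..count).
    l_urls := apex_instance_admin.get_authorized_urls;
    l_i := l_urls.first;
    while l_i is not null loop
        dbms_output.put_line('authorized: ' || l_urls(l_i));

        if l_urls(l_i) = l_wanted then
            l_found := true;       -- our exact entry is present
        end if;

        -- Per Joel's reply, "http://" or "https://" alone authorizes every
        -- URL because only a leading portion has to match (assumed to be
        -- prefix matching). Such entries re-open the instance to redirects.
        if lower(l_urls(l_i)) in ('http://', 'https://') then
            l_broad := true;
        end if;

        l_i := l_urls.next(l_i);
    end loop;

    dbms_output.put_line('exact logout target registered: '
        || case when l_found then 'yes' else 'no' end);
    dbms_output.put_line('scheme-only (redirect-wide) entry present: '
        || case when l_broad then 'yes' else 'no' end);

    -- Uncomment to undo the registration above when experimenting.
    -- apex_instance_admin.remove_authorized_url( p_url => l_wanted );
end;
/
```

Run it before and after an upgrade to confirm the specific logout URL survives and that no scheme-only entries are lingering from an earlier workaround.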