Hi Vikas,
Thanks for reporting this. I've asked some folks on our team to take a look at this and get back with you.
Websheet sentries have slight differences to application sentries.
I created a websheet sentry for you that should work (see below).
Edited by: Christian Neumueller on Nov 15, 2011 7:07 AM (fixed wiki format error)
create or replace function sample_page_sentry return boolean
is
    l_username   varchar2(512);
    l_session_id number;
    l_ws_app_id  number;
begin
    -- check to ensure that we are running as the correct database user.
    if user != 'APEX_PUBLIC_USER' then
        return false;
    end if;
    -- get sessionid in cookie
    l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;
    if wwv_flow_custom_auth_std.is_session_valid then
        -- the session still exists. we configure the APEX engine to use
        -- this session id and the session's username.
        --
        -- NOTE: it is more secure to also check if this is the session id from
        -- the URL!
        --
        apex_application.g_instance := l_session_id;
        l_username := wwv_flow_custom_auth_std.get_username;
        if nvl(l_username,'nobody') != 'nobody' then
            wwv_flow_custom_auth.define_user_session(
                p_user       => l_username,
                p_session_id => l_session_id);
            return true;
        end if;
    else
        -- session can not be reused, create a new one
        l_session_id := apex_custom_auth.get_next_session_id;
    end if;
    -- the current session is unauthenticated. we have to determine the user
    -- and log in.
    -- get the username from somewhere, e.g. a cgi variable. it is hard-coded
    -- here for simplification.
    l_username := 'VANJ';
    -- configure the engine to use this username and session.
    apex_custom_auth.define_user_session(
        p_user       => l_username,
        p_session_id => l_session_id );
    -- build a deep link to the websheet start page
    l_ws_app_id := apex_util.get_session_state ('WS_APP_ID');
    wwv_flow_custom_auth.remember_deep_link (
        p_url=>'ws?p='||l_ws_app_id||'::'||l_session_id );
    -- register the session in apex sessions table, set cookie, redirect back.
    apex_authentication.login(
        p_username => l_username,
        p_password => null );
    return true;
end sample_page_sentry;
/
Christian - I thought I had already changed my page sentry to accommodate the differences. Anyway, I used your sentry function and still can't get it to work. Would you mind logging in to my workspace on apex.oracle.com (vikasa/christian/christian) and taking a look? The websheet is 35565. Thanks
I created a page_sentry_ws_christian with a few changes to your original. I also removed the "Authentication Function" and "Invalid Session URL" values in the websheet properties, because they are irrelevant for this kind of authentication.
Christian - Thanks! Works fine now. I missed the session_id part; although I am not sure I understand the second change you made. The assignment to l_authenticated_username at the start of the function...why does that get nulled out if is_session_valid is false?
1. I need to set Allow Public Access to Yes otherwise I get an Access Denied error. I expected to get Reader or End User level access. This is not intuitive (to me at least)
2. The access control help table on page 4000.119 has its column headings smooshed. Putting table cell borders might help
3. When I enable Public Access and run the websheet, the Create and Edit buttons at the top are disabled (good), the View button is available (good) but the Administration button also seems available but clicking on it does nothing. Shouldn't it be disabled like the Create & Edit buttons when a non-Administrator is logged in?
I like the overall facelift in this version, lots of new functionality, modern look and feel, great job!
[Now it is almost as good as MS SharePoint! Just kidding, was that below the belt?]
Christian? Your thoughts?
In your initial version, the l_authenticated_username gets overwritten in the call to wwv_flow_custom_auth_std.get_username. The subsequent "if" handles the case where the username is not "nobody" (i.e. already authenticated session), but for unauthenticated sessions, the sentry continues. Only, it now has "nobody" or null in l_authenticated_username.
1. If your websheet requires authentication, you should add the users to the websheet's access control list, but you already know that. It's simply the distinction between authentication (determining who the user is) and authorization (the user's privileges). Admittedly, the latter is relatively static in the current version, compared to db apps.
2. The changelog says that borders were recently removed. I'll talk with our UI experts.
3. I just tested that on our dev server and the Administration button is hidden until you are logged in. Seems like they already fixed it.
It's great that you like the new version! My part on websheets was tiny, just some tinkering with authentications. The credits should go to Christina and Shakeeb. I'll let them decide if they take the SharePoint comparison as a compliment ;-)
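The overwrite described in the reply above, reduced to a stand-alone PL/SQL block. This is an added example, not code from the thread or from Oracle: it runs without APEX, and session_username is a hypothetical stub standing in for wwv_flow_custom_auth_std.get_username. The function names, the reconstructed "buggy" shape and the sample user VANJ passed in as the externally determined username are assumptions made for the illustration.

```plsql
-- Run in SQL*Plus or SQLcl with: set serveroutput on
declare
    -- Hypothetical stub for wwv_flow_custom_auth_std.get_username:
    -- an existing but not logged-in session reports the user 'nobody'.
    function session_username(p_logged_in in boolean) return varchar2 is
    begin
        return case when p_logged_in then 'VANJ' else 'nobody' end;
    end session_username;

    -- Buggy shape (assumed): one variable first holds the externally
    -- determined user and is then reused for the session lookup, so the
    -- real name is gone by the time the sentry wants to log the user in.
    function login_user_buggy(p_external_user in varchar2,
                              p_logged_in     in boolean) return varchar2 is
        l_authenticated_username varchar2(512) := p_external_user;
    begin
        l_authenticated_username := session_username(p_logged_in);
        if nvl(l_authenticated_username, 'nobody') != 'nobody' then
            return l_authenticated_username;  -- session already authenticated
        end if;
        -- unauthenticated: the sentry continues with the overwritten value
        return l_authenticated_username;
    end login_user_buggy;

    -- Fixed shape: the session lookup gets its own variable, so the
    -- externally determined user survives for the login step.
    function login_user_fixed(p_external_user in varchar2,
                              p_logged_in     in boolean) return varchar2 is
        l_session_user varchar2(512);
    begin
        l_session_user := session_username(p_logged_in);
        if nvl(l_session_user, 'nobody') != 'nobody' then
            return l_session_user;            -- session already authenticated
        end if;
        return p_external_user;               -- log in the intended user
    end login_user_fixed;
begin
    -- Both variants agree when the session is already authenticated;
    -- they differ only for a fresh, unauthenticated session.
    dbms_output.put_line('buggy, authenticated session: '
        || login_user_buggy('VANJ', true));
    dbms_output.put_line('buggy, new session:           '
        || login_user_buggy('VANJ', false));
    dbms_output.put_line('fixed, new session:           '
        || login_user_fixed('VANJ', false));
end;
/
```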
Thanks a lot for all your help, appreciate it.
Sure, no problem. It's a great help to us that people like you are thoroughly testing our code, so thank you
Christian - Going back to the 3 points I raised earlier since apex.oracle.com has been upgraded to 4.1.0.00.28
1. So it would appear that for websheets with Custom Authentication Schemes that implement a sort of "single signon" and do not present a login page, the Allow Public Access attribute has to be set to Yes for anyone to get access. This should be clearly documented. Maybe even set it automatically to Yes on the Builder page when a Custom scheme is chosen
2. This is still unchanged on apex.oracle.com. Not a big deal, but it makes it hard to read & understand the table without the cell borders
3. This is also unchanged. Maybe I didn't explain it clearly. The Create and View buttons are grayed out for a readonly user, this is good. But the Administration button is not grayed out. It appears clickable but when you click on it, nothing happens. Again, not a big deal, but the inconsistency is very obvious.
These issues will need to be logged as bugs and fixed after Application Express 4.1.