12 Replies Latest reply on Aug 14, 2011 1:38 PM by joelkallman-Oracle

    Apex 4.1 - Websheets with custom authentication scheme

      Apex v4.1 (as seen on the hosted apex.oracle.com) - Websheets still don't appear to work with a custom authentication scheme. Database applications work fine with a page sentry function but when the same page sentry function is used for a websheet, running it gives an error The page you requested has not been found

      Can someone from the Apex team please review? Thanks
        • 2. Re: Apex 4.1 - Websheets with custom authentication scheme
          Hi Vikas,

          Thanks for reporting this. I've asked some folks on our team to take a look at this and get back with you.

          1 person found this helpful
          • 3. Re: Apex 4.1 - Websheets with custom authentication scheme
            Christian Neumueller-Oracle
            Hi Vikas,

            Websheet sentries have slight differences to application sentries.
            I created a websheet sentry for you that should work (see below).

            create or replace function sample_page_sentry return boolean                                  
                l_username   varchar2(512);                                                             
                l_session_id number;                                                                    
                l_ws_app_id  number;                                                                    
                -- check to ensure that we are running as the correct database user.                    
                if user != 'APEX_PUBLIC_USER' then                                                      
                    return false;                                                                       
                end if;                                                                                 
                -- get sessionid in cookie                                                              
                l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;                    
                if wwv_flow_custom_auth_std.is_session_valid then                                       
                    -- the session still exists. we configure the APEX engine to use                    
                    -- this session id and the session's username.                                      
                    -- NOTE: it is more secure to also check if this is the session id from             
                    --       the URL!                                                                   
                    apex_application.g_instance := l_session_id;                                        
                    l_username                  := wwv_flow_custom_auth_std.get_username;               
                    if nvl(l_username,'nobody') != 'nobody' then                                        
                            p_user       => l_username,                                                 
                            p_session_id => l_session_id);                                              
                        return true;                                                                    
                    end if;                                                                             
                    -- session can not be reused, create a new one                                      
                    l_session_id := apex_custom_auth.get_next_session_id;                               
                end if;                                                                                 
                -- the current session is unauthenticated. we have to determine the user                
                -- and log in.                                                                          
                -- get the username from somewhere, e.g. a cgi variable. it is hard-coded               
                -- here for simplification.                                                             
                l_username := 'VANJ';                                                              
                -- configure the engine to use this username and session.                               
                     p_user       => l_username,                                                        
                     p_session_id => l_session_id );                                                    
                -- build a deep link to the websheet start page                                         
                l_ws_app_id  := apex_util.get_session_state ('WS_APP_ID');                              
                wwv_flow_custom_auth.remember_deep_link (                                               
                     p_url=>'ws?p='||l_ws_app_id||'::'||l_session_id );                                 
                -- register the session in apex sessions table, set cookie, redirect back.              
                     p_username => l_username,                                                          
                     p_password => null );                                                              
                return true;                                                                            
            end sample_page_sentry;                                                                       
            Edited by: Christian Neumueller on Nov 15, 2011 7:07 AM (fixed wiki format error)
            • 4. Re: Apex 4.1 - Websheets with custom authentication scheme
              Christian - I thought I had already changed my page sentry to accommodate the differences. Anyway, I used your sentry function and still can't get it to work. Would you mind logging in to my workspace on apex.oracle.com (vikasa/christian/christian) and taking a look? The websheet is 35565. Thanks
              • 5. Re: Apex 4.1 - Websheets with custom authentication scheme
                Christian Neumueller-Oracle
                Hi Vikas,


                I created a page_sentry_ws_christian with a few changes to your original. I also removed the "Authentication Function" and "Invalid Session URL" values in the websheet properties, because they are irrelevant for this kind of authentication.

                • 6. Re: Apex 4.1 - Websheets with custom authentication scheme
                  Christian - Thanks! Works fine now. I missed the session_id part; although I am not sure I understand the second change you made. The assignment to l_authenticated_username at the start of the function...why does that get nulled out if is_session_valid is false?

                  Some observations

                  1. I need to set Allow Public Access to Yes otherwise I get an Access Denied error. I expected to get Reader or End User level access. This is not intuitive (to me at least)
                  2. The access control help table on page 4000.119 has its column headings smooshed. Putting table cell borders might help
                  3. When I enable Public Access and run the websheet, the Create and Edit buttons at the top are disabled (good), the View button is available (good) but the Administration button also seems available but clicking on it does nothing. Shouldn't it be disabled like the Create & Edit buttons when a non-Administrator is logged in?

                  I like the overall facelift in this version, lots of new functionality, modern look and feel, great job!

                  [Now it is almost as good as MS SharePoint! Just kidding, was that below the belt?]
                  • 7. Re: Apex 4.1 - Websheets with custom authentication scheme
                    Christian? Your thoughts?
                    • 8. Re: Apex 4.1 - Websheets with custom authentication scheme
                      Christian Neumueller-Oracle
                      Hi Vikas!

                      In your initial version, the l_authenticated_username gets overwritten in the call to wwv_flow_custom_auth_std.get_username. The subsequent "if" handles the case where the username is not "nobody" (i.e. already authenticated session), but for unauthenticated sessions, the sentry continues. Only, it now has "nobody" or null in l_authenticated_username.

                      1. If your websheet requires authentication, you should add the users to the websheet's access control list, but you already know that. It's simply the distinction between authentication (determining who the user is) and authorization (the user's privileges). Admitted, the latter is relatively static in the current version, compared to db apps.
                      2. The changelog says that borders were recently removed. I'll talk with our UI experts.
                      3. I just tested that on our dev server and the Administration button is hidden until you are logged in. Seems like they already fixed it.

                      It's great that you like the new version! My part on websheets was tiny, just some tinkering with authentications. The credits should go to Christina and Shakeeb. I'll let them decide if they take the SharePoint comparison as a compliment ;-)

                      • 9. Re: Apex 4.1 - Websheets with custom authentication scheme
                        Thanks a lot for all your help, appreciate it.
                        • 10. Re: Apex 4.1 - Websheets with custom authentication scheme
                          Christian Neumueller-Oracle
                          Sure, no problem. It's a great help to us that people like you are thoroughly testing our code, so thank you
                          • 11. Re: Apex 4.1 - Websheets with custom authentication scheme
                            Christian - Going back to the 3 points I raised earlier since apex.oracle.com has been upgraded to

                            1. So it would appear that for websheets with Custom Authentication Schemes that implement a sort of "single signon" and do not present a login page, the Allow Public Access attribute has to be set to Yes for anyone to get access. This should be clearly documented. Maybe even set it automatically to Yes on the Builder page when a Custom scheme is chosen

                            2. This is still unchanged on apex.oracle.com. Not a big deal, but it makes it hard to read & understand the table without the cell borders

                            3. This is also unchanged. Maybe I didn't explain it clearly. The Create and View buttons are grayed out for a readonly user, this is good. But the Administration button is not grayed out. It appears clickable but when you click on it, nothing happens. Again, not a big deal, but the inconsistency is very obvious.

                            • 12. Re: Apex 4.1 - Websheets with custom authentication scheme
                              These issues will need to be logged as bugs and fixed after Application Express 4.1.