4 Replies. Latest reply: Sep 26, 2013 1:02 PM by Quazi

    Creating functionality for changing user's password.

      Good Morning,

      I'm trying to create functionality in my application that lets the user change their password
      whenever they want or when the password has expired.

      But to do that, first I need a Branch to the page "Password Change" whenever the login procedure returns "Password Expire",
      but when the user has an expired password he can't access any of the pages of the application.

      My other problem is:
      Even if I can get the user to be redirected to the "Password Change" page, I would need a function that validates his current expired password, because
      in order to alter his own, he would need to provide his current password and the new one he desires.

      If I were using Apex Authentication that would be very easy I think, but I'm obligated to use Database Account Authentication.

      Do you guys have any suggestions to solve these problems when using Database Account Authentication?

      Thanks for the help and the attention.
        • 1. Re: Creating functionality for changing user's password.
          I think your solution would look something like this:
          1. Add a public page to change the password.
          2. Provide fields for current, new and verification password.
          3. Have your own process that executes a statement like this:
          alter user <username> identified by :new replace :current
          You'll need to run this with an execute immediate command, because the alter is not PL/SQL.
          4. Add your own page validation to make sure the new and verification passwords are the same.
          5. Have a link on your login page to this new public page.

          I think this should work for you.
          • 2. Re: Creating functionality for changing user's password.
            I think the major problem here is to create a function that validates if the value of
            the current password field is the same as the current user expired password.

            Do you have any suggestions to solve this?


            • 3. Re: Creating functionality for changing user's password.
              Well... normally I would say that it doesn't matter because the database will tell you that. We don't need to know the password.

              But I set up a little proof of concept to see how this would work and I see the issue.
              APEX connects with a different user than the one you're trying to log in, so when you try to change someone else's password you get "ORA-01031: insufficient privileges".

              I'm not sure if there's a way to have a privileged procedure that could issue the command. Such a procedure could test that the provided user and password can connect before issuing the alter statement.
              I'm not aware of a way to do this with standard APEX.

              • 4. Re: Creating functionality for changing user's password.

                APEX4.2: There is a package and function in it: sys.wwv_flow_val.verify_user(username => l_username, password => l_old_password);

                It can be run under the APEX_040200 schema, so you can write your own procedure for validating and changing passwords.
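
A sketch of the privileged procedure discussed in replies 3 and 4, added here as an example and not code posted by anyone in the thread. It checks the current password before issuing the ALTER USER, and validates both values that end up concatenated into the dynamic DDL. Assumptions: the procedure name change_db_password is hypothetical, sys.wwv_flow_val.verify_user is called with the signature quoted in reply 4 and is assumed to return a BOOLEAN, and the owning schema has ALTER USER granted directly (not through a role).

```sql
-- Added example: definer's-rights procedure called from the public
-- "Password Change" page process. change_db_password is a hypothetical name.
create or replace procedure change_db_password (
    p_username     in varchar2,
    p_old_password in varchar2,
    p_new_password in varchar2,
    p_new_confirm  in varchar2
) authid definer
is
    l_user varchar2(130);
begin
    -- Step 4 of reply 1: new and verification passwords must match.
    if p_new_password is null
       or p_new_confirm is null
       or p_new_password <> p_new_confirm then
        raise_application_error(-20001, 'New password and confirmation do not match.');
    end if;

    -- The password is embedded as a double-quoted token in the DDL below,
    -- so a double quote inside it would break out of that token.
    if instr(p_new_password, '"') > 0 then
        raise_application_error(-20002, 'New password contains an invalid character.');
    end if;

    -- DDL cannot take bind variables, so the user name is concatenated.
    -- dbms_assert.simple_sql_name raises ORA-44003 unless it is a valid identifier.
    l_user := dbms_assert.simple_sql_name(upper(p_username));

    -- Current-password check as quoted in reply 4 (BOOLEAN return is an assumption).
    -- One message for every failure, so the page does not reveal which accounts exist.
    if not sys.wwv_flow_val.verify_user(username => l_user,
                                        password => p_old_password) then
        raise_application_error(-20003, 'Invalid user name or password.');
    end if;

    -- The owner holds ALTER USER, so no REPLACE clause is needed here;
    -- the old password was already verified above.
    execute immediate
        'alter user ' || l_user || ' identified by "' || p_new_password || '"';
end change_db_password;
/
```

Grant EXECUTE on this procedure only to the APEX parsing schema, since it runs with the ALTER USER privilege of its owner.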