5 Replies Latest reply: Jul 22, 2013 6:03 AM by Christian Neumueller-Oracle

    How to create a sentry-Function

    user3536752


      Hi all,

      I want to build a custom authentication scheme which combines the functionality of SSO and a custom authentication function.

      1. If the HTTP Header Variable REMOTE_USER is set, this user should be a valid logged on user. (Single Sign On functionality)

      2. If the HTTP Header Variable is not set, the LOGIN-Page should appear. (local user Administration)

      3. The user/password combination from the login page should be validated by my own authentication function.

       

      I think I have to create a sentry-Function, which is a combination of the sentry-functions which are used in the schemes "custom" and "HTTP Header Variable".

       

      I tried to find an implementation of these functions in the APEX_040200 database schema, but without success.

      @APEX-Team: can you provide the implementation of these sentry functions, or at least some documentation?

       

      @all: Is there anybody who has implemented a similar authentication scheme?

       

      Thanks

      Richard

        • 1. Re: How to create a sentry-Function
          Christian Neumueller-Oracle

          Hi Richard,

           

          a sentry function defines whether the request should be allowed to be processed, because the session is ok. Since 4.1, we have an additional invalid session function that runs if the sentry returns false, before redirecting to the login page. A callback function can be used to continue processing when the login page is external. It runs when the external login succeeds and redirects back to APEX. The authentication function is used in combination with internal login pages to verify that the user credentials (username / password) are ok. If it returns true, the session gets updated with the username. Otherwise, the login page should show again, with an error message. The post logout function runs after the user logged out. It is sometimes useful for cleanup of session-related data or to tweak the redirect.

           

          In your case, the sentry function is probably not necessary. The default already checks whether the session id and session cookie match, that should be sufficient. Only if you are trying to implement single sign-out, a sentry could check whether the session is already authenticated, but the REMOTE_USER became null. The invalid session function gets called when the sentry (either your custom one or the default) fails. If REMOTE_USER is not null, it can simply call APEX_AUTHENTICATION.POST_LOGIN to register the header value as the username, instead of doing the normal redirect to the login page. This authenticates the user without checking credentials with the authentication function. The callback function is not necessary in your case. The authentication function gets called when the user logs in, using the application's login page (101). It can verify username/password for the cases where REMOTE_USER is null.

           

          This can be implemented either as an authentication plugin or with the custom authentication scheme. The former should be preferred for production code, the latter is sometimes useful for prototyping. The plugin and authentication item help texts for the various functions contain example code. If they are not sufficient, just respond here and I'll try to come up with more concrete examples.

           

          Regards,
          Christian

          • 2. Re: How to create a sentry-Function
            user3536752

            Hi Christian,

            thanks for your detailed information.

             

            I have two further questions:

            1. In the "invalid session function", when REMOTE_USER is not null, APEX_AUTHENTICATION.POST_LOGIN should be called. Does POST_LOGIN do a redirect to the requested page? If POST_LOGIN isn't called (REMOTE_USER is null), is a redirect to the login page done automatically?

             

            2. I think I do not need to do an SSO logout, but I have to check it out with my customer. In the case of implementing an SSO logout in my own sentry function, what do I have to do to call the "standard sentry function", so I do not have to implement the complete functionality?

             

            In the future, an enhancement of the official documentation of the called procedures would be helpful. Especially in the predefined authentication plugins, e.g. "HTTP Header Variable", there is no sentry function defined in WWV_FLOW_PLUGINS.

             

            Thanks a lot

            Richard

            • 3. Re: How to create a sentry-Function
              Christian Neumueller-Oracle

              Hi Richard,

               

              no problem.

               

              1. You should not have to worry about redirects. POST_LOGIN sends you to the requested page and if it isn't called, the engine redirects you to the "invalid session" page (i.e. the login page).

               

              2. The standard sentry is always called. Your dual authentication is only tricky insofar as a missing REMOTE_USER is not always an indication of logout. You have to somehow distinguish between external and internal login.

               

              Thank you for your enhancement suggestion, but I'm not sure whether I understand it correctly. Are you suggesting a means to enhance existing authentication plugins, e.g. to extend "HTTP Header Variable" with custom sentry and authentication functions?

               

              Regards,
              Christian

              • 4. Re: How to create a sentry-Function
                user3536752

                Hi Christian,

                a missing REMOTE_USER indicates an SSO logout. I think this logout has to be done in the sentry function?

                So I have to provide my own sentry function.

                My question was, what to do to call the standard sentry functionality in my own sentry function, because I thought that by providing a sentry function, the standard functionality isn't called.

                 

                I only suggested enhancing the documentation, because I can not see any differences in the plugin definition tables (WWV_FLOW_PLUGINS etc.) for the predefined plugins ("HTTP Header Variable" etc.). I wondered where the different functionality is defined.

                 

                Best regards

                Richard

                • 5. Re: How to create a sentry-Function
                  Christian Neumueller-Oracle

                  Hi Richard,

                   

                  I was referring to your first message, where you mentioned

                   

                    2. If the HTTP Header Variable is not set, the LOGIN-Page should appear. (local user Administration)

                   

                  You just have to return false from your sentry function and not call POST_LOGIN in the invalid session function.

                   

                  The built-in plugins' functions are hard-wired to make them a bit more efficient. We can avoid dynamic SQL to run these functions this way.

                   

                  Regards,

                  Christian
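A worked example of the scheme Christian outlines in replies 1, 3 and 5, added here as an illustration rather than code from the thread or from Oracle: a PL/SQL package wired into a "Custom" authentication scheme, where the invalid session procedure calls POST_LOGIN only when REMOTE_USER is present, the sentry returns false only for header-based sessions whose header disappeared, and page 101's authentication function verifies local credentials. Assumed (not in the thread): an application item SSO_LOGIN to tell external from internal logins, and a table LOCAL_USERS(username, pw_salt, pw_hash) holding salted SHA-256 hashes.

```plsql
-- Added example, not from the thread. Custom scheme settings assumed:
-- Sentry Function Name = dual_auth.sentry, Invalid Session Procedure Name =
-- dual_auth.invalid_session, Authentication Function Name = dual_auth.authenticate.
-- Also assumed: application item SSO_LOGIN and table
-- local_users(username varchar2, pw_salt raw(16), pw_hash raw(32)).
create or replace package dual_auth as
  function  sentry return boolean;
  procedure invalid_session;
  function  authenticate(p_username in varchar2,
                         p_password in varchar2) return boolean;
end dual_auth;
/
create or replace package body dual_auth as
  -- Sentry: the built-in session check still runs first; this only adds
  -- single sign-out for sessions opened from REMOTE_USER. Sessions from the
  -- local login page never set SSO_LOGIN, so a missing header is not a logout.
  function sentry return boolean is
  begin
    return not (nvl(v('SSO_LOGIN'), 'N') = 'Y'
                and owa_util.get_cgi_env('REMOTE_USER') is null);
  end sentry;

  -- Invalid session: only safe when the web tier in front of APEX sets
  -- REMOTE_USER itself and discards any client-supplied copy. With a header,
  -- POST_LOGIN registers the user and redirects to the requested page;
  -- without one, do nothing and the engine shows the login page (101).
  procedure invalid_session is
    l_remote_user varchar2(255) := owa_util.get_cgi_env('REMOTE_USER');
  begin
    if l_remote_user is not null then
      apex_util.set_session_state('SSO_LOGIN', 'Y');
      apex_authentication.post_login(p_username => l_remote_user,
                                     p_password => null);
    end if;
  end invalid_session;

  -- Authentication: page 101 calls this when REMOTE_USER was null. Verifies a
  -- salted SHA-256 (DBMS_CRYPTO.HASH_SH256 needs Oracle 12c or later).
  function authenticate(p_username in varchar2,
                        p_password in varchar2) return boolean is
    l_salt raw(16);  l_hash raw(32);
  begin
    select pw_salt, pw_hash into l_salt, l_hash
      from local_users where upper(username) = upper(p_username);
    return l_hash = dbms_crypto.hash(
             utl_raw.concat(l_salt, utl_raw.cast_to_raw(p_password)),
             dbms_crypto.hash_sh256);
  exception
    when no_data_found then return false;  -- unknown user: same answer as bad password
  end authenticate;
end dual_auth;
/
```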