1 Reply. Latest reply: Sep 15, 2013 1:47 AM by SteveWelch

    Authentication Schemes

    SteveWelch

      Hello,

      I have a number of applications that all use the authentication scheme that installs when you choose to add the 'Access Control' page (APEX_ACCESS_CONTROL & APEX_ACCESS_SETUP). I also have a simple function that checks the user is in the table SS_USERS:

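      CREATE OR REPLACE FUNCTION ss_custom_auth (
         p_username IN VARCHAR2,
         p_password IN VARCHAR2)
      RETURN BOOLEAN IS
      BEGIN
         -- Look for a row in SS_USERS matching the supplied credentials.
         -- Both userid and password are compared case-insensitively,
         -- against the values stored in the table as-is.
         FOR c1 IN (SELECT 1
                      FROM ss_users
                     WHERE UPPER (userid) = UPPER (p_username)
                       AND UPPER (password) = UPPER (p_password))
         LOOP
            -- At least one matching row: credentials accepted.
            RETURN TRUE;
         END LOOP;
         -- No matching row: credentials rejected.
         RETURN FALSE;
      END;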


      The APEX_ACCESS_CONTROL works well, allowing controls, pages, etc. to be hidden or denied to anyone who is not an administrator. My problem is that anyone in the table SS_USERS can access all applications the ss_custom_auth is assigned to, even if they are not in the 'Access Control List' when 'Restricted Access' is set. I am missing something. The authentication scheme seems to be ignoring the 'SETUP_ID' in the 'APEX_ACCESS_CONTROL' table.


      Should my function somehow contain a reference to the setup_id? Can someone suggest where I am going wrong?


      Kind Regards,


      Steve Welch
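
The behaviour described in the post follows from ss_custom_auth checking only identity: it never reads the access control tables, so every row in SS_USERS passes for every application. The block below is an added example, not code from the original post or from Oracle, showing one way to make login also depend on the access control list of the application being entered. The function name ss_custom_auth_acl and the column names APPLICATION_ID, ID and ADMIN_USERNAME are assumptions (only SETUP_ID is named in the post) and should be checked against the installed tables.

```plsql
-- Added example, not part of the original post.
-- Assumed columns (verify against your schema):
--   APEX_ACCESS_SETUP   (id, application_id)
--   APEX_ACCESS_CONTROL (admin_username, setup_id)
CREATE OR REPLACE FUNCTION ss_custom_auth_acl (
   p_username IN VARCHAR2,
   p_password IN VARCHAR2)
RETURN BOOLEAN IS
   -- Application the user is logging in to.
   l_app_id NUMBER := TO_NUMBER (v ('APP_ID'));
BEGIN
   -- Step 1: identity check, delegated to the existing function.
   IF NOT ss_custom_auth (p_username, p_password) THEN
      RETURN FALSE;
   END IF;

   -- Step 2: the user must be listed in this application's
   -- access control list (joined through SETUP_ID).
   FOR c1 IN (SELECT 1
                FROM apex_access_control c
                JOIN apex_access_setup s
                  ON s.id = c.setup_id
               WHERE s.application_id = l_app_id
                 AND UPPER (c.admin_username) = UPPER (p_username))
   LOOP
      RETURN TRUE;
   END LOOP;

   -- Valid credentials, but not on this application's list: fail closed.
   RETURN FALSE;
END;
/
```

This version refuses login for anyone not on the list regardless of the application mode, so it fits only applications that are meant to run with 'Restricted Access' set.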