4 Replies Latest reply: Nov 6, 2013 3:58 AM by Christian Neumueller-Oracle

    Apex_Authentication.Is_Authenticated Function Doesn't Work in APEX 4.2.3

    konrad_wroc

      Hi,

       

      in my APEX application I call a stored procedure via URL to download and display a logo depending on the logged-in user (pkg.download_logo).

      Inside the download_logo procedure I want to make sure that the user's session is valid. For that I used the wwv_flow_custom_auth_std.is_session_valid function before the migration from APEX 3.2 to 4.2, which stopped working after the upgrade (Bug 17250508).

       

      According to the solution for Bug 17250508 (Doc ID 1585545.1), the apex_authentication.is_authenticated function should be used. However, this function seems not to work properly either.

      Now the user is always authenticated, which allows me to download my logo by pasting a suitable URL into the browser even if a user is not logged in.

      I also executed the following code in PL/SQL Developer (from the doc published by Oracle), which always returns TRUE in my case:

       

      DECLARE
          VAL BOOLEAN;
      BEGIN
          VAL := apex_authentication.is_authenticated;

          IF VAL THEN
              dbms_output.put_line('Valid');
          ELSE
              dbms_output.put_line('Invalid');
          END IF;
      END;

      Did anyone encounter the same problem?

      Is there any way to verify whether a session is valid from an external/customer function that needs to be called via URL from APEX 4.2.3?

      Best regards,

      Konrad

        • 1. Re: Apex_Authentication.Is_Authenticated Function Doesn't Work in APEX 4.2.3
          Christian Neumueller-Oracle

          Hi Konrad,

           

          the apex_authentication.is_authenticated and apex_authentication.is_public_user functions currently expect that they are called from within an established APEX session. They do not properly work when called from outside, because some internal package state is not set in these cases. I filed bug #17593502 to make them more useful in 4.2.4. You copied the code above from bug #17250508, which expected it to be run from SQL Workshop. Since SQL Workshop runs within APEX, the example works there.

           

          In your case, where you have a stand-alone procedure that gets called instead of f, wwv_flow.show, wwv_flow.accept, etc., you need to directly get the user name from the session record, which needs to be looked up via the session cookie. However, in this small example, how could APEX know which cookie contains your session? You need to at least set up some context, so APEX can determine the session, like this (you have to change the workspace id):

           

          create or replace procedure test (
              p_application_id in number,
              p_session_id     in number )
          is
              l_session_id   number;
              l_session_user varchar2(255);
          begin
              --
              -- 1. set up application context, so APEX can determine the cookie name
              --
              apex_application.g_flow_id := p_application_id;
              apex_util.set_security_group_id(p_security_group_id => 2176428392971420);
              --
              -- 2. get the session id from the cookie
              --
              l_session_id := apex_custom_auth.get_session_id_from_cookie;
              --
              -- 3. accept session, if it matches our input parameter
              --
              if l_session_id = p_session_id then
                  apex_custom_auth.set_session_id(p_session_id => p_session_id);
                  l_session_user := apex_custom_auth.get_username;
                  --
                  -- 4. determine whether the session has an authenticated user
                  --
                  if l_session_user is null or l_session_user = 'nobody' then
                      sys.htp.p('user has not yet logged in');
                  else
                      sys.htp.p('user logged in - '||apex_escape.html(l_session_user));
                  end if;
              else
                  sys.htp.p('can not accept session');
              end if;
          end test;

           

          In 4.2.4 I will change is_authenticated, so it loads the session user itself if it is empty. So you would be able to write

           

                  ...
                  apex_custom_auth.set_session_id(p_session_id => p_session_id);
                  --
                  -- 4. determine whether the session has an authenticated user
                  --
                  if not apex_authentication.is_authenticated then
                      sys.htp.p('user has not yet logged in');
                  else
                      sys.htp.p('user logged in');
                  end if;
                  ...


          Regards,

          Christian

          • 2. Re: Apex_Authentication.Is_Authenticated Function Doesn't Work in APEX 4.2.3
            Recx Ltd

            Bypassing APEX and calling directly into packages is always a security concern. This completely negates one of the primary reasons for choosing APEX, the in-built security and session handling.

             

            Is there any specific reason not to use an APEX application process and call the package from there? Then the session will be set up and you can let APEX apply authorisation/authentication.

             

            regards,

            • 3. Re: Apex_Authentication.Is_Authenticated Function Doesn't Work in APEX 4.2.3
              konrad_wroc

              Hi Christian,

               

              thank you for your response, and sorry for my late feedback, but I was engaged in other tasks recently. I've checked the solution you proposed and unfortunately it didn't solve my problem, as the apex_custom_auth.get_session_id_from_cookie function returns NULL as well in my case. Additionally, I've used apex_util.find_security_group_id() to get the workspace id; however, this function also returns NULL when called from an external stored procedure.

              It seems that there is a problem not only with the apex_authentication.is_authenticated and wwv_flow_custom_auth_std.is_session_valid functions, but also with the functions mentioned above.

              Finally, I decided to check whether a session exists in the apex_workspace_sessions view where the user is different from "nobody"; that approach should solve my concern.

              Thank you for your support.

               

              Best regards,

              Konrad

              • 4. Re: Apex_Authentication.Is_Authenticated Function Doesn't Work in APEX 4.2.3
                Christian Neumueller-Oracle

                Hi Konrad,

                 

                that procedure works fine here. However, it requires a correct security group id and application id. It also assumes that the user already navigated to the application in the same browser session. You can add a call to

                 

                  apex_debug.enable(p_level => apex_debug.c_log_level_engine_trace);

                 

                in the 1st line, to examine what's going on.

                 

                Btw, the answer from RecxLtd below is important. You can probably implement this requirement via a before header or application process, all within the APEX framework.

                 

                Regards,

                Christian
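
The application-process approach that Recx Ltd and Christian recommend, as an added example that is not code from the thread or from Oracle: the PL/SQL body of an On Demand application process that streams the logo only after APEX has established the session. The process name DOWNLOAD_LOGO and the table customer_logos with its columns are hypothetical.

```sql
-- Added example: PL/SQL body of an On Demand application process
-- (hypothetical name DOWNLOAD_LOGO). APEX resolves the session from the
-- request and its cookie before this code runs, so :APP_USER can be trusted.
-- Assumed table: customer_logos(username, mime_type, logo_blob).
declare
    l_blob blob;
    l_mime varchar2(255);
begin
    -- Defence in depth: same test as step 4 of the procedure in reply 1,
    -- in case the process's authorization scheme is left unset.
    if :APP_USER is null or :APP_USER = 'nobody' then
        sys.htp.init;
        sys.owa_util.status_line(403, 'Forbidden');
        apex_application.stop_apex_engine;
    end if;

    begin
        -- The logo is selected by the session user, never by a URL parameter,
        -- so one user cannot request another user's logo.
        select mime_type, logo_blob
          into l_mime, l_blob
          from customer_logos
         where username = :APP_USER;
    exception
        when no_data_found then
            sys.htp.init;
            sys.owa_util.status_line(404, 'Not Found');
            apex_application.stop_apex_engine;
    end;

    -- Stream the BLOB with explicit headers, then stop APEX so no page
    -- markup is appended to the image bytes.
    sys.htp.init;
    sys.owa_util.mime_header(nvl(l_mime, 'application/octet-stream'), false);
    sys.htp.p('Content-Length: ' || sys.dbms_lob.getlength(l_blob));
    sys.htp.p('X-Content-Type-Options: nosniff');
    sys.owa_util.http_header_close;
    sys.wpg_docload.download_file(l_blob);
    apex_application.stop_apex_engine;
end;
```

The process is requested as f?p=application_id:page_id:session:APPLICATION_PROCESS=DOWNLOAD_LOGO, and giving it the built-in "Must Not Be Public User" authorization scheme lets APEX reject unauthenticated sessions before the body runs.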