This content has been marked as final. Show 15 replies
Do you want to keep the existing authentications methods (LDAP, DB)? and before or after that you want to check based on your table?
Or do you want to replace it with your custom login mechanism?
Did you already have a look at the post-authentication option? you can run a function over there too and set an application item. Then in Authorization you can check for the value of the application item.
It is the authorization that is the problem.
Not the authentication.
The authorization is stopping the authentication from being loaded.
The authorization is running on the login page, before the app user is set, therefore the authorization returns a FALSE.
Yes, I understand that... but what do you want to do then?
How can APEX (the authorization) now who you are (and if you're authorized) if you never logged in before? Maybe I don't understand completely. ACL what does that mean?
I thought you wanted to do a double check. One with LDAP or DB followed by your custom login (based on the records in your table).
I think that is the problem...
I will go into more detail, but try to simplify it.
I have an apex app that we use DB authentication for, DB account showing the APEX Login screen. page 101
This works great. We created another APEX application in the same parsing schema that also we want to have DB authentication for.
We realized that DB users logging into APEX app#1 can not see the data in APEX app#2, using DB authentication, the users can log into either app as long as they know the URL. So, we built an access control list (ACL) table. And I built an authorization scheme that takes the :APP_USER and compares it to the ACL table. That works - except the authorization scheme is running for all pages which includes the login page at 101. Because APEX hasn't authenticated the user, :APP_USER is null being passed into the authorization scheme which is causing the query to return no records which is causing the authorization scheme to not allow the person access to the login screen. We get the failed application security before we get to the login page.
My question is, how do we disable/turn off/work around authorization schemes on the authentication screen.
If the answer is set the authorization on each page EXCEPT for the login page, I am moving the app the MS Access :)
I already understand a bit better... you don't need to move to Access ;-)
Why don't you adapt your authorization scheme?
You've as Type: PL/SQL Returning a boolean. Why don't you check in that function if you're on page 101? (through APP_PAGE_ID) If you're on that page you always return TRUE...
That loud noise you heard was me slapping my forehead and saying "D'OH".
Yup, that works like a charm... anyone think of any security concerns to doing that, spoof page id or something like that.
If it was a real application item or page item, you could have some problems with url tampering. But it isn't, I tried to add APP_PAGE_ID:101 in the url, but it doesn't do anything except returning an error that the item doesn't exist.
But even if it worked, you can always protect your pages with Session State Protection.
Glad it works now,
A belated thanks for this suggestion, which was driving me nuts too!
Such a simple solution!
BTW, anyone who tries this should realize that this scheme needs to be authorized
Once per page view
if you're attaching this authorization scheme to the application definition, not once per session, as they've already been authorized on the login page. Otherwise you've just let anyone in!
This would lead to multiple authorization checks.
Another way to use this scheme but only authorize once would be:
* Set the scheme to authorize once per session
* Assign the authorization scheme to the first page after the login page. Usually page 1.
Good luck to all who use this,
Message was edited by:
Can any one please post a detailed steps of setting up an custom authentication for an application in apex 3.0 and db10g XE. I read Demitri steps, but I am having trouble creating the package used apex. I would appreciate a detailed steps. I have about 4 users that I need to add that they will have access to this application but not all apex users.
Thank you for your assistance.
We need to start over. What is the problem you need help with, authentication or authorization? For authentication, first answer this: how do your users login and where is the account information stored?
Thank you for the quick response.
I need help with authentication, I managed to do the authorization by creating the ACL page and added some users for testing. I am just confused how to setup the authentication for that application. I usually use the application express user credinials, I know how to create users from the admin point. what are the steps to create custom authentications, and how about the authentication function.
In conclusion all what I need to do is to setup security on my application let those 6 users to authenticate from the login page first.
I hope I made it clear, please let me know if you need more info.
What are you trying to accomplish by not using Application Express user accounts for authentication?
I don't know what you mean by your questions. I want to use the Apex user accounts. But how I can verify that only those 6 users have access to that particular application and not all apex users that they already have any account.
I hope this explains more.