    Authorization Scheme checking before login

      Good Day all,

      I have a 10gr2 DB with 5 existing APEX 3.0 apps. 2 Apps are DB account authenticated, 2 are LDAP authenticated and 1 is public.

      I have been asked to put in an ACL for the 4 authenticated apps. I created a table, put in the usernames. I created an authorization scheme for 1 app which is a PL/SQL returning boolean.

      But I now cannot log into that app. The PL/SQL works; the problem appears to be that V('USER') or :APP_USER is not defined for the 101 login page, so the boolean comes back as FALSE and the page does not render for me to be able to authenticate.

      How does one get around that?
          Dimitri Gielis
          Hi Herod,

          Do you want to keep the existing authentication methods (LDAP, DB), and check against your table before or after that?
          Or do you want to replace it with your custom login mechanism?

          Did you already have a look at the post-authentication option? You can run a function there too and set an application item. Then in the authorization scheme you can check the value of the application item.

            It is the authorization that is the problem.

            Not the authentication.

            The authorization is stopping the authentication from being loaded.

            The authorization is running on the login page, before the app user is set, therefore the authorization returns a FALSE.
              Dimitri Gielis
              Hi Herod,

              Yes, I understand that... but what do you want to do then?
              How can APEX (the authorization) know who you are (and if you're authorized) if you never logged in before? Maybe I don't understand completely. ACL, what does that mean?

              I thought you wanted to do a double check. One with LDAP or DB followed by your custom login (based on the records in your table).

                I think that is the problem...

                I will go into more detail, but try to simplify it.

                I have an APEX app that we use DB authentication for (DB account, showing the APEX login screen, page 101).

                This works great. We created another APEX application in the same parsing schema that we also want to have DB authentication for.

                We realized that DB users logging into APEX app #1 cannot see the data in APEX app #2, but using DB authentication the users can log into either app as long as they know the URL. So we built an access control list (ACL) table, and I built an authorization scheme that takes :APP_USER and compares it to the ACL table. That works, except the authorization scheme is running for all pages, which includes the login page at 101. Because APEX hasn't authenticated the user yet, :APP_USER is null when passed into the authorization scheme, which causes the query to return no records, which causes the authorization scheme to not allow the person access to the login screen. We get the failed application security before we get to the login page.

                My question is, how do we disable/turn off/work around authorization schemes on the authentication screen.

                If the answer is to set the authorization on each page EXCEPT for the login page, I am moving the app to MS Access :)

                  Dimitri Gielis
                  Hi Herod,

                  I already understand a bit better... you don't need to move to Access ;-)
                  Why don't you adapt your authorization scheme?

                  You have, as Type, "PL/SQL Function Returning Boolean". Why don't you check in that function whether you're on page 101 (through APP_PAGE_ID)? If you're on that page you always return TRUE...

                    That loud noise you heard was me slapping my forehead and saying "D'OH".

                    Yup, that works like a charm... does anyone think of any security concerns with doing that, spoofing the page id or something like that?
                      Dimitri Gielis
                      Hi Herod,

                      If it was a real application item or page item, you could have some problems with URL tampering. But it isn't; I tried to add APP_PAGE_ID:101 in the URL, but it doesn't do anything except return an error that the item doesn't exist.
                      But even if it worked, you can always protect your pages with Session State Protection.

                      Glad it works now,
                        A belated thanks for this suggestion, which was driving me nuts too!

                        Such a simple solution!

                        BTW, anyone who tries this should realize that this scheme needs to be authorized "Once per page view" if you're attaching this authorization scheme to the application definition, not "Once per session", as they've already been authorized on the login page. Otherwise you've just let anyone in!

                        This would lead to multiple authorization checks.

                        Another way to use this scheme but only authorize once would be:

                        * Set the scheme to authorize once per session
                        * Assign the authorization scheme to the first page after the login page. Usually page 1.

                        Good luck to all who use this,
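As an added example, not code from the thread, here is an authorization scheme body of type "PL/SQL Function Returning Boolean" that implements Dimitri's page-101 suggestion together with the per-page-view caveat from the reply above. It assumes a hypothetical ACL table ACL_USERS(USERNAME, APP_ID), that the login page is page 101, and that APEX reports an unauthenticated session as a NULL or 'nobody' APP_USER.

```plsql
-- Authorization scheme body, Type: PL/SQL Function Returning Boolean.
-- Added example; assumes a hypothetical table ACL_USERS(USERNAME, APP_ID)
-- and a login page id of 101. When the scheme is attached to the
-- application definition, set its Evaluation Point to "Once per page view":
-- with "Once per session" the TRUE returned on the login page would be
-- cached and every later page would pass without consulting the ACL.
DECLARE
  c_login_page CONSTANT NUMBER := 101;                -- assumption: login page
  l_user       VARCHAR2(255) := UPPER(V('APP_USER'));
  l_count      NUMBER;
BEGIN
  -- The login page has to render before anyone is authenticated, so the
  -- ACL cannot be consulted there. APP_PAGE_ID is a built-in, not an item,
  -- so it cannot be overridden by adding it to the URL.
  IF TO_NUMBER(V('APP_PAGE_ID')) = c_login_page THEN
    RETURN TRUE;
  END IF;

  -- On every other page an unauthenticated session (NULL, or the APEX
  -- placeholder 'nobody', assumed here) must never pass the ACL check.
  IF l_user IS NULL OR l_user = 'NOBODY' THEN
    RETURN FALSE;
  END IF;

  -- Authenticated user: allowed only if listed in the ACL for this app.
  SELECT COUNT(*)
    INTO l_count
    FROM acl_users
   WHERE username = l_user
     AND app_id   = TO_NUMBER(V('APP_ID'));

  RETURN l_count > 0;
END;
```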


                          Can anyone please post detailed steps for setting up a custom authentication for an application in APEX 3.0 and DB 10g XE? I read Dimitri's steps, but I am having trouble creating the package used by APEX. I would appreciate detailed steps. I have about 4 users that I need to add so that they will have access to this application, but not all APEX users.
                          Thank you for your assistance.

                            We need to start over. What is the problem you need help with, authentication or authorization? For authentication, first answer this: how do your users login and where is the account information stored?

                              Hi Scott,

                              Thank you for the quick response.
                              I need help with authentication. I managed to do the authorization by creating the ACL page and adding some users for testing. I am just confused about how to set up the authentication for that application. I usually use the Application Express user credentials; I know how to create users from the admin point. What are the steps to create custom authentication, and what about the authentication function?
                              In conclusion, all I need to do is to set up security on my application and let those 6 users authenticate from the login page first.
                              I hope I made it clear; please let me know if you need more info.

                              Kind Regards,
                                What are you trying to accomplish by not using Application Express user accounts for authentication?

                                  I don't know what you mean by your questions. I want to use the APEX user accounts. But how can I verify that only those 6 users have access to that particular application, and not all APEX users who already have an account?
                                  I hope this explains more.

