APEX Database Account Authentication Problem

Similar Messages

• How to create an database account authentication scheme in apex

  Dear
  I have an apex installation (embeded) on oracle 11g.
  I want to create a database account authentication scheme in apex. I have seen the page with different tab like name,subsription,source,session not valid, login processing, logout URL,session cookie attributes and comments.
  I want to know what are the things to be specifed on these tabs and the effects. I have gone thru the documentation 'Application Builder User’s Guide Release 4.1' , but the functionalities of these tabs are not mentioned.
  Please help.
  Dennis
  Edited by: Dennis John on Feb 28, 2012 10:57 PM

  Thanks to dear Jit
  I am new to apex.
  I have gone thru that documents but I couldn't find any detailed documentation about the database account authentication scheme configuration
  The database account authentication scheme creation interface will show tabs like name,subsription,source,session not valid, login processing, logout URL,session cookie attributes and comments.
  I want to know what are the things to be specifed on these tabs and how it will reflect in the login. The specified documentation is not giving any detail about the above mentioned tabs of authentication scheme creation iwizard.
  And also I want to know how the applciation user will be mapped to the database account?
  As per my understanding a database user (for each run time user) is required for to authenticate the apex run time login other than the applciation schema user (holds the objects of applicaiton)
  run time user means - end user who uses the applcaition, not the developer.
  Please help.
  Dennis

• Database Account Authentication to a few users.

  Good Morning, apex teachers.
  I have one more doubt about apex.
  This time is related to Database Account Authentication.
  I was wondering if it would be possible to filter which database users
  can logon to my application?
  For instance I have this users on my database: John, Paul, Ringo and George.
  But I only want to John and Paul be able to logon, if Ringo or George try to
  do the same, they would have their access denied.
  Thanks for all the help you guys have been giving to me.
  Regards, Leandro Freitas.

  "Database Account Credentials
  Database Account Credentials utilizes database schema accounts. This authentication scheme requires that a database user (schema) exist in the local database. When using this method, the user name and password of the database account is used to authenticate the user.
  Database Account Credentials is a good choice if having one database account for each named user of your application is feasible and account maintenance using database tools meets your needs"
  You are trying to use schemas or do you have a table with the beatles users and passwords? Don't let Ringo out man... ;)

• Send insert request as database user, not APEX public account

  I have a simple form where I am trying to insert data into a table. I am using database account authentication to log into app. We are using this table to submit jobs and only certain users can submit certain jobs.This table has a trigger that looks up privledges (in another table) to see if a user is authorized to enter particular data (job).
  When I create (insert the data from the form), I get an error (APEX_PUBLIC_USER User is not authorized to submit this request). Since APEX Pub user is not in our authentication table, it errors, which is fine. What I want to happen though, is the request (insert) into the table be sent as the database account user logged in, not APEX pub user account. How do I do this?
  Thanks
  Jason

  Jason,
  No problem, we were all new to Apex at some point (outside of the development team that is!).
  Take a look at my previous reply, I'm pretty sure that is what is happening, you either have some code in your app using 'USER' or perhaps the trigger itself references it, in which case rather than -
  USERit should use -
  nvl(v('APP_USER'), USER)Which basically means "if there is an Apex username then use that, otherwise use the Oracle database user".
  Without seeing your code it's difficult to say whether this is what's happening or not however, but it's worth looking at.
  John.
  Blog: http://jes.blogs.shellprompt.net
  Work: http://www.apex-evangelists.com
  Author of Pro Application Express: http://tinyurl.com/3gu7cd

• Database Account Credentials Authentical Failure

  Hello All,
  I've set my Authentication Scheme in APEX to Database Account credentials (I have Oracle 10+ installed). However, when I login I get the following errors. Can someone please advise?
  ORA-28007: the password cannot be reused
  ORA-06512: [b]at "FLOWS_020200.WWV_FLOW_SECURITY", line 221
  ORA-06512: at "SYS.WWV_FLOW_VAL", line 49
  ORA-06521: PL/SQL: Error mapping function
  Error ERR-10480 Unable to run authentication credential check function.
  Thanks

  Hi Scott:
  Thanks for the clarification with Default User profile.
  In my database, the authetication works for all the profiles that have DEFAULT PROFILE. However, doesn't work for DB accounts that don't belong to DEFAULT profile(these users have profile called ENDUSER_PROFILE).
  So, how and where can I define multiple profiles as VALID for the Database Account authentication?
  Thanks for your help!
  Muni

• Authentication Scheme - Database Account with login user exists in table

  Hi all,
  I m new to APEX. Could anyone tell me how can i modify the authentication scheme to validate the user by Database Account DB user & password, also the username must exist in a table
  As the DB is not only designed for one application, so DB account may incl. DB users more than the users who can access the APEX application. So I must check the user name exists in a table also.
  Thx.

  Scott,
  I try to save the msg in application item and set the message by application item in process before header, it works perfect. The message display as what i want :)
  One more question is i would like to give this link to user will go let the user go to the target page and can edit the page without doing any searching b4.
  http://XXX/apex/f?p=115:3::NO:::P3_ID:82
  If the user hvnt login, system will prompt login page, after the user login it, it will direct go to the target page. I have try if the user type in a wrong username / password it still work after i retype a correct one. The page can redirect to the target page.
  However, if i type in a user name & password is correct but not exist in my define table like what i stated b4. Then i type in a correct one I can just go to page 1 instead of the target one.
  How can i do the same thing?
  Sorry for non-stop questioning, but pls help. Thanks a lot.

• Database authentication & database account profiles

  Hi,
  Is anyone aware of any sample applications that uses database acccount profiles for password policies like ageing, length, reuse and so on.
  I've searched the forums but havn't found any links
  Has anyone experience in this field
  Many thanks
  Pete

  Roger,
  The authentication code and the general steps to hook it up are posted in this thread: Re: Custom Authentication
  As far as checking profile settings and account status, I would run these checks in processes on your after-login page. If there are exceptions, the user can respond to them on that page. If there are no exceptions, the page should branch to the start-of-application page of your choice. How you access this profile/account information for the authenticated user is up to you to figure out. Keep in mind that you will not be connected as the database account you authenticated against, so there is really no "active" profile involved. Your application's parsing schema will need to be granted access to whatever dictionary views it needs for this purpose.
  Good luck,
  Scott

• Authentication using database accounts (EJB)

  Hi.
  I'm developing a web app(struts, jsp). Users should log-in using their Oracle
  database accounts (created with CREATE USER ...). Is it possible to accomplish that using EJB? How?
  I've read that i can somehow map application server's users with database users
  using sql authentication providers: Wouldn't then sql queries made by ejbs
  still be executed with the same user every time?

  Normally application servers use a shared login to allow using a shared connection pool, and avoid the cost of logging in and out.
  Are you using JPA or the native TopLink API? Are you using JTA?
  TopLink / EclipseLink have several features for user logins.
  You can use Oracle proxy connections, these allow a shared connection pool to be used, but allow setting a proxy user on the connection.
  See, org.eclipse.persistence.config.PersistenceUnitProperties.ORACLE_PROXY_TYPE
  You can also use real database logins with JPA (or ServerSession) through using a JPA EntityManager properties or a ConnectionPolicy.
  See, org.eclipse.persistence.config.EntityManagerProperties, org.eclipse.persistence.sessions.server.ConnectionPolicy.
  You also have the option of using a shared login for reads, and a user login for writes.
  If you are using the native API, you can also use DatabaseSessions.
  James : http://www.eclipselink.org

• Authentication problem - solved, but maybe a bug in Mac OS X?

  Hi,
  I've a rather small installation with only a handful of users configured on a Mac mini (Mac OS X Server, 10.6.8). All of them use the mail, calendar and addressbook server on the Mac, nothing more. They use it with Mac, iPhone and iPad. Everything worked fine for months but suddenly all of them were faced authentication problems: it was not possible to login on the imap server, the calendar server, the addressbook server. It was possible to login using the admin account on the server directly. Moreover, all users disappeared from the workgroup manager, however they still were available on the servers LDAP server and findable using ldapsearch.
  First, I used to completely restart the server to solve the problem, but it reappeared after only few hours again.
  Second, after understanding more about the authentication process, I found the "killall DirectoryService" was sufficient to solve the problem, but it still reappeared after few hours.
  Then I found the, once the problem occured, there was nearly no more communication to the local LDAP server on port 389 on localhost. When everything was working fine, the was a lot of such communication, including queries for usernames, when a login attempt was made. I started a "tcpdump -n -i lo0 port 389" and waited for the problem again. After the problem occured, I found in the pcap files that there were a few final query attempts, actually attempts the open a port 389 TCP connection to the slapd running on localhost, which were answered with a TCP RST. Then, no more attempts were made until l restarted the DirectoryService. Using the logfile of the slapd I found that this happened exactly at the time the slapd was stopped and restarted. And - surprisingly for me - stopping and restarting the slapd happened exactly once an hour.
  I then found that it happened exactly at the time the time machine backup process was started and indeed it was possible to trigger the event of restarting the slapd by manually starting a time machine backup.
  (Indeed, I switched my backup strategy from SuperDuper to time machine the other day and maybe that was the time the problem occured for the first time. I know that time machine is not considered as the best backup strategy for a server but I wanted to try on my own.)
  Google helped my to find a hint that time machine will actually stop and restart slapd - which is a generally a good idea, since otherwise a backup from some open database files would be made, which could work but may fail. So, I thing, someone of the developers thought about that problem too and has considered time machine for backups of a server.
  However, a not running slapd can not answer queries from a DirectoryService and a stopping or starting process might indeed end up with TCP SYNs answered with TCP RST.
  My solution was to disable time machine again and from that time the problem does not occur again.
  I'm wondering why the DirectoryService process isn't starting to query the slapd again after a failed connection. Isn't this a bug? After this experience I consider time machine as not only the not preferred backup solution for a server but as completely incompatible with Mac OS X server - although, as I said, it seems that someone thought about backing up the LDAP database using time machine.
  (On a Lion server this problem does not occur, the slapd will not be stopped and restarted when time machine is running. Moreover, I saw a com.apple.slapd.start notification in the slapd.log ... maybe this tells DirectoryService to try again.)
  Cheers,
  Wolfgang

  Another problem I found with the MacOS X key bindings: the 6 key doesn't work!
  In the config that ships with SQL Developer, I found this:
  <Item class="oracle.javatools.util.Pair">
  <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
  <second class="oracle.ide.keyboard.KeyStrokes">
  <data>
  <Item class="javax.swing.KeyStroke">6</Item>
  </data>
  </second>
  </Item>
  which should be:
  <Item class="oracle.javatools.util.Pair">
  <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
  <second class="oracle.ide.keyboard.KeyStrokes">
  <data>
  <Item class="javax.swing.KeyStroke">meta 6</Item>
  </data>
  </second>
  </Item>

• Database Account and User Groups

  Hello,
  Currently, I am using DATABASE ACCOUNT for an authentication scheme for all of my applications but, I would like to setup User Groups as well to limit users to thier prospective pages and/or objects within the application for easy maintenance of users. I have read that, in order to apply user groups in an application, you must use APPLICATON EXPRESS ACCOUNT credentials.
  Another developer has modified the "APEX_ACCESS_CONTROL" table with an additional column(s) that would allow access to specific pages. I am not sure if this is good practice to modify Apex tables.
  Is there a way to create user groups while using DATABASE ACCOUNT for authentication? What is the best practice in a case like this?
  Can anyone please shed some light on this? Thanks.
  - Dee

  Dee,
  I would like to setup User Groups as well to limit users to thier prospective pages and/or objects within the application for easy maintenance of users.I'm not clear on what your purpose is, just runtime authorization, or something more?
  Another developer has modified the "APEX_ACCESS_CONTROL" table with an additional column(s) that would allow access to specific pages. I am not sure if this is good practice to modify Apex tables.Those tables belong to your application's parsing schema and they are accessed only by code in applications you develop. The Application Express machinery knows nothing about them.
  Is there a way to create user groups while using DATABASE ACCOUNT for authentication?You can create your own tables to define groups and to keep track of which named accounts belong to which groups. And you can write an API for applications to use to query this information and to maintain it from custom applications built for that purpose.
  All

• Apex in IFRAME login problem (P3P IE6+)

  Hi
  I have problem with Apex application in Frame. I can't login to my APEX app because IE6 or 7 blocked cookies. I browsed internet about it and problem is in P3P.
  At this time I add to my Apex app this meta tag (changed Templates)
  *<meta http-equiv="P3P" content='CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'>*
  but problem is still.
  Also I found in the Internet some solution for other platform:
  For example
  1. PHP
  header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
  2. ASP.NET
  HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
  *3. APEX*
  *?????????? -- some ideas?*
  Can you help me ??
  Regards
  Edited by: AndyPol on 2009-04-15 00:54

  Hi
  Any APEX app requires authentication (even if that authentication is 'No Authentication') of some kind. Are you trying to access it from another web page or using SSO, or is your custom authentication scheme referencing something tabular within your database?
  Cookie management is handled by the browser and therefore not necessarily applicable to the APEX app that you are trying to access unless you are already authenticated within the same session.
  I'm not sure what exactly you are trying to achieve in your web page, accessing an Apex region or page within an iframe without any kind of authentication within the Apex app itself?
  Sorry, if I have misunderstood, maybe you could post an example on apex.oracle.com and show me what you are trying to do and we should be able to help.
  Cheers
  Ben

• Database Account Credentials

  I have the following questions:
  1. I currently have APEX 2.0 in 3 databases. How can I upgrade them to APEX 2.2? APEX 2.0 uses the tablespaces called HTMLDB and FILES.
  2. How can I use database account credentials in APEX 2.2? Is there any detailed instruction on the Website?
  Thanks.
  Andy

  Download 2.2 and use the upgrade installation option. I don't understand the part about tablespaces.
  About the authentication scheme, just create an authentication scheme and select the new method and try it out.
  Detailed instructions on the website? What website or URL?
  Scott

• Accessing several applications after logging into database account once

  I have several applications with authentication against database accounts. I would like to create a situation in which users only have to log in once and are able to use all the applications they are allowed to use afterwards without having to log in again.
  Has anyone already got a solution for this problem?
  Your suggestions are very welcome,
  Greets, Dik

  I understand that it is possible for applictions within one workspace. These applications share the same session.
  What applications share the same session? Applications belonging to the same workspace that might operate at the same time? As a generic rule? No, this is not the case. Those applications share the same session only if you intend them to, but they need not.
  Applications that do not belong to the same workspace cannot share the same session.
  Single Sign-On (without a login server) is something you'd have to cook up yourself. That would have nothing to do with session-sharing but rather the ability of multiple applications to reference some artifact outside the application (a session cookie, an HTTP header value, a combination of those, ...) that would help it identify that authentication (by some trusted authority) had occurred. Each application could then do its own session management independent of that finding.
  Scott

• SQLNET authentication problem!

  Hi,
  We have a setup in which the database server is running on a 'XXX' domain and all the clients are running in domain 'YYY'.
  On the client, if following is the setup, then the clients face ORA-03113 after around 45 to 90 minutes of idle time.
  SQLNET.ORA
  NAMES.DEFAULT_DOMAIN=YYY
  TNSNames.ORA
  DBName.YYY = (..........
  Note: This is not happening with all the clients in 'YYY' domain.
  Now, we thought this was a domain authentication problem and removed the DEFAULT_DOMAIN setup from the client. Still the client faces ORA-03113.
  As a part of trial, we moved one of the machines which was facing the problem to the domain of the database server and the error is gone.
  But, due to obvious reasons, it is not possible to move all the clients to the domain of database server.
  Is there any way to get around this problem?
  Why is it that only some of the clients are facing this problem?
  Why is it that the error occurs only after idle time and not during work?
  Do we need to set NAMES.DEFAULT_DOMAIN=XXX at client? (I apologize for this question but I am really confused with the matters now)
  Addition info: The database server is Oracle 10.1.0.2.0 and clients are ranging from Oracle 8.1.6 to Oracle 10.1.0. And the errors occur on clients with any version of Oracle.
  Please help us out in this regard.
  Thanks in advance,
  Satish

  I have gone thorugh the Action suggested for this oracle error.
  If problematic machine is shifted to the domain XXX, error is gone,Do you shift physically to some other network?? if yes then there might be a problem with your network. The machines which are disconnected, might be on the same network channel or switch which is creating some problem in your network. this is only luck that your failure occur when there is no activity from that client which is disconnected.
  Shift the places of problem facing client and non-problem facing client with each other and then check. It will clear the mind about the netrowk problem
  Regards

• How Can we move files from apex database to third party database (i.e. Google drive)

  Hi All,
  I am storing the files in apex database which are uploaded through apex form. Now i want to move these files to the third party server on regular bases. Means once we stored those files in our apex database at specific time on everyday we have to move these files to google drive. How can i achieve this please do  need full.
  Version: apex 4.2
  Regards,
  Vijay J

  Hi Vijay,
  Check out the following code: https://gist.github.com/trent-/7526011
  The following need to be set accordingly
  g_upload_folder_id - the google folder ID (obtained from the URL) - used as a default to upload into a particular folder
  g_wallet_path - the path of your oracle wallet with the trusted certificates imported
  g_wallet_password - the password for the above wallet
  g_redirect_uri - The procedure that has your implementation with what to do after the user accepts
  g_client_id and g_client_secret - property's from your project out of your google API console
  l_endpoint_url in the function authorization_code_callback - the page to go to after authorizing
  This particular code is designed to use a refresh token such that once the user authorizes, the system can refresh the token whenever they need. But you can adjust this to suit your needs. I suggest reviewing the following documentation: https://developers.google.com/accounts/docs/OAuth2WebServer
  So, here is what I've done. Create a button, with a dynamic action click event with the following code:
  $.ajax({
      url: '&OWNER..google_drive.GET_AUTHORIZATION_URL',
      data: {
          p_state: &APP_SESSION.
      success: function(data){
          window.location.href=data;
  This redirects the user to the authorization page. And as you can see in the code, would run the following when authorized:
  update app_users set refresh_token = (returned token); -- that is, depending on your user management design, you would need to adjust this accordingly.
  Then to upload the file, I have an onsubmit process with:
  declare
      l_filerow apex_application_files%rowtype;
  begin
      select * into l_filerow
      from apex_application_files
      where name = :P133_ATTACH_DATA;
      :P133_GOOGLE_DOC_ID := google_drive.create_file(l_filerow.blob_content, l_filerow.mime_Type, l_filerow.filename);
  end;
  Please also review the following post, which describes the overall process of setting up the project, wallet, acl, etc: Oracle Apex Tips: Accessing Google Data
  There are probably bits of the code that need refinement, and better error checking, but hope it helps :-)