Apex Custom Authentication Schema Page Sentry Error

Similar Messages

• Restful Web Services - First Party Authentication with custom authentication schemes

  Hi
  I've successfully enabled security using first party authentication on our Restful web services however these only work with the built in Apex accounts and not other authentication schemes.
  Ideally I'd like to authenticate against LDAP, however when I enable this authentication scheme the restful services don't work as they only support the Apex accounts. 
  Has anyone implemented LDAP authentication for Apex restful web services, either directly or using Glassfish ? Does anyone know if support for custom authentication schemes on the feature roadmap for a future Listener release ?
  I attempted to configure the glassfish application against LDAP but am still working on it.. glassfish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for Apex would be appreciated.
  Thanks
  Kes

  Hi Gemma,
  unfortunately at the moment you are caught between a rock and a hard place:
  - As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
  - Listener can only authenticate against the the APEX user repository, it cannot integrate with custom APEX authentication.
  There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
  Thanks,
  Colm Divilly

• Customized authentication scheme unauthorized when using help

  I am receiving an unauthorized message when clicking on help on a label. The message was not being received until the customized authentication scheme was enabled.

  If you still need help with this, please provide all the usual information: a complete description of the situation, an example on apex.oracle.com if possible, your version of apex and database, all custom code, all authentication scheme details, etc.
  Also, please tell us your first name and put it into your handle and/or profile to help us.
  Scott

• Custom authentication scheme: Invalid Session Target

  Yesterday I spent a lot of time figuring out what was happening and I'm not sure if this is a bug or a feature...
  Create an application with some public pages (1,2,101) and some non-public pages (3,4).
  Created a list on page 0 listing all pages but only listing page 3 and 4 when user is logged in.
  Created a custom authentication scheme.
  Running the application showed me the page 1 and the list containing 1,2,101.
  I could navigate to 101 and then log in after which I was taken to page 1 showing only 1,2,101.
  I changed page 101 so that it would take me to page 3 after logging in and it did. The list showed me 1,2,101,3,4 and the username was also visible.
  I could visit all pages correctly except page 1. Whenever I navigated to page 1 I effectively got logged out.
  Finally I discovered that I had set "Invalid Session Target" to page 1 in my authentication scheme.
  Is this the intended effect ?

  Rene,
  When a page is selected in the authentication scheme's Invalid Session Page LOV, it gets designated as "the login page". Whenever this page is rendered, APP_USER is null and APP_SESSION is a new session ID. This accounts for what you saw. It's sort of a quirk more than a bug or feature and we ought to properly document this behavior. If, for some reason, you needed a login page that you could navigate back to (after login) in the current session and using the current APP_USER value, you can deselect the page from the Invalid Session Page LOV in the authentication scheme and instead code this in the Invalid Session URL:
  f?p=&APP_ID.:101:&APP_SESSION.
  ...using 101 as the login page, but it can be any page ID as long as it's a public page.
  Scott

• Setting up a custom authentication scheme

  Hello APEX Community,
  I'm working on creating an RSVP site for an upcoming event, but I want to limit the number of "random" users that try to sign in by implementing some sort of password system.
  I am running this on apex.oracle.com...
  What I have currently set up is the following:
  I have a table (user_auth) that stores a list of passwords. I will send individual people one password that they will type in on the login page.
  The issue I have right now is how to implement the authentication scheme...
  Based on the authentication drop down options, I should be choosing "Custom"... But I am stuck at this point...
  I have created a function called "my_authentication" (code provided below) and entered "my_authentication" as the Authentication Function Name, but when I test it, it keeps failing. I left the Login page as is, I don't enter a user name but I enter a valid password from the user_auth table. When I hit Login, it just boots me back to the login page. Do I need anything for Sentry Function?
  create or replace function my_authentication (
    p_username in varchar2 default null,
    p_password in varchar2)
    return boolean
  is
    l_count number;
    l_return_value boolean;
  begin
    select count(*) into l_count from user_auth t where t.user_password = upper(p_password);
    if (l_count > 0) then
      l_return_value := true;
    else
      l_return_value := false;
    end if;
    return l_return_value;
  exception
    when no_data_found then
      return false;
  end my_authentication;Please let me know if you want me to elaborate further...
  Thanks and regards,
  Ivan

  Hi Scott,
  Thanks for replying and sorry it took so long to get a reply back.
  I hope the following makes sense.
  1: When I say "it keeps failing", what happens is when I enter just the password, and hit "Login" it just boots me back to the Login page and no error is displayed.
  2: Yes, I don't have any encryption at all but I have x number of randomly generated strings stored in that table, and what I was hoping to do was have the user enter the password and then have it go and confirm that that is one of the x number of strings in the table.
  The problem I'm starting to realize with this approach is that the passwords are not displayed. Users just see *'s instead. My approach now is to use an Open door authentication and have them enter the password there to log in, and upon logging in, it will assign value to a global value that checks to see if it's a valid password... (passes back user_id for a matching user_password). If the password is invalid, it will pass a -100 or something...
  This seems like a somewhat effective way of getting around the authentication. I guess my next challenge is to figure out how to boot invalid users back to the login page in an Open Door Authentication scheme.
  Ivan

• Strange problem when using custom authentication schema

  Hello,
  I'm building a custom authentication system for the application. Basically, I followed the blog post from Martin: http://www.talkapex.com/2009/03/custom-authentication-status.html
  However, the authentication seems working fine at the beginning when running the page 101 from Application Builder and log in, but when I log out from the application (redirect back to page 101) and try to log in with the same credentials, it gives error message "Invalid Login Credentials ". Also, when the application is accessed from public (open page 101 directly using another computer), the authentication doesn't work at all.
  Furthermore, I checked the table apex_workspace_access_log and found out that it has "AUTH_SUCCESS" even if using the fake credentials and the login failed (I use "apex_util.set_authentication_result (p_code => 3);" when auth function return false).
  I couldn't find the cause of the problem, then I created the same custom authentication in apex.oracle.com. The problem doesn't appear anymore. To make sure they are same, I have double checked the custom authentication in both the development environment and the apex.oracle.com.
  This is very strange to me and I don't know where to looking for the problem. Could you give me some advice of what may cause this problem. Thanks in advance!

  I found the problem myself. The cause is the VPD, the account table has VPD policy applied, which prevented public access.

• Custom Authentication scheme

  Hello,
  I am building a custom auth. scheme that actually checks username/password in a custom table (app_users) [ not DB acocunts] . I have created a package with a login function as follows:
  PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
  lv_goto_page NUMBER DEFAULT 1;
  BEGIN
  IF UPPER(p_uname) = 'ADMIN' THEN
  lv_goto_page := 1;
  ELSE  lv_goto_page := 100;
  END IF;
  wwv_flow_custom_auth_std.login  (  p_uname => p_uname,
  p_password => p_password,
  p_session_id => p_session_id,
  p_flow_page => p_flow_page || ':' || lv_goto_page  );
  EXCEPTIONWHEN OTHERS THEN
  RAISE;
  END login;
  and a valid_user function in that package that simply returns TRUE if username/password are correct in APP_USERS table.......
  and then I have changed the 101 login page login process to :
  app_security_pkg.login(
  P_UNAME       => :P101_USERNAME,
  P_PASSWORD    => :P101_PASSWORD,
  P_SESSION_ID  => v('APP_SESSION'),
  P_FLOW_PAGE   => :APP_ID||':1'
  +);+
  and created my own auth. scheme and enterd this in the auth. function field :
  return app_security_pkg.valid_user
  My question is , this is not working when I enter a valid username/pass from APP_USERS because I think it still points to oracle's db users .... Where should I make the built in function wwv_flow_custom_auth_std.login point to my APP_USERS table instead ????
  Thanks,
  Sam K

  Gus,
  The only code I have is for the authentication package and here it is :
  create or replace PACKAGE BODY app_security_pkg AS
  PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
  lv_goto_page NUMBER DEFAULT 1;
  BEGIN
  IF UPPER(p_uname) = 'sam' THEN // just for test. sam is a username in app_users
  lv_goto_page := 1;
  ELSE lv_goto_page := 100;
  END IF;
  wwv_flow_custom_auth_std.login ( p_uname => p_uname, p_password => p_password, p_session_id => p_session_id, p_flow_page => p_flow_page || ':' || lv_goto_page );
  EXCEPTION WHEN OTHERS THEN
  RAISE;
  END login;
  PROCEDURE add_user ( p_username IN VARCHAR2,p_password IN VARCHAR2) AS
  BEGIN
  INSERT INTO app_users (username, PASSWORD)VALUES (UPPER (p_username),get_hash (TRIM (p_username), p_password));
  COMMIT;
  EXCEPTION WHEN OTHERS THEN ROLLBACK;
  RAISE;
  END add_user;
  FUNCTION get_hash (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN VARCHAR2 AS
  BEGIN
  RETURN DBMS_OBFUSCATION_TOOLKIT.md5 (input_string => UPPER (p_username)||'/'||UPPER (p_password));
  END get_hash;
  PROCEDURE valid_user2 (p_username IN VARCHAR2, p_password IN VARCHAR2) AS
  v_dummy VARCHAR2 (1);
  BEGIN
  SELECT '1' INTO v_dummy FROM app_users
  WHERE UPPER (username) = UPPER (p_username) AND PASSWORD = get_hash (p_username, p_password);
  EXCEPTION WHEN NO_DATA_FOUND THEN
  raise_application_error (-20000, 'Invalid username / password.');
  END valid_user2;
  FUNCTION valid_user (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
  BEGIN
  valid_user2 (UPPER (p_username), p_password);
  RETURN TRUE;
  EXCEPTION WHEN OTHERS THEN
  RETURN FALSE;
  END valid_user;
  END app_security_pkg;and in the shared components >> current auth. scheme is myscheme >> Auth. Function : return app_security_pkg.valid_user
  and in page 101 login process :
  app_security_pkg.login(
  P_UNAME => :P101_USERNAME,
  P_PASSWORD => :P101_PASSWORD,
  P_SESSION_ID => v('APP_SESSION'),
  P_FLOW_PAGE => :APP_ID||':1'
  );Thats it ! I hope this helps you figuring it out ;)
  Thanks,
  Sam

• Custom Authentication Scheme - How To

  For anyone who is interested in implementing your own Authentication Scheme, I have published an article on my blog. It covers the basic steps needed and can be extended in any number of ways to suit your additional needs.
  http://djmein.blogspot.com/2007/07/custom-authentication-authorisation.html
  Duncan

  Hi Duncan,<br><br>
  Thanks for your article. <br><br>
  Regards,<br>
  Gonçalo

• Custom Authentication Scheme - call SSO or Local Process based on User Name

  Hi,
  We are looking at building a new application that allows employee and public user access.
  For staff we want to use Single Sign On as we have for all our other ApEx applications.
  For public users (who will register to create an account) we want to use our own Custom Authentication Function.
  What I would like to do is to have an Authentication Function along the lines of:
  If username like '%@%'
  then call Custom Function
  else call SSO Funcion.
  How do I call the SSO Authentication Function progamatically?
  Thanks,
  Martin

  Probably I don't explain myself clearly....sorry for that!
  Anyway you are right, the role of the user can change after the user is initially provisioned.
  I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
  1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
  2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
  Is it possible with pre-populate adapter?
  Sorry again for my not very clear explanations.
  Daniele
  Edited by: 886636 on Jan 24, 2012 4:10 AM

• X509 Cert Authentication Scheme - 403 HTTP Error

  The user is been thrown a 403 HTTP error as part of this configuration to support X509certs.
  Environment is OAM 10g running on Sun One Web Server6.1 and Solaris 2.8 O/S.
  Any pointers on troubleshooting this issue ?
  Thanks in advance.

  This generally points to a certificate trust or certificate revocation issue. I have a bunch of questions that might point you in the right direction.
  1 - Does the web server trust the CA that issued certs to the clients?
  2 - Does the user certificate have a CRL Distribution Point?
  2a - If so, can the web server follow this CDP to ensure the user cert is not revoked?
  3 - Is the user cert revoked?
  4 - Does the server cert have a CRL Distribution Point?
  4a - If so, can the user browser's follow this CDP to ensure the server cert is not revoked?
  5 - Do the clients trust the CA that issued the cert to the web server (not likely a cause)?
  6 - Does this happen to all users or just one? (if it only happens with one user then that user's cert is likely revoked).
  FYI - this isn't a OAM issue really, it's a mutual SSL client / server authentication issue between your web server and your browser. You should also check the web server docs, these may point you in the right direction.

• Page Sentry Setup - Oracle ApEx 4.1.1

  Hi,
  Hoping someone can please assist or point me in the right direction but I am creating a new Page Sentry setup in Oracle ApEx 4 based on the following link:
  Updating Page Sentry for APEX 4.0 Upgrade:
  http://zetetic.net/blog/2010/12/10/updating-page-sentry-for-apex-40-upgrade.html
  I have pretty much just used what has been provided from this link with a few minor changes but my question that I cannot figure out why it is happening is that in MS IE8, when I fire up my app, it all starts up fine and and sets up my APP_USER and APP_SESSION fine but what I have found that, when I go to a new tab in IE8 and start up another session for this very same APP_ID, it is assigning the same APP_SESSION as the previous session, which is not what I am after from the Page Sentry.
  Could someone please assist with what I need to change this pl/sql code, so that a new session id is always generated when starting up a new IE8 tab in the same browser window.
  Thanks.
  Tony.

  Hi Tony,
  If you are using OAM, why would you want each tab to have a different session?
  (OTN PDF on OAM - http://www.oracle.com/technetwork/developer-tools/apex/learnmore/apex-oam-integration-1375333.pdf )
  If I'm not mistaken . . . your problem with Apex 3 is now solved in Apex 4 (unless you implemented a broken page sentry function), because the session id in the url is backed by a cookie. If the session id in the url doesn't match the credentials in the cookie, it cancels the session.
  At the same time, since browsers share cookies between different tabs, the database can't distinguish between page calls from one tab from page calls from another tab - because they pass the same cookie. This is a browser issue, not an apex limitation. I don't think its possible to have each tab be treated as a separate session, unless you disable the cookie, and that leaves you open to the problems you had with Apex 3.
  I keep saying "if I'm not mistaken", and that's because I've got 0 applications under my belt (well, I have a websheet, but that doesn't count). I've been studying page sentry functions on-and-off since November 2011, and got nowhere. Fortunately, I discovered how to do what I wanted to do without using a page sentry function.
  Here are the most helpful links I found - most of the code are variations on a theme, and they reference functions that are not well documented.
  I found Christian Neumueller's second post on this page very enlightening - Re: APEX 4.1 Login page kills existing session cookie
  I might implement this - http://www.oracle.com/technetwork/issue-archive/2009/09-may/o39security-101079.html
  You've probably seen Joel Kallman's post - http://joelkallman.blogspot.co.uk/2010/10/custom-authentication-scheme-for-oracle.html
  Here's one about NTLM, which isn't what you're looking for, but its another example of a page sentry function - http://jastraub.blogspot.co.uk/2008_03_01_archive.html
  There is a little bit about session management and the login process in this pdf - http://www.sumneva.com/c/sumneva/presentations/APEX%20Behind%20the%20Scenes.pdf - all of which is very interesting.
  Tak

• Custom Authentication in Apex 4.2

  Hi,
  I am trying to create a custom authentication scheme in apex 4.2. I have a database table which have username and password in it. I am using a function which returns Boolean after checking the username and password. I have checked it from toad and it works fine. But, when i am calling it from custom authentication it doesn't work.
  How can i configure this custom auth into my application,
  Thanks,

  Hello,
  Can you please provide more details. What is not working?
  Have you created new authentication scheme? Before this, does your application had any authentication scheme?
  Best case - create sample application in apex.oracle.com and post credentials so we can have a look
  Useful blog entires.. Custom Authentication in APEX and How to setup Custom Authentication in Oracle APEX
  Regards,
  Hari
  Edited by: Hari_639 on Apr 27, 2013 7:56 PM

• Problems with custom authentication when migrating from 3.2 to 4.1.1

  Hi,
  we’re about to upgrade our APEX instances to 4.1.1 and to migrate our applications. I encountered some problems with our custom authentication schema.
  1.     Recognize already authenticated sessions: in 3.2 the sentry function could return false as long as the user was not authenticated. Public pages could still be displayed (including the login page). The result of the function apex_custom_auth.is_session_valid returned false until once the sentry function returned true. How can I recognize non authenticated sessions in 4.1.1? I looked for the test the Condition “User is the public user (user has not authenticated)” computes on a page but didn’t found the right one. It’s not what docu states here (comparison with the public user): http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/condition001.htm#HTMDB25943. I replaced the test with p_authentication.username = ‘nobody’. It works. But that doesn’t seem to me to be the right way …
  2.     Post_logout lacks session context: the Post Logout Procedure does not receive a session_id and username. Neither the V(‘APP_SESSION’) nor p_authentication.session_id are set. This applies to both plugin authentication schemes and non-plugin custom authentication schemes. Is there another way to obtain the logged-out sessions infos or is this a bug?
  See apex.oracle.com for a demo, workspace WS_MW, gast/gast. Can someone please guide me the way?
  Michael

  Hello again,
  there are no replies until now .... I reviewed some posts regarding custom authentication again and did not find any solution for the issues. Found some that worked with APEX 3.2.1 but not with 4.1.1. I can only work around
  1.) in an insecure way, because the non documented (?) user "nobody" can change and all new sessions will be considered authenticated
  2.) in a way, that ends up in implementing the logout from the non apex environment outside the authentication schema or authentication plugin.
  May be I should contact support for at least the second issue because this doesn't work as documented or am I doing something wrong?
  Michael

• Page Sentry Help

  I've created a simple page sentry function based on the ntlm code called custom_page_sentry, created public synonym and granted execute to public
  I've placed the function in the page sentry function under Authentication Scheme, page session management
  When I attempt to run the application I get the following error message.
  ORA-06550: line 2, column 1: PLS-00221: 'CUSTOM_PAGE_SENTRY' is not a procedure or is undefined ORA-06550: line 2, column 1: PL/SQL: Statement ignored
  we are on version 3.2.1.00.10
  Any help with this is greatly appreciated.
  Thanks
  Wayne

  I've placed the function in the page sentry function under Authentication Scheme, page session managementYou have to code it like this:
  return custom_page_sentry;
  Scott

• Custom authentication - different user - no edit links

  Hi
  In my apex 3 application I use a custom authentication scheme, in which I validate users against our backoffice tables. However, I don’t have in those tables the database user that I use to develop apex applications.
  When I run my application for the first time in the session (from the application builder tool) I am redirected to the login page and need to login. As I have to login using a different user, I don’t see at the bottom of the pages the edit links and I need to go back a number of times to get back to the app builder page.
  What is the best practice in this case? Is it possible to tell apex not to use the login page if the app is being run from the app builder tool? (or something like that)
  Thanks
  Luis

  Hi Scott
  Thanks for the reply. I understand why this happens, but I was wondering if there was a way to circumvent this limitation, as I can't login as the database user I am using to build the application (because I don't have that user in my custom authentication scheme).
  Of course I could add that user, but as it is maintained by another department (it is a live system and I would have to justify well why I need a new user just for development purposes), I was looking for another quicker, simpler solution.
  Thanks
  Luis