Authentication Schema

Hello,
I created an authentication schema based on the page sentry function. We have five applications. What is the best way to associate the schema with the applications?
a. Create an authentication schema for each one
b. Create an authentication schema for one application and then copy and subscribe the others.
Thanks
Toni R.

Toni,
You can do it either way. If you use (b) there is less typing involved and you can maintain the details of the authentication scheme in one place and publish revisions to subscribing applications very easily.
>> I created an authentication schema based on the page sentry function
I think you might mean that you encapsulated some version of the ntlm page sentry function in a stored function that you are now calling from an authentication scheme. If this is the case then there may not be an actual login page in your application and the following points that discuss the login page may not apply in your situation.
Some things to keep in mind:
- The scheme should specify a cookie name.
- If the scheme specifies a Session Not Valid Page, be aware that this will refer to a page in each individual application that uses (and possibly subscribes to) the scheme. That is, it will not be a reference to the page (say 101) in the application that owns/publishes the scheme.
- If the scheme specifies a Session Not Valid URL like f?p=&APP_ID.101:&SESSION. then be aware that &APP_ID. will resolve to the current application at runtime. So if you really wanted all applications to use the login page in application with alias FOO then the URL in the scheme should be f?p=FOO:101:&SESSION. . In all cases where you specify a login page in the Session Not Valid URL, be sure to make the login page public.
Scott

Similar Messages

  • HTMLDB as Partner Application to TWO OID instances - Authentication Schemes

    For reasons I won't go into here, we have TWO Oracle OID/SSO instances running - independently.
    I am interested in having HTMLDB / APEX applications capable of authenticating against either one (one at a time, but on the same engine installation).
    We have done the PARTNER APPLICATION registration which works well against one of the OID instances. Records have been entered into the WWSEC_ENABLER_CONFIG_INFO$ table and everything works as expected.
    What option do I have to register the HTMLDB engine with a SECOND OID/SSO as a partner application and then allow the developers the ability to choose which authentication scheme applies?
    What I have observed is that the package given (custom_auth_sso) has built in
    g_partner_app_name varchar2(2000) := 'HTML_DB';
    Is it possible to duplicate that type of functionality, or is there something deeper ingrained into the engine that I do not understand?
    Regards,
    Tim

    Scott,
    I am working under a model similar to your case number two.
    Application 1 – uses OID A
    Application 2 – uses OID B
    I am going under the assumption that if there were two records in the config_info$ table, that I would need some type of ability to inform the WWV_FLOW_CUSTOM_AUTH_SSO package to switch between them.
    I guess what I am missing is the mechanics. I am trying to avoid having to re-write the WWV_FLOW_CUSTOM_AUTH_SSO package by hand. Besides the package body being compiled, I do not know how that authentication scheme is called by HTMLDB/APEX. I have been using the “Oracle Application Server Single Sign-On (HTML DB Engine as Partner App)” scheme. This leaves most of the Authentication scheme pretty blank with the exception of the Session Not Valid URL (populated with -PORTAL_SSO-) and the logout URL. Magically it works though.
    If I had TWO schemes registered in the config_info$, how would I indicate which scheme to use?
    Do I have the capability of working with what has already been provided, or am I destined to write a custom scheme because of the decision which needs to be made?
    Many thanks
    --Tim

  • Configuring the authentication scheme for a web application

    Hi all,
    We have a requirement to configure the authentication scheme for a web application where some set of users should access the application using basic LDAP (userid/password) authentication and some using digital certificate authentication.
    Since the deployment descriptor (web.xml) allows only one directive for auth-method in login-config, we want to know if there is any other way to achieve this requirement. We are thinking of a custom login module approach. But we are not able to figure out how to configure the auth-method at runtime from the login servlet.
    Please let us know if there is any other approach to achieve this.
    I will be thankful if anybody shares any specific solution to this issue.

    This forum is probably not the correct one to ask in. It's more related to the web container than Java Programming.
    Kaj

  • How to create an database account authentication scheme in apex

    Dear
    I have an apex installation (embedded) on oracle 11g.
    I want to create a database account authentication scheme in apex. I have seen the page with different tabs like name, subscription, source, session not valid, login processing, logout URL, session cookie attributes and comments.
    I want to know what are the things to be specified on these tabs and the effects. I have gone through the documentation 'Application Builder User’s Guide Release 4.1', but the functionalities of these tabs are not mentioned.
    Please help.
    Dennis
    Edited by: Dennis John on Feb 28, 2012 10:57 PM

    Thanks to dear Jit
    I am new to apex.
    I have gone through those documents but I couldn't find any detailed documentation about the database account authentication scheme configuration.
    The database account authentication scheme creation interface will show tabs like name, subscription, source, session not valid, login processing, logout URL, session cookie attributes and comments.
    I want to know what are the things to be specified on these tabs and how it will reflect in the login. The specified documentation is not giving any detail about the above mentioned tabs of the authentication scheme creation wizard.
    And also I want to know how the application user will be mapped to the database account?
    As per my understanding a database user (for each run time user) is required to authenticate the apex run time login, other than the application schema user (which holds the objects of the application).
    Run time user means the end user who uses the application, not the developer.
    Please help.
    Dennis

  • Apex Custom Authentication Schema Page Sentry Error

    Hi,
    I am using Application Express 4.0.0. I am struggling with a strange problem while trying to implement custom authentication schema.
    I declare a page sentry function 'page_sentry' which returns TRUE or FALSE based on certain conditions. My page_sentry is as follows:
    FUNCTION PAGE_SENTRY RETURN BOOLEAN
    IS
      l_username   VARCHAR2(512);
      l_session_id NUMBER;
    BEGIN
      IF USER != 'APEX_PUBLIC_USER' THEN
        RETURN false;
      END IF;
      l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;
      -- check application session cookie.
      IF wwv_flow_custom_auth_std.is_session_valid THEN
        apex_application.g_instance := l_session_id;
        l_username := wwv_flow_custom_auth_std.get_username;
        wwv_flow_custom_auth.define_user_session(
          p_user => l_username, p_session_id => l_session_id);
        RETURN true;
      ELSE
        --redirect to login page using OWA_UTIL.REDIRECT_URL
        NULL; -- placeholder statement so the fragment compiles
      END IF;
      RETURN false;
    END page_sentry;
    And Cookie Name : _AUTH
    At first, it always returned FALSE. I wasn't getting any error. However, even after forcibly returning TRUE from the page_sentry function the redirect was still not happening. I tried to look into what cookies were being set for the same and I found this:
    Name:     ApexLibErrorStack1
    Content:     page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication
    I couldn't find any relevant help for this. Worst of it is I cannot set any cookie from the page_sentry function at all. Please help!

    Hi all.
    Can someone please help me out with the above issue. I am not sure if things are wrong at my end or is this an apex bug.
    --Update:
    The source of my problem perhaps lies in the manner in which I have configured my Oracle HTTP Server. When I disable port HTTP server on port 80 and run apex without it on default port 8080, the custom authentication schema cookie gets set.
    Executing the following with Oracle HTTP Server:
    OWA_UTIL.PRINT_CGI_ENV;
    gives:
    HTTP_COOKIE = ApexLibErrorStack1=page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication.; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL
    And without HTTP Server:
    gives:
    HTTP_COOKIE = WWV_CUSTOM-F_1420403886791332_100=9625AAC49B9951D8;......
    Did I miss something in my HTTP server configuration ?
    Edited by: pc on Jan 2, 2012 3:15 AM

  • How to Use REGION_STATIC_ID in authentication scheme

    Hello,
    I am storing the Region Static ID in a table; on the basis of that table I created an Authentication scheme. I want to give a specific user access to that region.
    When I am passing #REGION_STATIC_ID# in the authentication function it is not allowing me to do that.
    I want to use the static ID as below.
    -- authentication Scheme function return Boolean
    AND obj.OBI_APP_STATIC_ID = #REGION_STATIC_ID#
    can any one please help ?
    Muhammad Rehan

    Hello Muhammad,
    >> I am storing Region Static ID in Table , on bases of that table I created an Authentication scheme
    The “out-of-the-box” APEX approach is different from yours. You maintain a list of regions per your users. APEX allows you to maintain a list of users per your regions (or other APEX component). You should check the principles of the APEX Access Control List - http://download.oracle.com/docs/cd/E14373_01/appdev.32/e11838/app_comp.htm#sthref1263 – and see if you can use them to your needs.
    Regards,
    Arie.
    ♦ Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.
    ♦ Author of Oracle Application Express 3.2 – The Essentials and More

  • Applet Authentication Scheme

    Hello,
    I have developed a small applet that uses:
      URL url = new URL(getDocumentBase(), strURL);
      AudioInputStream stream = AudioSystem.getAudioInputStream(url);
    to retrieve an audio clip from my webserver.
    The audio clip is protected using DIGEST authentication.
    The applet is embedded in an HTML page that also uses DIGEST authentication.
    Firefox is okay, but after changing to Java plugin 1.6.0_1, Internet Explorer + Java is popping up a second login, with the footer: "Authentication scheme: Windows Integrated".
    Firefox:
    - FF loads (HTML)Page (unprotected)
    - Page loads the applet (unprotected)
    - Page tries to load clip index (protected)
    - FF shows browser login
    - FF reissues request for clip index (assuming successful login)
    - Page tells applet to load a clip
    - Applet loads a clip using browser creds.
    IE6:
    - IE loads page (unprotected)
    - Page loads the applet(unprotected)
    - Page tries to load the clip index(protected)
    - IE shows the browser login
    - IE reissues the request for clip index(assuming successful login)
    - Page tells applet to load a clip
    - Java shows login form
    How can I tell the applet to use the browser's DIGEST authentication credentials?
    I have started diving into the docs, but haven't found anything yet.
    Thanks for any tips,
    Jamie S.

    That is probably too late.
    However, I am working on a similar problem. This is my insight. If anybody knows more than I do, please let me know.
    Using the applet, the Authenticator may not work due to the new JRE. I believe if you have the property file within your machine, you may get around this problem. Other than that, I have not figured out a way to get past this security issue. Does anybody have any thoughts on that?
    To get around this issue, in your case, it is Basic Authentication; so it won't be too bad. You will need to write your own HTTP client, which means you will need to be able to read the response from the server and send the proper header back to the server. At least that is how I did it.
    The problem I am facing now is doing Digest Authentication. I really hate to do all kinds of work to get Digest working. If only the Authenticator worked for me.
    Hope that helps.

  • Authentication Scheme for sample application in Oracle Express

    All, I recently installed Oracle Express on linux and I was browsing the sample application and when I look up the Authentication Scheme for this app I get the message
    No authentication schemes have been defined. You can create a new authentication scheme starting with the Create Scheme button above
    Now when I click "Authentication Status " I see
    Application: 100
    Method: Authentication Scheme
    Details: Uses authentication schemes to control user authentication and all other aspects of session management for your application.
    Logout URL: wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=&APP_ID.:1
    Public Pages: (none)
    Action: Manage authentication schemes using the report above.
    Yet when I run the app I know it is looking up the data in the demo_users table. What I don't see is where the function custom_auth is defined for this app as the function to call for authenticating users. Can someone point me in the right direction.
    Also has anyone upgraded apex in express to 2.2. Any issues?
    thanks
    Scott.

    I think I found it: when you are in list view, no schemes appear. However, when you switch to detail view, I can see the custom scheme.
    scott

  • Calling a function in Pre-Authentication Process in Authentication Scheme

    Hello all,
    I want to call a function located somewhere inside apex (not in the database) from the Pre-Authentication Process in an Authentication Scheme.
    Is it possible?
    Regards Pedro.

    Pedro
    Possibly if you could unwrap the source of the package but basically you wouldn't want to mess with APEX's API.
    If this is your function then you want it somewhere in one of your own schemas (you won't potentially break APEX and you will retain it when you upgrade).
    If you wish, you could create your own authentication schema and only give yourself access to it (as well as execute to the application's parsing schema user). You could also just create it in the application parsing schema as
    CREATE OR REPLACE PACKAGE BODY xxxxxxx WRAPPED
    This makes the source unreadable in the database (remember to keep the original source yourself though!).
    Hope this helps
    Cheers
    Ben

  • Different behavior of Apex (authentication schema) in 64 bits instance

    Hello
    First time poster after reading many, and not sure if this is Apex related or that I should create a SR on metalink on monday
    We have Apex 3.0 installed in a development 10.2.0.1 instance on Win2003 Server (32 bits), the application uses an authentication schema which queries our ldap server (MS Active directory), which works fine.
    Our production environment is Apex 3.0 in 10.2.0.1 (x64) on Win2003 (64 bits) 4GB of memory. The authentication (same as in development) takes a very long time (minutes). On the server we see (task manager) a huge increase of vm size usage when we press the login button. When idle it uses around 900MB of vm size, and increases with 5GB. This results in a non responsive db server for minutes. After authentication is done, vm size decreases to normal size.
    In the enterprise manager (Active sessions waiting: Other) we see DBMS_LDAP: LDAP operation in the graph
    steps taken
    - Installed a fresh 10.2.0.1 instance (x64) on a Win2003 x64 vmware
    - Installed the PL/SQL Web Toolkit 10.1.2.0.6
    - Installed Apex 3.0
    - Created authentication schema in the sample application based on ldap (tried DOMAIN_NAME\%LDAP_USER% and cn=%LDAP_USER%,ou=Users,dc=domain,dc=nl notation for the dn entry)
    - log on to application authentication is slow, (ldap test tool shows same behavior)
    - tried different domain controllers
    - upgrade instance to 10.2.0.3
    After the upgrade the behavior is as described above (slow, huge increase vm size, non responsive system).
    Any help or ideas on this one?
    Thanks in advance
    Roeland

    Hello
    Did some more testing this morning, on the 64bits test instance. Created a function with pl/sql developer (found on the forum)
    create or replace function authenticate_aduser(
         p_username     in     varchar2,
         p_password     in     varchar2)
    return boolean
    is
         l_user         varchar2(256);
         l_ldap_server  varchar2(256)  := 'ldap_server';
         l_domain       varchar2(256)  := 'domain_name';
         l_ldap_port    number         := 389;
         l_retval       pls_integer;
         l_session      dbms_ldap.session;
         l_cnt          number;
    begin
         -- An empty password turns the simple bind into an LDAP unauthenticated
         -- bind, which many directory servers accept, so reject it before binding.
         if p_password is null then
              return false;
         end if;
         l_user     := l_domain || '\' || p_username;
         l_session  := dbms_ldap.init( l_ldap_server, l_ldap_port ); -- start session
         l_retval   := dbms_ldap.simple_bind_s( l_session, l_user, p_password ); -- auth as user
         l_retval   := dbms_ldap.unbind_s( l_session ); -- unbind
         return true;
    exception when others then
         -- any failure (bad credentials, server unreachable) counts as not authenticated
         l_retval := dbms_ldap.unbind_s( l_session );
         return false;
    end;
    - First time execution took 90 seconds, and showed the increase in vmsize in the task manager
    - Second execution in 0,015 seconds
    - Logged off
    - Started a new session
    - Again the first time execution took around 90 seconds and second execution was 0,017 seconds
    Maybe I misconfigured something or it's a bug, but it seems not Apex related. Anyway, going to create a SR
    Regards Roeland

  • Authentication Scheme with Username / Password stored in App Table

    Hi all,
    Up to now all of our applications have used SSO authentication, but I now need to step away from this to allow users from outside our organisation (and therefore not in our OID system) to use one specific application.
    I therefore have a table in my application that stores username and password. I have a function that compares the entered username and password to this table and returns a boolean result. This function is then registered in my Authentication Scheme as the Authentication function.
    All this works well and is causing no problems. The problem is that the password is stored and checked in plain text - obviously not very good.
    How do I go about changing the password column in my table, the pages that allow this password to be set and updated and the authentication function that checks the username / password to use some form of encryption?
    Also, do I need to be worrying about all the other fields (Page Sentry Function, Session Verify Function, Pre-Authentication Process etc) that the Authentication Scheme offers me - or can I just leave these blank as they are now.
    If someone can give me a complete 'out-of-the-box' solution that would be wonderful - otherwise a good hard push in the right direction would be much appreciated.
    Many thanks,
    Martin

    Hello Martin,
    If you check out the Discussion Forum application here, you should find the information you need. This app stores an encrypted version of the user's password in the table.
    http://www.oracle.com/technology/products/database/application_express/packaged_apps/packaged_apps.html#FORUM
    Good luck,
    Don.
    You can reward this reply by marking it as either Helpful or Correct :)
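
One way to store and check the passwords Martin describes without keeping them in plain text, as an added example that is not code from the thread or from Oracle's Discussion Forum application: each password is run through salted PBKDF2-HMAC-SHA256 and only the salt, iteration count and derived value are stored. It assumes Oracle Database 12c or later (for DBMS_CRYPTO.HMAC_SH256), EXECUTE on DBMS_CRYPTO granted to the parsing schema, and a hypothetical table APP_USERS and package APP_AUTH; the iteration count is an assumed value.

```sql
-- Hypothetical objects for this example (not from the thread):
--   app_users(username varchar2(255) primary key, pwd_salt raw(16),
--             pwd_iter number, pwd_hash raw(32))
create or replace package app_auth as
  procedure set_password(p_username in varchar2, p_password in varchar2);
  -- (p_username, p_password) return boolean: the custom authentication function shape.
  function authenticate(p_username in varchar2, p_password in varchar2)
    return boolean;
end app_auth;
/

create or replace package body app_auth as
  c_iterations constant pls_integer := 100000;  -- assumed work factor

  -- PBKDF2-HMAC-SHA256 (RFC 8018), first 32-byte output block only.
  function derive(p_password in varchar2, p_salt in raw, p_iter in pls_integer)
    return raw
  is
    l_key raw(32767) := utl_i18n.string_to_raw(p_password, 'AL32UTF8');
    l_u   raw(32);
    l_t   raw(32);
  begin
    -- U1 = HMAC(password, salt || 0x00000001)
    l_u := dbms_crypto.mac(
             utl_raw.concat(p_salt,
               utl_raw.cast_from_binary_integer(1, utl_raw.big_endian)),
             dbms_crypto.hmac_sh256, l_key);
    l_t := l_u;
    for i in 2 .. p_iter loop
      l_u := dbms_crypto.mac(l_u, dbms_crypto.hmac_sh256, l_key);  -- U(i) = HMAC(password, U(i-1))
      l_t := utl_raw.bit_xor(l_t, l_u);
    end loop;
    return l_t;
  end derive;

  procedure set_password(p_username in varchar2, p_password in varchar2) is
    l_salt raw(16) := dbms_crypto.randombytes(16);  -- fresh salt on every change
    l_hash raw(32);
  begin
    if p_password is null then
      raise_application_error(-20001, 'Password must not be empty');
    end if;
    -- Derive in PL/SQL first: a package-private function cannot be called from SQL.
    l_hash := derive(p_password, l_salt, c_iterations);
    update app_users
       set pwd_salt = l_salt, pwd_iter = c_iterations, pwd_hash = l_hash
     where username = upper(p_username);
    if sql%rowcount = 0 then
      insert into app_users (username, pwd_salt, pwd_iter, pwd_hash)
      values (upper(p_username), l_salt, c_iterations, l_hash);
    end if;
  end set_password;

  function authenticate(p_username in varchar2, p_password in varchar2)
    return boolean
  is
    l_salt  raw(16);
    l_iter  pls_integer;
    l_hash  raw(32);
    l_calc  raw(32);
    l_found boolean := true;
  begin
    if p_username is null or p_password is null then
      return false;
    end if;
    begin
      select pwd_salt, pwd_iter, pwd_hash
        into l_salt, l_iter, l_hash
        from app_users
       where username = upper(p_username);
    exception
      when no_data_found then
        -- Unknown user: derive anyway so timing does not reveal which names exist.
        l_found := false;
        l_salt  := dbms_crypto.randombytes(16);
        l_iter  := c_iterations;
    end;
    l_calc := derive(p_password, l_salt, l_iter);
    return l_found and utl_raw.compare(l_calc, l_hash) = 0;
  end authenticate;
end app_auth;
/
```

Storing the iteration count per row lets the work factor be raised later: existing rows keep verifying with their old count until the password is next set.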

  • HTTP request was forbidden with client authentication scheme 'anonymous'

    Hi,
    We have updated our support Package for version BPC NW 10.0 release 801 from 0002 to 0005.
    After the update we are not able to access the server folders in EPM Add-in.
    We have the following error "HTTP request was forbidden with client authentication scheme 'anonymous'". Nevertheless, we only can't access the content of folders that are not public or local.
    In SLG1 log, we have the error " Access not granted, You are not the member of team: BUSINESS ADMIN". This is not true because the user has SAP_ALL in BW and is a primary administrator in BPC. The data access profile associated is the administrator member access profile.
    Has anybody seen this error?
    Best regards,
    JA

    Hi Nilanjan,
    We are able to log in into EPM Add-in.
    We have the error when we try to open input forms or reports from server, but only from some folders.
    When we select the folder we have the error.
    For example we can see the content from:
    WEBEXCEL\REPORTLIBRARY\
    ADMIN\WEBEXCEL\TEAMREPORTLIBRARY\
    But we can't see the content from:
    BUSINESS ADMIN\WEBEXCEL\TEAMREPORTLIBRARY\
    TEAM FI\WEBEXCEL\TEAMREPORTLIBRARY\
    The user has administrator member access profile and is included in all teams (ADMIN, BUSINESS ADMIN and TEAM FI)
    We really can't see what could be the problem
    Hope you can help us.
    regards,
    JA

  • "Best Practices" for using different Authentication Schemes ?

    Hi
    We are using different authentication schemes in different environments (Dev/QA/Prod). Changing the authentication scheme between the environments is currently a manual step during the installation. I am wondering if there are better "Best Practices" to follow, where the scheme is set programmatically as part of the build/ load process for a specific environment. ... or any other ideas.
    We refrained from merging the authentication schemes (which is possible) for the following reasons:
    - the authentication code becomes unnecessarily complex
    - some functions required in some environments are not available in all environments (LDAP integration through centrally predefined APIs), requiring dynamic execution
    Any suggestions / experience / recommendation to share are appreciated.
    Regards,
    - Thomas
    [On Apex 4.1.0]

    t-o-b wrote:
    Thanks Vikram ... I stumbled over this post, I was more interested in what the "Work Around" / "Best Practices" given these restrictions.
    So I take it that:
    * load & change; or
    * maintain multiple exports
    seem to be the only viable options
    ... in addition to the one referred to in my questions.
    Best,
    - Thomas
    Thomas,
    It's up to you really and depends on many criteria (I think it's more of release process and version controlling).
    I haven't come across a similar scenario before, but I would maintain multiple exports so that the installation can be automated (no manual intervention required).
    Once the API is published (god knows when it will be) you can just maintain one export with an extra script to call the API.
    I guess you can do the same thing with the load & change approach but I would recommend avoiding manual intervention.
    Cheers,
    Vikram

  • Restful Web Services - First Party Authentication with custom authentication schemes

    Hi
    I've successfully enabled security using first party authentication on our Restful web services however these only work with the built in Apex accounts and not other authentication schemes.
    Ideally I'd like to authenticate against LDAP, however when I enable this authentication scheme the restful services don't work as they only support the Apex accounts. 
    Has anyone implemented LDAP authentication for Apex restful web services, either directly or using Glassfish ? Does anyone know if support for custom authentication schemes on the feature roadmap for a future Listener release ?
    I attempted to configure the glassfish application against LDAP but am still working on it.. glassfish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for Apex would be appreciated.
    Thanks
    Kes

    Hi Gemma,
    unfortunately at the moment you are caught between a rock and a hard place:
    - As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
    - Listener can only authenticate against the APEX user repository, it cannot integrate with custom APEX authentication.
    There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
    Thanks,
    Colm Divilly

  • Defining an Authentication Scheme for user ID and password and client certi

    Hi,
    I need to define an Authentication Scheme for user ID/password and client certificate, both at the same time, so that whenever the end user accesses the SAP Portal he/she will be asked to provide user and password as well as a digital certificate.
    Despite the whole idea behind the concept of digital certificates, my client still wants to keep the user ID and password to comply with business requirements.
    I found documentation that discusses Authentication Schemes with an example using both ID and digital certificate, but the priority was set differently for each authentication method.
    http://help.sap.com/saphelp_nw04s/helpdata/en/d3/1dd4516c518645a59e5cff2628a5c1/content.htm
    So I am wondering whether I can accomplish user ID/password plus digital certificate just by making the priority the same value. Has anyone had a similar requirement?
    Best Regards
    Claudio Rocha

    Hi
    Did you get an answer for this Query ?
    Regards
    Priyanka
