Authorization in apex

Similar Messages

• Authorization LOV Apex 4.2

  I have 3 database and Apex environment DEV, UAT, and SIT (all should be the same using Import Export)
  But UAT is not allowing users access to a page item due to an authorisation issue.
  The Authorisation LOV on the page in DEV and SIT has a list of Groups that can be selected from that I have created e.g. SSC_MANAGER,SSC_ADMIN but at the very end of the LOV is a number 65978970187  what!!
  I have not created this  65978970187 User Group so where has it come from? How can query the underlying users and groups in the database to compare across my 3 databases to see why the page works in DEV and SIT but not in UAT this is the only difference this rouge User Group in the Authoirization LOV.
  Thanks

  Hi Jan,
  thanks for letting us know. We have filed bug# 14577795 and are looking into this issue.
  Regards
  Patrick
  My Blog: http://www.inside-oracle-apex.com
  APEX Plug-Ins: http://apex.oracle.com/plugins
  Twitter: http://www.twitter.com/patrickwolf

• Using Page Text Item in an Authorization Scheme

  Hello,
  I will be having a text item is every page say, Px_RESP_ID (hidden and its value set in an earlier page), and want to use its value in an authorization scheme to verify if the user has an access to the page.
  I'm using the following SQL in the authorization scheme -
  Apex Version: Apex 3.2
  Scheme Type: Exists SQL Query
  SQL:
  SELECT 1
  FROM zs_users zu
  , zs_responsibilities zr
  , zs_user_resp_groups zur
  WHERE
  zu.user_name = :APP_USER
  AND zr.resp_id = '&P'||:APP_PAGE_ID||'_RESP_ID.'
  AND zu.user_id = zur.user_id
  AND zr.resp_id = zur.resp_id
  For some reason this approach is not working. Any ideas to help me move forward will be greatly appreciated.
  Regards,
  Seshu

  AFAIK an application item, or maybe a page 0 item, is the only way to do this (as those items effectively exist across all pages of an application). Unfortunately since authorization schemes are application-level, you can't really effectively reference page items at runtime since you aren't necessarily on that page.
  The other option is an ugly one. Instead of creating one auth scheme (e.g.: "user_has_whatever_authority"), create one for every page (e.g.: "user_has_whatever_authority_1", "user_has_whatever_authority_2", etc.) and attach each auth scheme to each page by matching up the number in the name with the page. But this is a maintenance nightmare and terrible style IMHO, but it'll work. Your colleagues will hate you for it when you're gone though.

• Best Approach to create Security / Authorization Schema for an APEX Apps

  Hi,
  I am planning to create a Security / Authorization Schema for an APEX Application.
  Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
  I am looking for following features...
  1. users LOGIN and then user's name is stored in APEX_USER...
  2. Based on the user, I want to restrict the Application on following levels.
  - TABS
  - TABS - Page1 (Report
  - Page2 (Form)
  - Page2 (Region1)
  - Page2 (Region1, Button1)
  - Page2 (Region1, Items,....)
  AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
  I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
  My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
  Also what should be the FRONT end, we should have to enter these detail...
  SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
  Thanks,
  Deepak

  Hi Raghu,
  thanks for the detial info.
  so that means..I should have 2 table...
  master table (2 columns - username, password)
          username    password
     user1       xxxx
     user2       xxxx2nd table (2 columns - username, chq_disp_option)
  - In this table, we don't have Y/N Flag you mentioned..
  - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
  - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
  - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
            username    chq_disp_option
     user1       re_region1
     user1       re_region2
     user1       tb_main
     user1       Page1
     user1       Page5
     ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
  - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
  Thanks,
  Deepak

• APEX - Authorization Scheme

  Hi
  i have a app developed in apex.... i'm getting a problem because on the Authorization Scheme. i create a view in oracle that shows if certain user may run the app, however i can't put this working, on apex.
  I'm wearing a Authorization Scheme based on PL/SQL Function returning boolean...bust i'm lost to doing that. i make a function in oracle and it works fine.... e also can set the result of that function to a variable, but i can't return no value... e tried to make all function on apex side...but it's not permited... so...
  what can i do for the function returns a value!
  PS - sorry for the bad english....i'm a newbie in PLSQL, and i'm usig the code:
  declare
  n number;
  begin
  n:=usr_system.f_teste('jose.lopes');
  end;
  I also tried to return n...but gives error
  thanks

  José,
  The function must return true or false (boolean). So if your f_teste function returns 1 for true and 0 for false, just do something like:declare
    n number;
  begin
    n:=usr_system.f_teste('jose.lopes');
    if n = 1 then
      return true;
    else
      return false;
    end if;
  end;Scott

• Authorization Scheme using the APEX Authentication Scheme

  How would you build an authentication scheme that is using the APEX Authorization scheme. All users are belonging to a group which could be Oracle, External or Developer and I'd like to hide certain pages from the External users.
  I am not sure if I can grab the group name from some V('..') function and make something work?
  Cheers,
  Andy

  I'll give it a try again, sorry for not being able to describe the problem better!
  I am using the APEX built in authorization and authentication to make my life simple with regards to user mgmt. So all the users are managed using the Home>Administration>Manage Application Express Users. Every user belongs to an APEX group (Home>Administration>Manage Application Express Users>User Groups). For example:
  User A belongs to Group External
  User B belongs to Group Oracle
  User C belongs to Group Admin
  Now, there are certaing pages in my application that I want to restrict from the Group External (but the Group Admin and Group Oracle can see them).
  So my question is really how would I build such an Authorization Scheme to accomplish this? Not suer about which APEX API functions I should use to get this data and how to build the function.
  I hope this makes more sense?
  Andy

• How secure is APEX authorization?

  We are developing a system which mandates that a user only be able to perform functions that they have been authorized (trained) to do. My understanding is that APEX will do this nicely using authentication to make sure a user is who they say they are and authorization to restrict which pages, regions, or buttons the individual user can see/navigate to. Once we sort through all the details and get this set up, how sure can we be that a malicious user will not be able to circumvent the authorization scheme? For example: could a view only user spoof the application into thinking they had pressed a delete button on a page where the delete button was hid from them because of the authorization scheme attached to it? Our concern is that since all of the security lives in the application, if the application security is defeated a user will be able to do anything the application’s “parse as” schema can do.

  Bud,
  Absolutely a savvy user could do this. That is why you also need to protect the delete process from the user. Let's say you have a button (delete) and a process (delete proc) that only runs when the delete button is pressed. If you add an authorization scheme to the button, you should also add the same auth scheme on the process. Beyond that, you just need to make sure that your authorization scheme is well-defined (that is, not dependent on something that the user could hack) and you will be fine.
  Hope this helps,
  Anton

• Apex authentification  vs.  authorization

  I want to create an open public application where all pages are common and need no personal login to show the information. Only some objects (create, change - buttons) on different pages I want to control with the authorization mechanism based on the Username. Only an authorization schema with a table of usernames in background and the allocation to the buttons is not enaugh.
  Thanks for your information in advance

  Hello jes
  thanks for your answer, my
  1st step was to create a oracle-table with names, which I want allow to use the create-buttons etc.
  2nd step was the creation of an named authorization schema (exist rule based )with the inside sql like select id from <table> where usename = :APP_USER
  3rd step was to allocate this authorization schema to the security options of the create-Button
  Because the application is public, and nobody has to log in into the application and therefore the user is PUBLIC_USER. The problem is I can't differentiate the users inside the application

• APEX.CONDITION.UNHANDLED_ERROR in Application after Update to 4.2

  following error in an Application (working perfect in Apex 4.0.2) after Update to 4.2.0
  after entering url:
  Error     Error processing condition.
  ORA-00907: missing right parenthesis
  Technical Info (only visible for developers)
  is_internal_error: true
  apex_error_code: APEX.CONDITION.UNHANDLED_ERROR
  ora_sqlcode: -907
  ora_sqlerrm: ORA-00907: missing right parenthesis
  error_backtrace:
  ORA-06512: at "SYS.DBMS_SYS_SQL", line 1325
  ORA-06512: at "SYS.WWV_DBMS_SQL", line 1185
  ORA-06512: at "SYS.WWV_DBMS_SQL", line 1256
  ORA-06512: at "SYS.WWV_DBMS_SQL", line 1294
  ORA-06512: at "APEX_040200.WWV_FLOW_DYNAMIC_EXEC", line 880
  ORA-06512: at "APEX_040200.WWV_FLOW_CONDITIONS", line 331
  Any Ideas?
  regards
  Ralf

  the was an missed ' in an authorization schema (SQL Query) - prior Versions of Apex ignored that error ...

• Partner application authorization model missing

  We have written our own portal using j2ee technologies. Based upon user identity, we construct a launch pad for the applications that a user has authorization to. It have 260 different applications.
  We want to migrate to Oracle Portal. I would like to make each of these applications a partner application. They all share the same user repository.
  The problem is that Oracle does not have a user to Partner application authorization model.
  I could encapsulate all the applications as portlets, then Oracle portal would be able to manage the authorization to the portlets. To do this would be a major effort, changing thousands of JSP's and classes that render links. But this is not possible if they are just partner applications.
  I know, Oracle is going to say "Portal is just a launch pad, it does not handle menuing of individual applications. That is the individual application's responsibility."
  THIS does not apply. I thought long and hard on this issue. I am not asking Oracle Portal to take over menuing of an application, rather, I am asking it to be a launchpad to my 260 different applications, and to provide the facility that would allow the assignment of user and groups to execute partner applications.
  One thing I may have to do is on the initialization of the partner application is to make a call back to the login server and check whether they are authorized to use the partner application.
  There is a big difference between authentication and authorization.
  Thanks,
  Phillip

  Did you try checking the partner application entries on the SSO-login server page?
  please login as orcladmin or some other user with membership in, i beleive, iasadmins group. verify that for this partner application, what you see here corresponds to the application URL. it looks like your login page call may have issues. so check for login url too.
  also check the ORASSO.WWSSO_LS_CONFIGURATION_INFO$ for entries corresponding to Apex application.

• APEX 3.0 with Single Sign On for single application

  Hi All,
  I have been playing around with SSO (IAS 10.1.2) and an APEX application for the past couple of days and am still having problems.
  I have followed the instructions word for word in the various how to documents named in this forum and am now at the point where I successfully redirect to SSO login page > login using a username created in OID (which is the same username/password in my application) > then get redirected back to "http://<MY_SSO_HOST>:7777/sso/auth"..
  Some things about my instance:
  1. Oracle DB > 10g 10.1.2
  2. Oracle IAS > 10g 10.1.2 (different server to above)
  3. APEX 3.0 > trying to run SSO authentication against a single application rather than the whole APEX instance.
  4. I have (after a lot of grief - figured out that the DAD MUST be /pls/somedad and that the port number 80 must be defined in the SSO token regardless - those two little gems got me as far as I am..
  Now I know very little about SSO and am trying to evaluate it for my application (which uses a DB login/password and has to continue to do so for other reasons which I do not control). I am assuming there is some method of synchronizing the OID/SSO repository with my db accounts but haven't yet figured that one out.
  I cannot for the life of me see what's wrong here. Any ideas??

  Thanks Scott..
  Okay let me go through the responses here..
  ...login using a username created in OID (which is the same username/password in my application)
  My application overlays another Oracle application (old client server) which relies on physical database user accounts to perform its own internal grants etc. i.e. it uses where USER = blah all over the place.
  Therefore my application is currently using the internal authentication scheme DATABASE (using DAD to resolve the credentials). In attempting to use SSO I am assuming that SSO must in some way be synched with my database (otherwise how does it pass any password changes applied in SSO to the database?)
  Given that it's a base install (SSO) the only login I have there is the default orcladmin account. So I am trying to figure out how to get SSO to pass an acceptable login name/password to my application. My first attempt has been to create a user in OID that matches the DB login to see if SSO passes these on login - maybe I'm completely missing the point here??
  ...After login you get redirected to "http://<MY_SSO_HOST>:7777/sso/auth"? That's not right..
  I have created/registered the application as per the how to guide using <my app name>.<my host>:<port> and setting the success URL to http://<my host>:<port>/pls/<mydad>/<my schema>.<custom success proc>
  When I fire up my browser and go to http://<my host>/pls/<mydad>/f?p=9900:1 it sends me to the SSO login page. After entering my username and password I then end up with a HTTP 404 - not found page with the URL "http://<MY_SSO_HOST>:7777/sso/auth".
  ..You should think about getting to 10.2 at least, ..
  Agreed but when I tried to upgrade the other day it fell in a big heap - so I backed it out to 10.1 again.
  ..I think I know what you mean. You installed the SSO SDK in a schema local to one workspace..
  That is correct - had to do it as my instance has multiple applications and I want to check it works on this one before breaking anything else!
  ..No, that's not always the case. If you find that putting '80' in works in your configuration and leaving it out doesn't work then put it in..
  I tried initially without the 80 but it threw errors whenever I tried to connect (these errors were APEX ones not SSO). On an off chance I put the 80 in there and presto it worked (in the sense that it redirected me to SSO anyway).
  ..Your application's use of a DB login/password is incongruous with using a different authentication method -- SSO or any other...
  Given the constraints mentioned earlier (answer to first question above) I don't really have much choice. I have an Oracle application that uses DB accounts to authenticate users and authorize thier use of the app modules. What I need to do is 'wrap' and APEX application around this Oracle application to make it SOX compliant (it does not currently enforce password aging/structure etc.) So.. I was thinking that SSO might be the answer.
  If SSO (used with OID) can enforce password aging and policies my intent is to have SSO 'manage' the user passwords for my APEX app (and it's underlying Oracle application). Hence the question about synching SSO with the underlying DB accounts. I thought the whole point of SSO/OID was to allow various enterprise apps to have thier authentication layers 'managed' by SSO - again maybe I'm misinterpreting this..
  ..if your application is working now with a non-SSO authentication scheme, then it should continue to work the same with SSO because after authentication, APP_USER is FRED in both cases..
  Agreed - but how does SSO "know" to let a given user have access to that particular application?
  Paul

• APEX application not able to access

  Hi all,
  I am new in APEX.
  and I have to create the same environment as the client have.
  client only given me sql for importing the application developed in APEX.
  I created workspace and imported the application in that. but the client is using the active directory authentication and now when i am trying to run the application at my environment then i am not able to access the application.
  So could any one of you please guide me what i need to do with the APEX to login to the application with my active directory authentications.
  this is somehow urgent and i am not able to get any help. so could anyone guide me.
  Sanket
  Edited by: user10528895 on Oct 28, 2010 10:46 PM

  Hi ajinkya,
  Thanks for forwording the helping hand.
  but can able to mannage and found some documentas of configuration of LDAP and using the LDAP authentication at my own. and now i configured the LDAP and able to access the application.
  now the next step i am stuch is the authentication is of 2 layer 1 i passed but next is there are some of the authorizations schems created and assigned to the specific users.
  now if i want to get the information of the authentications schems and where the data store then from where i get the information that is my question
  i am using database version 10g 10.2.0 and apex 3.0.1
  Regards,
  Sanket

• Browser error on APEX Login Page

  Good morning,
  Version Information:
  - APEX 3.1.1
  - Database 11.1.0.6.0
  - Application Server: 10.1.3
  I'm using the APACHE install on my APP server to connect to APEX.
  When I connect to the APEX_ADMIN login page, after filling in the blanks, I get a browser error message, not an APEX error. The "caution" icon pops up on the status bar at the bottom of the browser window. When I look at the message, it says:
  Line: 34
  Char: 1
  Error: Object expected
  Code: 0
  URL: http://<myservername>:7778/pls/apex/f?p=4550:10:7817059686490562
  That URL, of course is the login page.
  When I checked the status, the install completed successfully. I am listening on port 7778 mainly because those that came before me configured the app server's http.conf with 7778.
  What am I missing?
  Thanks,
  Don.

  Thank you for your responses,
  Yes, I'm pretty sure that my image alias is correct (see my DADS.CONF listing below).
  I am NOT upgrading from 3.0, this is a new, clean install. I'm still checking other possible causes. Not sure where to go next.
  # ============================================================================ # mod_plsql DAD Configuration File # ============================================================================ # 1. Please refer to dads.README for a description of this file # ============================================================================ # Note: This file should typically be included in your plsql.conf file with # the "include" directive. # Hint: You can look at some sample DADs in the dads.README file # ============================================================================
  Alias /i/ "D:\oracle\AppServ\Apache\Apache\images/"
  AddType text/xml xbl
  AddType text/x-component htc
  <Location /pls/apex>
  Order deny,allow
  AllowOverride None
  PlsqlDocumentProcedure wwv_flow_file_mgr.process_download
  PlsqlDocumentPath docs
  PlsqlDatabaseConnectString <myservername>:portno:<servicename> ServiceNameFormat
  PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
  PlsqlAuthenticationMode Basic
  SetHandler pls_handler
  PlsqlDocumentTablename wwv_flow_file_objects$
  PlsqlDatabaseUsername APEX_PUBLIC_USER
  PlsqlDefaultPage apex
  PlsqlDatabasePassword <apexpassword>
  PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
  Allow from all
  </Location>

• APEX SSO and Load balancing: Could not determine workspace for application

  We had a single HTTP Server serving APEX in a 10.2.0.2 database configured with SSO to be used by the developers. APEX has been registered as a partner application and the login url has been CA Siteminder protected so that the SM_USER details are forwarded in the header for the application to use for authorization. Everything is fine so far.
  Now we have added a HTTP Server on another host and have it all set up for APEX and its pointing to the same database. APEX_ADMIN access works as normal, but applications previously using SSO now get the following error after entering the URL.
  Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
  Error ERR-7620 Could not determine workspace for application ().
  Using HTTP Watch I find that the application is not even trying to redirect to the login page.
  What is wrong here?

  APEX has been registered as a partner application as described in
  http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
  In the meantime I found metalink document 368746.1 which describes the cause of this problem. Please read carefully what I wrote, it all works when the the new APEX web server is turned off in the server farm on the load balancer and directed through the original web server. When running regapp.sql the hostname in the listener token was using the virtual hostname. This works fine if the request comes from the original APEX server which proofs that there is nothing wrong with the installation and set up of SSO. When directing the request to the new APEX web server the APEX_ADMIN page still works only existing work spaces using SSO don't seems to work anymore resulting in a error as described in the subject.
  As for metalink document 368746.1 naming the causes of this error:
  - there are no duplicate entries in WWSEC_ENABLER_CONFIG_INFO$
  -LISTENER_TOKEN clearly works for requests coming from the first web server
  -theoretically the web server listener port could be changed from 7777, but port 80 needs to be maintained here as production is mimiced as far down as possible.
  Is there some cache table which can be cleared? How is it that the flows schema (apex engine) can not find the work space when the request comes from a new web server which can however access the APEX_ADMIN pages.
  anyone?

• ORA-01400 - not null column with default value and item with authorization

  I've searched - I would think someone has run into this. APEX 3.0.0.00.20 - I've created a simple form on a table. One of the column is a not null column with a default value. I have a select list on that item, but it has security on it - authorization scheme. So, it checks the user and if that user isn't of the right role, it will not even display that item. However, APEX appears to still send in the column in its sql! So, the default value is useless, it sends in null each time. Even if I set the default at the Item level, I get null. Argg. That's got to be a bug...
  In debug, I do not see the item listed at all. It's not used. That's fine - but why is it trying to insert the value? I would think it would leave it off??? I think because the item is associated with a database column. But, getting around this is ugly. Having to create a hidden item for each one, and then check to see if I need to take the list value... horrible. Any way to get around this???

  I should add - I guess I can always put my own custom process in to replace the DML. Just seems like a simple thing - if the value doesn't appear on the debug, isn't set with any default value... don't include it in the DML.