Authorization Scheme based on a group in LDAP?
Hi,
I would like to write an Authorization Scheme that checks whether a user (authenticated via an Authentication Scheme based on LDAP) is a member of a specific group in LDAP, for access control.
I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
Thanks!
I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
Very straightforward....
However, my question now is, how would I tie this in to my authentication scheme?
One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
How would I tie these two schemes together?
Thanks in advance for any help offered....
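One way to tie the two schemes together, as an added example that is not code from the original post: do the group test inside a custom authentication function, at the one moment the user's password is in hand, and have the authorization scheme read the verdict from an application item. APEX_LDAP.IS_MEMBER takes the user's own login name and password (it binds with them), which is exactly what an authorization scheme no longer has after login, so the check is done at login time instead. Host name, base DNs, group name, the application item G_IN_APP_GROUP and the use of LDAPS are assumptions.

```plsql
-- Added example; not code from the original post. Names below are assumptions.

-- 1. Custom authentication function. Create an Authentication Scheme of type
--    "Custom" and set "Authentication Function Name" to ldap_login; APEX calls
--    it with the credentials typed into the login page.
CREATE OR REPLACE FUNCTION ldap_login (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN
IS
    c_host       CONSTANT VARCHAR2(256) := 'ldap.example.com';   -- assumption
    c_port       CONSTANT VARCHAR2(5)   := '636';                -- LDAPS
    c_use_ssl    CONSTANT VARCHAR2(1)   := 'Y';  -- SSL, server cert checked against the instance wallet
    c_auth_base  CONSTANT VARCHAR2(256) := 'ou=people,dc=example,dc=com';
    c_group_base CONSTANT VARCHAR2(256) := 'ou=groups,dc=example,dc=com';
    c_group      CONSTANT VARCHAR2(256) := 'apex_app_users';
    l_in_group   BOOLEAN := FALSE;
BEGIN
    -- Refuse empty credentials up front: many directories treat a bind with
    -- an empty password as an anonymous bind that "succeeds".
    IF p_username IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Step one: can this user bind? This is what the built-in LDAP
    -- authentication scheme does.
    IF NOT APEX_LDAP.AUTHENTICATE(
               p_username  => p_username,
               p_pass      => p_password,
               p_auth_base => c_auth_base,
               p_host      => c_host,
               p_port      => c_port,
               p_use_ssl   => c_use_ssl) THEN
        RETURN FALSE;
    END IF;

    -- Step two: is the user in the group? The same credentials are used for
    -- the lookup, so no service account or anonymous search is needed.
    l_in_group := APEX_LDAP.IS_MEMBER(
                      p_username   => p_username,
                      p_pass       => p_password,
                      p_auth_base  => c_auth_base,
                      p_host       => c_host,
                      p_port       => c_port,
                      p_use_ssl    => c_use_ssl,
                      p_group      => c_group,
                      p_group_base => c_group_base);

    -- Remember the verdict for the session. G_IN_APP_GROUP is an application
    -- item with Session State Protection "Restricted - May not be set from
    -- browser", so a user cannot set it to 'Y' through the URL.
    APEX_UTIL.SET_SESSION_STATE('G_IN_APP_GROUP',
                                CASE WHEN l_in_group THEN 'Y' ELSE 'N' END);
    RETURN TRUE;   -- authenticated; page access is decided by the scheme below
EXCEPTION
    WHEN OTHERS THEN
        -- directory unreachable, bad DN, ...: fail closed, never fail open
        RETURN FALSE;
END ldap_login;
/

-- 2. Authorization Scheme of type "PL/SQL Function Returning Boolean",
--    Evaluation Point "Once per page view"; attach it to the pages to protect.
BEGIN
    RETURN :APP_USER IS NOT NULL
       AND :APP_USER <> 'nobody'
       AND NVL(:G_IN_APP_GROUP, 'N') = 'Y';
END;
```

The scheme only reads session state, so evaluating it once per page view costs nothing and avoids the trap of a once-per-session scheme firing before :APP_USER is set. If the group changes while the user is logged in, the verdict is stale until the next login; that is the trade-off for not storing the password anywhere.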
Similar Messages
-
Hi
I have an app developed in APEX.... I'm getting a problem with the Authorization Scheme. I created a view in Oracle that shows whether a certain user may run the app, however I can't get this working in APEX.
I'm using an Authorization Scheme based on PL/SQL Function returning boolean... but I'm lost on how to do that. I made a function in Oracle and it works fine.... and I can also set the result of that function to a variable, but I can't return any value... and I tried to put the whole function on the APEX side... but it's not permitted... so...
What can I do so that the function returns a value?
PS - sorry for the bad English.... I'm a newbie in PL/SQL, and I'm using the code:
declare
n number;
begin
n:=usr_system.f_teste('jose.lopes');
end;
I also tried to return n...but gives error
Thanks
José,
The function must return true or false (boolean). So if your f_teste function returns 1 for true and 0 for false, just do something like:
declare
n number;
begin
n:=usr_system.f_teste('jose.lopes');
if n = 1 then
return true;
else
return false;
end if;
end;
Scott
-
Create Authorization Scheme for LDAP Groups
I have installed APEX 4.0 in my staging environment and got the LDAPS to finally work. I can now login to the application with my LAN user name and password. The only problem is so can everyone else on the LAN. So I wanted to create an authorization scheme that would only allow a certain group or groups of LDAP users into the application rather than everyone.
I am at the Create Authorization Scheme page and am kind of stuck. Has anyone done this before and can share some SQL or knowledge?
Hi larosejh
If you want to do that you must write your own procedures using the dbms_ldap package. I found some code a while back that searches the LDAP. Maybe you can use this to create a function for your authentication.
DECLARE
retval PLS_INTEGER;
my_session DBMS_LDAP.session;
my_attrs DBMS_LDAP.string_collection;
my_message DBMS_LDAP.message;
my_entry DBMS_LDAP.message;
entry_index PLS_INTEGER;
my_dn VARCHAR2(256);
my_attr_name VARCHAR2(256);
my_ber_elmt DBMS_LDAP.ber_element;
attr_index PLS_INTEGER;
i PLS_INTEGER;
my_vals DBMS_LDAP.STRING_COLLECTION ;
ldap_host VARCHAR2(256);
ldap_port VARCHAR2(256);
ldap_user VARCHAR2(256);
ldap_passwd VARCHAR2(256);
ldap_base VARCHAR2(256);
BEGIN
retval := -1;
-- Please customize the following variables as needed
ldap_host := 'host';
ldap_port := '389';   -- plain LDAP; for LDAPS use 636 and call DBMS_LDAP.open_ssl after init
-- In case of update/insert/delete need change ldap_user to other.
-- ldap_user := 'cn=orcladmin';
-- ldap_passwd:= 'welcome';
-- set User and password to NULL for anonymous user.
-- Hard-coded bind credentials are acceptable only in a throwaway test block;
-- a function used by an authorization scheme should read them from a
-- protected table or a wallet.
ldap_user := 'user';
ldap_passwd:= 'password';
ldap_base := 'CN=Users,DC=ee,DC=intern';
-- end of customizable settings
-- Start output Header--
DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
DBMS_OUTPUT.PUT('> DBMS_LDAP Search Example ');
DBMS_OUTPUT.PUT_LINE('');
DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Host ',25,' ') || ': ' || ldap_host);
DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Port ',25,' ') || ': ' || ldap_port);
-- Choosing exceptions to be raised by DBMS_LDAP library.
DBMS_LDAP.USE_EXCEPTION := TRUE;
my_session := DBMS_LDAP.init(ldap_host,ldap_port);
DBMS_OUTPUT.PUT_LINE (RPAD('> Ldap session ',25,' ') || ': ' ||
RAWTOHEX(SUBSTR(my_session,1,8)) ||
'(returned from init)');
-- bind to the directory
retval := DBMS_LDAP.simple_bind_s(my_session,
ldap_user, ldap_passwd);
DBMS_OUTPUT.PUT_LINE(RPAD('> simple_bind_s Returns ',25,' ') || ': '
|| TO_CHAR(retval));
-- issue the search
my_attrs(1) := 'dn'; -- ask only for the DN; use '*' to retrieve all attributes
retval := DBMS_LDAP.search_s(my_session, ldap_base,
DBMS_LDAP.SCOPE_SUBTREE,
'objectclass=*',
my_attrs,
0,
my_message);
DBMS_OUTPUT.PUT_LINE(RPAD('> search_s Returns ',25,' ') || ': '
|| TO_CHAR(retval));
DBMS_OUTPUT.PUT_LINE (RPAD('> LDAP message ',25,' ') || ': ' ||
RAWTOHEX(SUBSTR(my_message,1,8)) ||
'(returned from search_s)');
-- count the number of entries returned
retval := DBMS_LDAP.count_entries(my_session, my_message);
DBMS_OUTPUT.PUT_LINE(RPAD('> Number of Entries ',25,' ') || ': '
|| TO_CHAR(retval));
DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
-- End output Heading --
-- get the first entry
my_entry := DBMS_LDAP.first_entry(my_session, my_message);
entry_index := 1;
-- Loop through each of the entries one by one
while my_entry IS NOT NULL loop
-- print the current entry
my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
-- DBMS_OUTPUT.PUT_LINE (' entry #' || TO_CHAR(entry_index) ||
-- ' entry ptr: ' || RAWTOHEX(SUBSTR(my_entry,1,8)));
DBMS_OUTPUT.PUT_LINE (' dn: ' || my_dn);
my_attr_name := DBMS_LDAP.first_attribute(my_session,my_entry,
my_ber_elmt);
attr_index := 1;
while my_attr_name IS NOT NULL loop
my_vals := DBMS_LDAP.get_values (my_session, my_entry,
my_attr_name);
if my_vals.COUNT > 0 then
FOR i in my_vals.FIRST..my_vals.LAST loop
DBMS_OUTPUT.PUT_LINE(' ' || my_attr_name || ' : ' ||
SUBSTR(my_vals(i),1,200));
end loop;
end if;
my_attr_name := DBMS_LDAP.next_attribute(my_session,my_entry,
my_ber_elmt);
attr_index := attr_index+1;
end loop;
my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
DBMS_OUTPUT.PUT_LINE(' --------------------------------------------------- ');
entry_index := entry_index+1;
end loop;
-- unbind from the directory
retval := DBMS_LDAP.unbind_s(my_session);
DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||
TO_CHAR(retval));
-- Start Output Footer --
DBMS_OUTPUT.PUT_LINE('Directory operation Successful .. exiting');
-- Start Output Footer --
-- Handle Exceptions
EXCEPTION
WHEN OTHERS THEN
DBMS_OUTPUT.PUT_LINE(' Error code : ' || TO_CHAR(SQLCODE));
DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
END;
/ -
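An added example, not code from the DBMS_LDAP post above, that turns the search into the function the reply suggests: an authorization scheme calls it to ask Active Directory whether :APP_USER is in one group, binding with a read-only service account over LDAPS. Host, wallet path, service account, base DN and group DN are assumptions, as is the directory being AD (sAMAccountName and memberOf). Unlike the search above, this puts a user-supplied value into the filter, so it escapes it first; an unescaped login name such as *)(objectClass=* would otherwise rewrite the filter.

```plsql
-- Added example; not code from the original thread. Host, wallet, service
-- account, base DN and group DN are assumptions.
CREATE OR REPLACE FUNCTION is_app_user_in_group (
    p_username IN VARCHAR2,
    p_group_dn IN VARCHAR2 DEFAULT 'CN=APEX-USERS,OU=Groups,DC=example,DC=com'
) RETURN BOOLEAN
IS
    c_host      CONSTANT VARCHAR2(256) := 'ldap.example.com';
    c_port      CONSTANT PLS_INTEGER   := 636;                          -- LDAPS
    c_wallet    CONSTANT VARCHAR2(256) := 'file:/u01/app/oracle/wallet'; -- auto-login wallet holding the AD CA
    c_bind_dn   CONSTANT VARCHAR2(256) := 'CN=svc_apex_ldap,CN=Users,DC=example,DC=com';
    c_bind_pw   CONSTANT VARCHAR2(256) := 'change-me';  -- read from a protected table or wallet in real use
    c_user_base CONSTANT VARCHAR2(256) := 'CN=Users,DC=example,DC=com';

    l_session   DBMS_LDAP.session;
    l_attrs     DBMS_LDAP.string_collection;
    l_message   DBMS_LDAP.message;
    l_retval    PLS_INTEGER;
    l_count     PLS_INTEGER := 0;
    l_filter    VARCHAR2(2000);

    -- RFC 4515 escaping. Anything that goes into a filter from outside (the
    -- login name, and the group DN if it is ever parameterised) gets this,
    -- so characters such as * ( ) \ cannot change the filter's structure.
    FUNCTION escape_filter (p_in IN VARCHAR2) RETURN VARCHAR2 IS
        l_out VARCHAR2(4000);
        l_ch  VARCHAR2(1 CHAR);
    BEGIN
        FOR i IN 1 .. NVL(LENGTH(p_in), 0) LOOP
            l_ch := SUBSTR(p_in, i, 1);
            l_out := l_out || CASE l_ch
                                  WHEN '\'    THEN '\5c'
                                  WHEN '*'    THEN '\2a'
                                  WHEN '('    THEN '\28'
                                  WHEN ')'    THEN '\29'
                                  WHEN CHR(0) THEN '\00'
                                  ELSE l_ch
                              END;
        END LOOP;
        RETURN l_out;
    END escape_filter;
BEGIN
    IF p_username IS NULL OR p_group_dn IS NULL THEN
        RETURN FALSE;                       -- nothing to check: deny
    END IF;

    DBMS_LDAP.use_exception := TRUE;
    l_session := DBMS_LDAP.init(c_host, c_port);
    -- Upgrade to TLS before sending the service-account password.
    -- sslauth 2 = one-way authentication: the server certificate must chain
    -- to a CA in the wallet, so a spoofed directory cannot answer "yes".
    l_retval := DBMS_LDAP.open_ssl(l_session, c_wallet, NULL, 2);
    l_retval := DBMS_LDAP.simple_bind_s(l_session, c_bind_dn, c_bind_pw);

    -- Let the directory do the membership test: exactly one entry comes back
    -- only if the account exists AND its memberOf contains the group DN.
    l_filter := '(&(objectCategory=person)(sAMAccountName='
                || escape_filter(p_username) || ')(memberOf='
                || escape_filter(p_group_dn) || '))';
    l_attrs(1) := 'sAMAccountName';
    l_retval := DBMS_LDAP.search_s(l_session, c_user_base,
                                   DBMS_LDAP.SCOPE_SUBTREE, l_filter,
                                   l_attrs, 0, l_message);
    l_count  := DBMS_LDAP.count_entries(l_session, l_message);
    l_retval := DBMS_LDAP.unbind_s(l_session);

    RETURN l_count = 1;
EXCEPTION
    WHEN OTHERS THEN
        -- Directory down, bind refused, TLS failure: deny and do not leak why.
        BEGIN
            l_retval := DBMS_LDAP.unbind_s(l_session);
        EXCEPTION WHEN OTHERS THEN NULL;
        END;
        RETURN FALSE;
END is_app_user_in_group;
/
```

The authorization scheme body is then just RETURN is_app_user_in_group(:APP_USER); with the scheme type set to PL/SQL Function Returning Boolean. memberOf lists direct memberships only; for groups nested inside groups (the question raised in the WLC post further down this page) Active Directory accepts the matching rule memberOf:1.2.840.113556.1.4.1941:=<group DN> in place of memberOf=, which walks the chain on the server.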
Display page items based on Authorization Scheme...
I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
I thought of two possibilities, both I think I'd need help on though!:
1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
accessible by "Edit" or "Admin".
The problem, though, is now "Edit" or "Admin" users will see both columns
2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
I would have no clue how to do this...
Any thoughts?
Kevin L.
Kevin
You can create two items and in the Authorization Scheme you can set one as Users and the second as Edit. Also you can do something using a bit of JS. Create a variable P_USR_TYPE to hold the value of the user group, let's say 1 for Users and 2 for Edit. Then in the HTML header or footer of the region you can add a JavaScript call:
var P_USR_TYPE = parseInt('&P_USR_TYPE.', 10); // APEX substitutes the item value at render time
function UsrCustomization() {
    if (P_USR_TYPE == 1) {
        // mark the item as read-only (a disabled field would not be submitted)
        // document.getElementById('P1_FIELD_QUESTION').disabled = true;
        document.getElementById('P1_FIELD_QUESTION').readOnly = true;
    }
    // Browser-side only: the user can remove the attribute, so the page's
    // submit processing must still refuse edits from users who may not edit.
}
UsrCustomization();
Thanks,
Manish -
WLC 5508 LDAP Windows 2008 Server - auth based on AD groups
hi NG,
I'm trying to web-authenticate my WiFi users on a WLC 5508 against LDAP.
Thereby I'm trying to authenticate all users within a GROUP, not an OU, within MS Active Directory based on a Windows 2008 Server.
I can authenticate against a user which is put into an OU, according to the examples here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
Checking based upon users within OUs works fine.
But I have not got all of those users within one single OU!
Need help for following: LDAP-Auth based on AD Groups:
Using:
MS-Domain: MY-DOMAIN.CH
AD-GROUP: VPN-USERS
AD-Structure:
MY-DOMAIN.CH
|
GROUPS
|
Administrative Groups
|
VPN-USERS
(-> Members of this group: Wireless1, Wireless2, ...)
Server Address: IP.IP.IP.IP
Port: 389
Enable Server Stats YES
Simple Bind Authenticated
Bind Username LDAP-USER
Bind Password supersecret
Bind Passw. confirm supersecret
User Base DN: ?-1-?
User Attribute: ?-2-?
User Object Type: Person
Server Timeout 2
What happens, for instance, if I put a GROUP within a GROUP regarding the LDAP authentication?
I guess I have to authenticate against the "upper" GROUP, or do I have to create an entry on the WLC for every GROUP I'm querying?
Could someone provide me with an example, since I have not found documentation regarding this topic.
Thank you.
Hi,
User Base DN : this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
Remember that the User Base DN is also used for the admin user.
In conclusion, User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
Example :
OU=Employees,OU=Humans,DC=Mydomain,DC=CH
This would prevent searching in machines or any other assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under Employees, it doesn't matter.
Attribute : This is the object attribute that the WLC uses to compare with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
If what you are looking for is to restrict access and only authenticate people who belong to a certain group, then you need a RADIUS server like ACS.
That server will be able to make selections and check the "memberOf" attribute to make sure it is in a certain group.
Nicolas
===
Don't forget to rate answers that you find useful -
Authorization Schemes, User Groups
Hi Folks,
I wish to create an authorization scheme and to do so with one of the user groups I defined in
Home>Administration>Manage Application Express Users
How can I set the authorization scheme to achieve this?
Thanks for any and all help
Are you looking for apex_util.current_user_in_group?
Create a new authorization scheme... PL/SQL function returning boolean
begin
if apex_util.current_user_in_group('MyGroup')
then
return TRUE;
else
return FALSE;
end if;
end;
Reference: http://apex.oracle.com/i/doc/AEAPI/apex_util014.htm
Regards,
Shijesh -
Display region based on authorization scheme
I have a region on a page that is displayed based on the 'SFD' authorization scheme.
I log in as a user who matches the 'SFD' authorization scheme. This scheme queries a table called gnt_authorization to determine if the app user does indeed satisfy the condition, and I do.
But when I open the page, the region is not displayed.
Does anyone have any idea why?
varad wrote:
Does the region render if you logged in using an account other than 'myloginid' ?
I just took another existing account and updated its authorization in gillnet_tag_authorization so that it now says department SFD and startup_page 15. I committed the change. Then I logged in as this user and the region did not display.
But I wonder if I had to close the browser first before this takes effect because the authorization scheme is checked once per session and I had previously already logged in as that user before making the authorization change.
varad wrote:
Has the right Authorization Scheme been specified for the region ?
Yes, it's set to SFD. -
[Authorization] Entry Qty Based on Material Group
Dear gurus,
I've requirement like this:
In tx. VL02N, in picking tab, picked qty can only be entered by personnel based on material group (there's material no. in that screen, and can be traced to get material group).
Is it possible?
Regards,
Hi,
Is it possible?
Accessing an item on a page based on authorization scheme
Hi,
I've two authorization schemes :ADMIN and VIEW.I've created a public page which will be accessed by both schemes.But on that page in particular region I want to display an item only for ADMIN not for VIEW scheme.
Thanks,
Mahender.
For that region's properties, go to Conditional Display and use this built-in function (after you pick PL/SQL function returning boolean): APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION('your_auth_scheme');
This function returns true if the current user is in that auth. scheme.
Let me know if that helps,
Sam K. -
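An added example, not code from either post, for the two questions above this point that ask for "view for everyone, edit for some": the JavaScript read-only trick only changes what the browser shows, so here is the server-side version using the same APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION call, plus the validation that makes the restriction hold when a user re-enables the field. Scheme names EDIT and ADMIN, item names P1_ID and P1_FIELD_QUESTION and table DEMO_TABLE are assumptions.

```plsql
-- Added example; not code from the thread. Scheme names EDIT and ADMIN, item
-- names P1_ID / P1_FIELD_QUESTION and table DEMO_TABLE are assumptions.

-- (a) Item P1_FIELD_QUESTION, "Read Only" condition of type
--     "PL/SQL Function Returning Boolean". TRUE = rendered as plain text.
--     Everyone sees the value; only EDIT or ADMIN users get an input field.
BEGIN
    RETURN NOT (   APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION('EDIT')
                OR APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION('ADMIN'));
END;

-- (b) Page validation of type "PL/SQL Function Returning Error Text", run on
--     submit before the row is saved. Read-only rendering is only a display
--     choice; this is what stops a user who re-enables the field in the
--     browser (or posts the item name by hand) from changing the column.
DECLARE
    l_stored  demo_table.field_question%TYPE;
BEGIN
    IF APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION('EDIT')
       OR APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION('ADMIN') THEN
        RETURN NULL;                         -- allowed to edit: no error
    END IF;

    SELECT field_question
      INTO l_stored
      FROM demo_table
     WHERE id = :P1_ID;

    -- Compare against what is in the database, not against session state,
    -- which the same request may already have overwritten.
    IF NVL(l_stored, '~') <> NVL(:P1_FIELD_QUESTION, '~') THEN
        RETURN 'You are not allowed to change this field.';
    END IF;
    RETURN NULL;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        RETURN 'Record not found.';
END;
```

The same two checks apply per row in a tabular form. The point is that the authorization scheme decides on the server and the browser only reflects the decision; anything done in JavaScript is convenience, not control.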
ACS 5.3 Group Mapping based on AD group membership
Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
Thank you,
Sami
Ok, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
I have a case with Cisco engineer now and still in the middle to sort things out.
The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
Thanks. -
ASA WebVPN. How do you restrict access to users in an AD group using LDAP?
Hi All,
I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.
The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.
The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
I can only do an all or nothing scenario.
It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use. So how do I go about using them in this scenario? Turning off the aliases or URLs is not really an option right now.
Scenario 1 would work the best for me. Restrict access to profiles/groups based on AD group membership using LDAP.
Scenario 2 would be an ideal longer term solution.
Any thoughts, ideas or assistance would be greatly appreciated.
Cheers
This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:
assert(function()
  -- aaa.ldap.distinguishedName is the DN the ASA read back for the user.
  -- The type check guards against a missing attribute (nil); string.find
  -- is a substring match here because "OU=Users" contains no Lua pattern
  -- characters, so it would also match an OU such as "OU=UsersArchive".
  if ( (type(aaa.ldap.distinguishedName) == "string") and
       (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
  then
    return true
  end
  return false
end)()
From the debug dap output you can see what "Users" relates to:
DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
My admin account fails to get me in to the same profile:
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
Thanks
Andrew -
Public and Authenticated App with Authorization Scheme once per session
I have a question . . .
Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
It may make a big difference. If the authorization sheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
Is this clear?
Anton,
It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.
Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?
Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?
During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?
When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
Hope this helps,
Scott -
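An added example, not code from the reply above, that puts Scott's three pieces of advice into one scheme: an application-level authorization scheme evaluated once per page view that passes on the login page, caches a successful check in an application item so the expensive part runs once per user per session, and a process to call when someone's rights change. The item name G_AUTHZ_OK, the login page number 101 and the function expensive_check are assumptions; expensive_check stands for whatever table or directory lookup the real scheme performs.

```plsql
-- Added example; not code from the thread. G_AUTHZ_OK, page 101 and
-- expensive_check are assumptions.

-- Application-level authorization scheme, type "PL/SQL Function Returning
-- Boolean", Evaluation Point "Once per page view" (a once-per-session scheme
-- would fire on the login page while :APP_USER is still unset).
BEGIN
    -- The login page must be reachable before anyone is authenticated.
    IF :APP_PAGE_ID = 101 THEN
        RETURN TRUE;
    END IF;

    -- Not logged in yet: APEX reports the public user as 'nobody'.
    IF :APP_USER IS NULL OR :APP_USER = 'nobody' THEN
        RETURN FALSE;
    END IF;

    -- Cheap path: the expensive check already passed for THIS user in this
    -- session. Storing the user name rather than a bare 'Y' means a session
    -- that is re-used by a different login cannot inherit the old verdict.
    IF :G_AUTHZ_OK = :APP_USER THEN
        RETURN TRUE;
    END IF;

    -- Expensive path: runs once per user per session.
    IF expensive_check(:APP_USER) THEN
        APEX_UTIL.SET_SESSION_STATE('G_AUTHZ_OK', :APP_USER);
        RETURN TRUE;
    END IF;

    APEX_UTIL.SET_SESSION_STATE('G_AUTHZ_OK', NULL);
    RETURN FALSE;
END;

-- Process to run (for example after submit on the page where an admin edits
-- group membership) so the current session re-evaluates on the next request:
BEGIN
    APEX_UTIL.SET_SESSION_STATE('G_AUTHZ_OK', NULL);
    APEX_UTIL.RESET_AUTHORIZATIONS;   -- clears the "already fired" flags
END;
```

G_AUTHZ_OK must be an application item with Session State Protection set to "Restricted - May not be set from browser"; otherwise the cache is a bypass, since a user could set it from the URL. APEX_UTIL.RESET_AUTHORIZATIONS is the current name for the htmldb_application.reset_security_check call mentioned above.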
Authorization Scheme problem using query
Greetings:
I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
The three created authorization schemes are as follows.
My first scheme (set as scheme type: exists SQL Query):
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
APP_GROUP_TYPE != 'READ_ONLY'
This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
My Second scheme (set as scheme type: exists SQL Query):
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
(APP_GROUP_TYPE != 'READ_ONLY'
and
APP_GROUP_TYPE != 'transactional')
The second one, I have added the transactional group as to be explicitly negated access.
My Third scheme
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
(APP_GROUP_TYPE != 'READ_ONLY'
AND
APP_GROUP_TYPE != 'transactional'
AND
APP_GROUP_TYPE != 'general')
the last one, I have added the general group as to be explicitly negated access.
I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.
I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list so as to avoid possible users that may be able to authenticate into the application without a proper group configured.
Thanks for your support. Maybe this can help someone on the forums out. -
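An added example, not code from the post above, showing the allow-list version the poster settled on, with the case fix folded in: the four roles map to ranks, one function answers "does this user hold at least role X", and a user with no group row, an unknown group value, or a typo in the scheme is denied rather than let through. The table APP_USERS and its columns come from the post; the rank numbers are assumptions.

```plsql
-- Added example; not code from the thread. APP_USERS and its columns are
-- from the post, the rank numbers are assumptions.
CREATE OR REPLACE FUNCTION has_role (
    p_user     IN VARCHAR2,
    p_min_role IN VARCHAR2
) RETURN BOOLEAN
IS
    -- Higher rank = more rights. Anything not on the list ranks 0.
    FUNCTION rank_of (p_role IN VARCHAR2) RETURN PLS_INTEGER IS
    BEGIN
        RETURN CASE UPPER(TRIM(p_role))
                   WHEN 'ADMIN'         THEN 4
                   WHEN 'GENERAL'       THEN 3
                   WHEN 'TRANSACTIONAL' THEN 2
                   WHEN 'READ_ONLY'     THEN 1
                   ELSE 0
               END;
    END rank_of;
    l_group  app_users.app_group_type%TYPE;
BEGIN
    IF p_user IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Case-insensitive match: :APP_USER is upper case while the rows in
    -- APP_USERS were entered in lower case (the cause of the failure above).
    -- MAX() turns "no row" into NULL (rank 0) instead of NO_DATA_FOUND; keep
    -- a unique index on UPPER(app_user_name) so it never has to pick between
    -- two rows for one user.
    SELECT MAX(app_group_type)
      INTO l_group
      FROM app_users
     WHERE UPPER(app_user_name) = UPPER(p_user);

    -- Allow-list: the user's rank must reach the required one, and the
    -- required role itself must be a known one, so a misspelt scheme denies.
    RETURN rank_of(p_min_role) > 0
       AND rank_of(l_group) >= rank_of(p_min_role);
END has_role;
/

-- Scheme bodies, type "PL/SQL Function Returning Boolean":
--   not read-only : RETURN has_role(:APP_USER, 'TRANSACTIONAL');
--   general+      : RETURN has_role(:APP_USER, 'GENERAL');
--   admin only    : RETURN has_role(:APP_USER, 'ADMIN');
```

Compared with the three NOT-EQUAL queries, this never grants access because a value failed to match; the only way in is a recognised group value at or above the required rank.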
Can't insert schema-based xmltype into binary xmltype table
I'm having issues trying to use binary storage along with the ALLOW ANYSCHEMA clause. I can't use the XMLSchema-instance mechanism for creating my schema-based XMLType instances, so I'm using CreateSchemaBasedXml. When I try to insert the XMLType into the table, however, it seems to think it's not schema-based and throws an error. I trimmed down my schema for the purposes of this example. Here's the schema (schematest.xsd):
<?xml version="1.0" encoding="Windows-1252"?>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="FORMINFO">
<xs:complexType>
<xs:sequence>
<xs:element name="SUBJECT">
<xs:complexType>
<xs:sequence>
<xs:element name="ADDR">
<xs:complexType>
<xs:sequence>
<xs:element name="STREET" type="xs:string" />
<xs:element name="CITY" type="xs:string" />
<xs:element name="STATEPROV" type="xs:string" />
<xs:element name="ZIP" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Here's the instance file (schematestinst.xml):
<?xml version="1.0" encoding="utf-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
I registered the schema and created the test table:
BEGIN
DBMS_XMLSCHEMA.registerschema(
schemaurl => 'http://localhost/schematest.xsd',
schemadoc => bfilename('XMLDIR','schematest.xsd'),
gentables => false,
gentypes => false,
csid => nls_charset_id('AL32UTF8'),
options => DBMS_XMLSCHEMA.REGISTER_BINARYXML);
END;
/
CREATE TABLE BINARYTEST OF XMLType
XMLTYPE STORE AS BINARY XML
ALLOW ANYSCHEMA;
But trying to insert gives me an ORA-44422 error (this is on Oracle 11.1.0.7.0 Enterprise):
SQL> SET SERVEROUTPUT ON
SQL> declare
2 x XMLType;
3 xschema XMLType;
4 begin
5 x := XMLType(bfilename('XMLDIR', 'schematestinst.xml'), nls_charset_id('AL32UTF8'));
6 xschema := x.CreateSchemaBasedXml('http://localhost/schematest.xsd');
7 xschema.SchemaValidate();
8 DBMS_OUTPUT.PUT_LINE('Schema: ' || xschema.GetSchemaURL() || ' Validated: ' || xschema.IsSchemaValidated());
9
10 INSERT INTO BINARYTEST
11 VALUES (xschema);
12 commit;
13 end;
14 /
Schema: http://localhost/schematest.xsd Validated: 1
declare
ERROR at line 1:
ORA-44422: nonschema XML disallowed for this column
ORA-06512: at line 10
You can see from my put_line statement that the XMLType object is reporting its schema URL correctly and thinks it's been validated. Changing the table to "ALLOW NONSCHEMA" allows the insert, but it inserts it as a non-schema-based document. Am I skipping a step here?
Thanks,
Jim
It might be a bug, but I am not yet sure...
See the following examples...
c:\>C:\oracle\product\11.1.0\db_1\bin\sqlplus.exe /nolog
SQL*Plus: Release 11.1.0.7.0 - Production on Mon Mar 23 22:14:41 2009
Copyright (c) 1982, 2008, Oracle. All rights reserved.
SQL> drop user otn cascade;
User dropped.
SQL> create user otn identified by otn;
User created.
SQL> grant xdbadmin, dba to otn;
Grant succeeded.
SQL> conn otn/otn
connected.
SQL> var schemaPath varchar2(256)
SQL> var schemaURL varchar2(256)
SQL>
SQL> begin
2 :schemaURL := 'http://localhost/schematest.xsd';
3 :schemaPath := '/public/schematest.xsd';
4 end;
5 /
PL/SQL procedure successfully completed.
SQL>
SQL> declare
2 res boolean;
3 xmlSchema xmlType := xmlType('<?xml version="1.0" encoding="Windows-1252"?>
4 <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
5 <xs:element name="FORMINFO">
6 <xs:complexType>
7 <xs:sequence>
8 <xs:element name="SUBJECT">
9 <xs:complexType>
10 <xs:sequence>
11 <xs:element name="ADDR">
12 <xs:complexType>
13 <xs:sequence>
14 <xs:element name="STREET" type="xs:string" />
15 <xs:element name="CITY" type="xs:string" />
16 <xs:element name="STATEPROV" type="xs:string" />
17 <xs:element name="ZIP" type="xs:string" />
18 </xs:sequence>
19 </xs:complexType>
20 </xs:element>
21 </xs:sequence>
22 </xs:complexType>
23 </xs:element>
24 </xs:sequence>
25 </xs:complexType>
26 </xs:element>
27 </xs:schema>');
28 begin
29 if (dbms_xdb.existsResource(:schemaPath)) then
30 dbms_xdb.deleteResource(:schemaPath);
31 end if;
32 res := dbms_xdb.createResource(:schemaPath,xmlSchema);
33 end;
34 /
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.
SQL> call dbms_xmlschema.deleteSchema(:schemaURL,4);
Call completed.
SQL> BEGIN
2 DBMS_XMLSCHEMA.registerSchema(
3 SCHEMAURL => :SchemaURL,
4 SCHEMADOC => xdbURIType(:SchemaPath).getClob(),
5 LOCAL => FALSE, -- local
6 GENTYPES => FALSE, -- generate object types
7 GENBEAN => FALSE, -- no java beans
8 GENTABLES => FALSE, -- generate object tables
9 OPTIONS => DBMS_XMLSCHEMA.REGISTER_BINARYXML,
10 OWNER => USER
11 );
12 END;
13 /
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.
SQL> var schemaDoc varchar2(256)
SQL>
SQL> begin
2 :schemaDoc := '/public/schematest.xml';
3 end;
4 /
PL/SQL procedure successfully completed.
SQL>
SQL> ----------------------------------------------------------
SQL>
SQL> -- Create an XML Document in the repository
SQL>
SQL> ----------------------------------------------------------
SQL>
SQL> declare
2 res boolean;
3 xmlDoc xmlType := xmlType('<?xml version="1.0" encoding="utf-8"?>
4 <FORMINFO>
5 <SUBJECT>
6 <ADDR>
7 <STREET>123 Main St</STREET>
8 <CITY>Las Vegas</CITY>
9 <STATEPROV>NV</STATEPROV>
10 <ZIP>12345</ZIP>
11 </ADDR>
12 </SUBJECT>
13 </FORMINFO>');
14 begin
15 if (dbms_xdb.existsResource(:schemaDoc)) then
16 dbms_xdb.deleteResource(:schemaDoc);
17 end if;
18 res := dbms_xdb.createResource(:schemaDoc,xmlDoc);
19 end;
20 /
PL/SQL procedure successfully completed.
SQL>
SQL> ----------------------------------------------------------
SQL>
SQL> -- Ready to test
SQL>
SQL> ----------------------------------------------------------
SQL>
SQL> select * from tab;
no rows selected
SQL> CREATE TABLE BINARYTEST OF XMLType
2 XMLTYPE STORE AS BINARY XML
3 ALLOW ANYSCHEMA;
Table created.
SQL> set long 100000
SQL> select dbms_metadata.get_ddl('TABLE','BINARYTEST',user) from dual;
DBMS_METADATA.GET_DDL('TABLE','BINARYTEST',USER)
CREATE TABLE "OTN"."BINARYTEST" OF "SYS"."XMLTYPE"
OIDINDEX ( PCTFREE 10 INITRANS 2 MAXTRANS 255
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS1 BUFFER_POOL DEFAULT)
TABLESPACE "USERS" )
PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT)
TABLESPACE "USERS"
XMLTYPE COLUMN OBJECT_VALUE STORE AS BASICFILE BINARY XML (
TABLESPACE "USERS" ENABLE STORAGE IN ROW CHUNK 8192 PCTVERSION 10
NOCACHE LOGGING
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
BUFFER_POOL DEFAULT))
DISALLOW NONSCHEMA
ALLOW ANYSCHEMA
1 row selected.
SQL> SET SERVEROUTPUT ON
SQL> declare
2 x XMLType;
3 xschema XMLType;
4 begin
5 x := XMLType(xdbUriType(:SchemaDoc).getClob());
6 xschema := x.CreateSchemaBasedXml('http://localhost/schematest.xsd');
7 xschema.SchemaValidate();
8 DBMS_OUTPUT.PUT_LINE('Schema: ' || xschema.GetSchemaURL() || ' Validated: ' || xschema.IsSchemaValidated());
9
10 INSERT INTO BINARYTEST
11 VALUES (xschema);
12 commit;
13 end;
14 /
Schema: http://localhost/schematest.xsd Validated: 1
declare
ERROR at line 1:
ORA-44422: nonschema XML disallowed for this column
ORA-06512: at line 10
-- ORA-44421: cannot DISALLOW NONSCHEMA without a SCHEMA clause
-- Cause: If no SCHEMA clause (explicit schema or ANYSCHEMA) was specified, nonschema data cannot be disallowed.
-- Action: Remove DISALLOW NONSCHEMA or add some SCHEMA clause.
SQL> drop table binarytest;
Table dropped.
SQL> CREATE TABLE BINARYTEST OF XMLType
2 XMLTYPE STORE AS BINARY XML
3 ALLOW NONSCHEMA;
Table created.
SQL> select dbms_metadata.get_ddl('TABLE','BINARYTEST',user) from dual;
DBMS_METADATA.GET_DDL('TABLE','BINARYTEST',USER)
CREATE TABLE "OTN"."BINARYTEST" OF "SYS"."XMLTYPE"
OIDINDEX ( PCTFREE 10 INITRANS 2 MAXTRANS 255
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT)
TABLESPACE "USERS" )
PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT)
TABLESPACE "USERS"
XMLTYPE COLUMN OBJECT_VALUE STORE AS BASICFILE BINARY XML (
TABLESPACE "USERS" ENABLE STORAGE IN ROW CHUNK 8192 PCTVERSION 10
NOCACHE LOGGING
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
BUFFER_POOL DEFAULT))
ALLOW NONSCHEMA
DISALLOW ANYSCHEMA
1 row selected.
SQL> declare
2 x XMLType;
3 xschema XMLType;
4 begin
5 x := XMLType(xdbUriType(:SchemaDoc).getClob());
6 xschema := x.CreateSchemaBasedXml('http://localhost/schematest.xsd');
7 xschema.SchemaValidate();
8 DBMS_OUTPUT.PUT_LINE('Schema: ' || xschema.GetSchemaURL() || ' Validated: ' || xschema.IsSchemaValidated());
9
10 INSERT INTO BINARYTEST
11 VALUES (xschema);
12 commit;
13 end;
14 /
Schema: http://localhost/schematest.xsd Validated: 1
PL/SQL procedure successfully completed.
SQL> select * from binarytest;
SYS_NC_ROWINFO$
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
1 row selected.
SQL> SET SERVEROUTPUT ON
SQL> declare
2 x XMLType;
3 xschema XMLType;
4 begin
5 x := XMLType(xdbUriType(:SchemaDoc).getClob());
6
7 dbms_output.put_line(x.getstringval());
8
9 xschema := x.CreateSchemaBasedXml('http://localhost/schematest.xsd');
10
11 dbms_output.put_line(xschema.getstringval());
12
13 xschema.SchemaValidate();
14 DBMS_OUTPUT.PUT_LINE('Schema: ' || xschema.GetSchemaURL() || ' Validated: ' || xschema.IsSchemaValidated());
15
16 INSERT INTO BINARYTEST
17 VALUES (xschema);
18 commit;
19 end;
20 /
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
Schema: http://localhost/schematest.xsd Validated: 1
PL/SQL procedure successfully completed.
SQL> create table ORtest of xmltype
2 xmlschema "http://localhost/schematest.xsd" element "FORMINFO"
3 ;
Table created.
SQL> declare
2 x XMLType;
3 xschema XMLType;
4 begin
5 x := XMLType(xdbUriType(:SchemaDoc).getClob());
6
7 dbms_output.put_line(x.getstringval());
8
9 xschema := x.CreateSchemaBasedXml('http://localhost/schematest.xsd');
10
11 dbms_output.put_line(xschema.getstringval());
12
13 xschema.SchemaValidate();
14 DBMS_OUTPUT.PUT_LINE('Schema: ' || xschema.GetSchemaURL() || ' Validated: ' || xschema.IsSchemaValid());
15
16 INSERT INTO ORTEST
17 VALUES (xschema);
18 commit;
19 end;
20 /
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
Schema: http://localhost/schematest.xsd Validated: 1
PL/SQL procedure successfully completed.
SQL> declare
2 x XMLType;
3 xschema XMLType;
4 begin
5 x := XMLType(xdbUriType(:SchemaDoc).getClob());
6
7 dbms_output.put_line(x.getstringval());
8
9 xschema := x.CreateSchemaBasedXml('http://localhost/schematest.xsd');
10
11 dbms_output.put_line(xschema.getstringval());
12
13 xschema.SchemaValidate();
14 DBMS_OUTPUT.PUT_LINE('Schema: ' || xschema.GetSchemaURL() || ' Validated: ' || xschema.IsSchemaValid());
15
16 INSERT INTO BIN_ONE_SCHEMA
17 VALUES (xschema);
18 commit;
19 end;
20 /
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
</ADDR>
</SUBJECT>
</FORMINFO>
Schema: http://localhost/schematest.xsd Validated: 1
PL/SQL procedure successfully completed.
SQL> ----------------------------------------------------------
SQL>
SQL> -- Create an XML Document in the repository
SQL>
SQL> ----------------------------------------------------------
SQL>
SQL> declare
2 res boolean;
3 xmlDoc xmlType := xmlType('<?xml version="1.0" encoding="utf-8"?>
4 <FORMINFO>
5 <SUBJECT>
6 <ADDR>
7 <STREET>123 Main St</STREET>
8 <CITY>Las Vegas</CITY>
9 <STATEPROV>NV</STATEPROV>
10 <ZIP>12345</ZIP>
11 <ONE_TO_MANY>say what?</ONE_TO_MANY>
12 </ADDR>
13 </SUBJECT>
14 </FORMINFO>');
15 begin
16 if (dbms_xdb.existsResource(:schemaDoc)) then
17 dbms_xdb.deleteResource(:schemaDoc);
18 end if;
19 res := dbms_xdb.createResource(:schemaDoc,xmlDoc);
20 end;
21 /
PL/SQL procedure successfully completed.
SQL> declare
2 x XMLType;
3 xschema XMLType;
4 begin
5 x := XMLType(xdbUriType(:SchemaDoc).getClob());
6
7 dbms_output.put_line(x.getstringval());
8
9 xschema := x.CreateSchemaBasedXml('http://localhost/schematest.xsd');
10
11 dbms_output.put_line(xschema.getstringval());
12
13 xschema.SchemaValidate();
14 DBMS_OUTPUT.PUT_LINE('Schema: ' || xschema.GetSchemaURL() || ' Validated: ' || xschema.IsSchemaValid());
15
16 INSERT INTO BIN_ONE_SCHEMA
17 VALUES (xschema);
18 commit;
19 end;
20 /
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
<ONE_TO_MANY>say what?</ONE_TO_MANY>
</ADDR>
</SUBJECT>
</FORMINFO>
<?xml version="1.0" encoding="UTF-8"?>
<FORMINFO>
<SUBJECT>
<ADDR>
<STREET>123 Main St</STREET>
<CITY>Las Vegas</CITY>
<STATEPROV>NV</STATEPROV>
<ZIP>12345</ZIP>
<ONE_TO_MANY>say what?</ONE_TO_MANY>
</ADDR>
</SUBJECT>
</FORMINFO>
declare
ERROR at line 1:
ORA-31154: invalid XML document
ORA-19202: Error occurred in XML processing
LSX-00213: only 0 occurrences of particle "ADDR", minimum is 1
ORA-06512: at "SYS.XMLTYPE", line 354
ORA-06512: at line 13
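As an added example (not part of the transcript above), the validate-then-insert sequence from the transcript wrapped in a PL/SQL function, so that a document like the last one, which carries an element the schema does not allow, is refused with a NULL result instead of an unhandled ORA-31154 raised from inside the INSERT. It assumes the schema is registered under http://localhost/schematest.xsd and that BINARYTEST exists as recreated above (ALLOW NONSCHEMA); the function name schema_validated and the two constructed documents are mine.

```sql
-- Added example, not part of the original transcript. Assumes the schema is
-- registered under http://localhost/schematest.xsd and that BINARYTEST exists
-- as recreated above (ALLOW NONSCHEMA). schema_validated is an assumed name.
create or replace function schema_validated (
  p_doc        in xmltype,
  p_schema_url in varchar2
) return xmltype
is
  e_invalid_xml exception;
  pragma exception_init(e_invalid_xml, -31154);   -- ORA-31154: invalid XML document
  l_doc xmltype;
begin
  -- Binding to the schema does not validate; schemaValidate does, and raises
  -- ORA-31154 (with the LSX-nnnnn detail) on the first violation it finds.
  l_doc := p_doc.createSchemaBasedXml(p_schema_url);
  l_doc.schemaValidate();
  return l_doc;        -- isSchemaValidated() on this copy is now 1
exception
  when e_invalid_xml then
    return null;       -- the caller decides what to do with a rejected document
end schema_validated;
/

-- Usage: validate first, store only what passed. Both documents are constructed
-- here; the second carries the extra ONE_TO_MANY element that failed above.
declare
  c_schema constant varchar2(100) := 'http://localhost/schematest.xsd';
  l_good xmltype := xmltype('<FORMINFO><SUBJECT><ADDR>' ||
    '<STREET>123 Main St</STREET><CITY>Las Vegas</CITY>' ||
    '<STATEPROV>NV</STATEPROV><ZIP>12345</ZIP>' ||
    '</ADDR></SUBJECT></FORMINFO>');
  l_bad  xmltype := xmltype('<FORMINFO><SUBJECT><ADDR>' ||
    '<STREET>123 Main St</STREET><CITY>Las Vegas</CITY>' ||
    '<STATEPROV>NV</STATEPROV><ZIP>12345</ZIP>' ||
    '<ONE_TO_MANY>say what?</ONE_TO_MANY>' ||
    '</ADDR></SUBJECT></FORMINFO>');

  procedure store_if_valid (p_label in varchar2, p_doc in xmltype) is
    l_valid xmltype;
  begin
    l_valid := schema_validated(p_doc, c_schema);
    if l_valid is null then
      dbms_output.put_line(p_label || ': rejected by schema, not stored');
    else
      insert into binarytest values (l_valid);
      dbms_output.put_line(p_label || ': stored, IsSchemaValidated=' ||
                           l_valid.isSchemaValidated());
    end if;
  end store_if_valid;
begin
  store_if_valid('good', l_good);
  store_if_valid('bad',  l_bad);
  commit;
end;
/
```

Two things the transcript shows that this wrapper does not change: the first BINARYTEST definition (DISALLOW NONSCHEMA, ALLOW ANYSCHEMA) rejected even a validated document with ORA-44422, so the column's storage options are a separate check from schema validity; and the exception handler deliberately catches only ORA-31154, so a missing schema registration or a malformed URL still surfaces as its own error rather than being swallowed as "invalid".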
-
Hi, I'm using a custom authentication scheme (SSO) with the ntlm_page_sentry function.
I've an authorization scheme "Admin control" like this:
declare
  v_role varchar2(55);
begin
  -- look up the role stored for the current APEX user
  select role into v_role from user_roles where lower(userid) = lower(:APP_USER);
  if v_role = 'ADMIN' then
    return true;
  else
    return false;
  end if;
exception
  when NO_DATA_FOUND then return false;   -- no row for this user: deny
end;
In a login page (page 101) I've a process like this, with process point "On Load - Before Header":
declare
  v_role     varchar2(55);
  v_nextpage number;
begin
  -- map the network user's stored role to its landing page
  select upper(role) into v_role from sales_inq.user_roles where lower(userid) = lower(:APP_USER);
  case v_role
    when 'ADMIN' then v_nextpage := 9;
    when 'EDIT'  then v_nextpage := 1;
    when 'VIEW'  then v_nextpage := 2;
    -- a role other than these three raises CASE_NOT_FOUND (ORA-06592), which the handler below does not catch
  end case;
  owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
exception
  when NO_DATA_FOUND then
    -- no role row for this user: send them back to page 101
    owa_util.redirect_url('f?p=' || :APP_ID || ':101');
end;
I've assigned the "Admin control" authorization scheme to page 9 and changed authentication to "Page Requires Authentication".
After logging into my system through a network ID which is assigned to the ADMIN role, when I run the login page (101) I'm unable to access page 9. Can't I test this in standalone mode in the dev instance? For example: my userid is in the user_role table with a role of admin, so why can't I see that page?
Thanks,
Mahender.
Edited by: user518071 on Oct 8, 2009 12:44 PM
Hi Scott,
How does the login page get invoked?
I'm trying to implement this authorization scheme for the first time for this UI.
Previous scenario: the user needs to log in, so the login page will be displayed automatically.
Current scenario: the user comes to the login screen, which is a dummy page without any items or regions, and I've created a process (the On Load - Before Header process code mentioned above) which will check the network user's role and branch to the corresponding page.
Why is there a login page if you have an sso facility?
There is no login page as such, but it's a common intermediary page for all users which is not displayed but automatically redirects to their corresponding page based on the process (the On Load - Before Header process code mentioned above).
Is there a login page designated as the Session Not Valid Page in the authentication scheme?
No
Or let me know how we can do this?
I've three roles for users: admin, edit, view, and they're stored in the user_roles table. A user with role view can access only his page, a user with edit can access all view pages as well as his pages, and admin can access all pages. The next issue is how to test this without using Active Directory in the dev instance, by adding security to the corresponding pages (e.g. Admin control, Page Requires Authentication).
Thanks,
Mahender.
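An added example, not code from the post above, of the same role check written so that the hierarchy the poster describes (admin covers edit, edit covers view) lives in one place, and so that an unknown user, an unknown stored role or a misspelt required role is denied rather than raising CASE_NOT_FOUND or failing open. The table name app_user_roles, the function names and the numeric ranks are my assumptions; :APP_USER is the APEX built-in for the authenticated user.

```sql
-- Added example, not code from the post above. The table name app_user_roles,
-- the function names and the numeric ranks are assumptions; :APP_USER is the
-- APEX built-in for the authenticated user.
create table app_user_roles (
  userid varchar2(255) not null,
  role   varchar2(10)  not null
         constraint app_user_roles_role_ck check (role in ('ADMIN', 'EDIT', 'VIEW')),
  constraint app_user_roles_pk primary key (userid)   -- one role per user, so SELECT INTO is safe
);

-- Single place that defines the ordering admin > edit > view.
-- Anything else, including NULL, ranks 0 and therefore never grants access.
create or replace function role_rank (p_role in varchar2) return pls_integer is
begin
  return case upper(p_role)
           when 'ADMIN' then 3
           when 'EDIT'  then 2
           when 'VIEW'  then 1
           else 0
         end;
end role_rank;
/

-- True when the stored role of p_user is at least p_required_role.
-- Fails closed: unknown user, unknown stored role or unknown required role all
-- yield FALSE, and no exception escapes to the APEX engine.
create or replace function has_role (
  p_user          in varchar2,
  p_required_role in varchar2
) return boolean is
  l_role app_user_roles.role%type;
begin
  if role_rank(p_required_role) = 0 then
    return false;   -- a misspelt required role must not open every page
  end if;
  select role
    into l_role
    from app_user_roles
   where userid = upper(p_user);   -- userids stored upper-cased; no lower() on the column
  return role_rank(l_role) >= role_rank(p_required_role);
exception
  when no_data_found then
    return false;
end has_role;
/

-- Authorization scheme "Admin control" (type "PL/SQL Function Returning Boolean")
-- then reduces to:
--   begin return has_role(:APP_USER, 'ADMIN'); end;
-- and a scheme for the edit pages to:
--   begin return has_role(:APP_USER, 'EDIT'); end;

-- Check outside APEX with constructed rows (SET SERVEROUTPUT ON first).
declare
  procedure show (p_user in varchar2, p_need in varchar2) is
  begin
    dbms_output.put_line(rpad(p_user, 8) || ' needs ' || rpad(p_need, 6) || ': ' ||
      case when has_role(p_user, p_need) then 'allowed' else 'denied' end);
  end show;
begin
  insert into app_user_roles (userid, role) values ('ALICE', 'ADMIN');
  insert into app_user_roles (userid, role) values ('BOB',   'EDIT');
  insert into app_user_roles (userid, role) values ('CAROL', 'VIEW');

  show('alice', 'ADMIN');   -- stored role equals required role
  show('bob',   'ADMIN');   -- required role above the stored one
  show('bob',   'VIEW');    -- required role below the stored one
  show('carol', 'EDIT');    -- lowest role asking for a higher one
  show('dave',  'VIEW');    -- no row for this user at all
  show('alice', 'ROOT');    -- required role that does not exist

  rollback;                 -- test rows only
end;
/
```

Two APEX behaviours worth keeping in mind when testing this: an authorization scheme is evaluated once per session by default and the result is cached, so a role changed in the table is not seen until the user logs out and back in (or the scheme's evaluation point is changed to once per page view); and "Page Requires Authentication" is a separate, earlier check, so a page protected only by it is still reachable by any authenticated user unless the authorization scheme is also attached to that page.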