Authorization schemes & verifing roles
Hi,
I'm having a hard time understanding how to use authorization schemes. My users log in as Oracle users. Each user is assigned to a role (with specific privileges granted to each type of role). I found that the privileges were not being enforced in the application according to the roles assigned to each user. From what I understand, this is because the SQL is being parsed according to the schema owner, not the individual user. So let's say for example I want to have a Create button only appear on a page if the user is assigned to role A or role B. Do I need to use an authorization scheme for this, or do I perform a query to determine the type of role the user is assigned to, and based on the result, conditionally show the button? I know there are lots of postings on authorization schemes in this forum (and I have read the Help manual), but I still do not understand how to get this working. Thank you.
....later same day...<br><br>
I've been reading/researching all day and it seems like I need to either a) make a table that defines user/role or b) query the database for the role assigned to this user (which I would have to do in choice a also) and then assign it as an application item. I tried option b, by creating an item on page 1 in my application, using this query: <br><br><b>
SELECT granted_role
FROM dba_role_privs
WHERE grantee = :APP_USER;
<br><br></b>
But I am getting this Oracle error message:<b><br>
ORA-00942: table or view does not exist<br>
Error ERR-1019 Error computing item default value: page=1 name=P1_ROLE.</b>
<br><br>
How can I query the dba_role_privs table from within Application Express?
Do I need to GRANT SELECT priviliges to the schema owner to access this table?
Similar Messages
-
WSUS Role on Server 2012 R2 fails - SQL Server Error "Schema Verification Failed SUSDB"
Server is Windows Server 2012R2
After installing the WSUS role with WID, when running the post installation task it installs the SUSDB in single user mode, runs all its scripts but then when it tries to set it it MULTI mode it fails with the error:
Schema Verification Failed SUSDB
If I log onto SQL Management Studio and try to set the database SUSDB to MULTI user mode manually it fails with the same error.
Detaching, deleting the susdb.mdf and .ldf files and re-running the post-installation task fails on the same error.
Uninstalling the WSUS and WID roles, deleting the C:\Windows\WID folder and reinstalling everything once again gives the same error during post installation.
Seems like a nasty bug.
Does anyone have any ideas? Perhaps there is a way to debug "Schema Verification Failed" errors in SQL Server?Hi,
If the WID can't access "C:\Windows\WID\Binn\DBVerify\SUSDBVerify.dll", this issue may occur.
Please change the account of WID to local system account in services.msc, then restart the WID service.
Then try to start the post-install again.
If issue persists, please check the detailed information of WID log.
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Authorization Scheme problem using query
Greetings:
I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
The three created authorization schemes are as follows.
My first scheme (set as scheme type: exists SQL Query):
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
APP_GROUP_TYPE != 'READ_ONLY'
This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
My Second scheme (set as scheme type: exists SQL Query):
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
(APP_GROUP_TYPE != 'READ_ONLY'
and
APP_GROUP_TYPE != 'transactional')
The second one, I have added the transactional group as to be explicitly negated access.
My Third scheme
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
(APP_GROUP_TYPE != 'READ_ONLY'
AND
APP_GROUP_TYPE != 'transactional'
AND
APP_GROUP_TYPE != 'general')
the last one, I have added the general group as to be explicitly negated access.
I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
Thanks for your support. Maybe this can help someone on the forums out. -
Page Authorization Scheme OK button not working
Hi All,
I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the route of my problem, and is there any way around this when using Popup windows?
Thanks,
MikeScott,
Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
"The basic question is why would you ever show a link to a forbidden page to the user?"
The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
Thanks,
Mike -
Hi I'm using custom authenitication scheme sso with ntlm_page_sentry function.
I've an authorization scheme 'Admin control" like this :
declare
v_role varchar2(55);
begin
select role into v_role from user_roles where lower(userid) = lower(:APP_USER);
if v_role = 'ADMIN' then
return true;
else
return false;
end if;
exception
when NO_DATA_FOUND then return false;
end;
In a login page(page:101) :I've a process like this with process point as onload before header:
declare
v_role varchar2(55);
v_nextpage number;
begin
select upper(role) into v_role from sales_inq.user_roles where lower(userid) = lower(:APP_USER);
case v_role
when 'ADMIN' then v_nextpage := 9;
when 'EDIT' then v_nextpage := 1;
when 'VIEW' then v_nextpage := 2;
end case;
owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
exception
when NO_DATA_FOUND then
owa_util.redirect_url('f?p=' || :APP_ID || ':101');
end;
I've assigned "admin control" authorization scheme to page9 and changed authentication to "page requires authentication"
After loginto my system through networkid which is assigned to ADMIN role when I run login page(101) I'm unable to access page 9.Can't I test this in standalone mode in dev instance?For ex:my userid is in user_role table with a role of admin why I can't see that page?
Thanks,
Mahender.
Edited by: user518071 on Oct 8, 2009 12:44 PMHi Scott,
How does the login page get invoked?
I'm trying to implement this authorization scheme for the first time for this UI.
Previous scenario:User needs to login so login page will be displayed automatically
Current scenario:User comes to login screen which is a dummy page without any items or regions and I've created process (on load before header process code mentioned above)which will check the network user's role and branch to corresponding page
Why is there a login page if you have an sso facility?
There is no login page as such but it's common intermediary page for all users which is not displayed but automatically directed to their corresponding page based on the process (on load before header process code mentioned above)
Is there a login page designated as the Session Not Valid Page in the authentication scheme?
No
or let me know how we can do this ?
I've three roles for users :admin,edit,view and it's stored in user_roles table,user with role view can access only his page and user with edit can access all view pages as well as his pages,admin can access all pages.Then next issue is how to test this without using active directory in dev instance by adding security to corresponding pages(ex:admin control,page requires authentication)
Thanks,
Mahender. -
Authorization scheme for display/read only conditions on item level
Hi All,
I have question. I want to use an authorization scheme to manage if users with a certain role have the permission to either update an item or have the persmission to only see the item or that they don't have permission to see it at all.
So, the input for the scheme would be: 1. user role 2. the current page 3. the current item.
The output would be: 0 (update) 1 (read only) 2 (not displayed).
I think I can manage that.
And I can attach this schema to the items.
So far so good.
But how can I make it so that the 0,1 and the 2 will actually do what they need to do?
I have been thinking about making a function like GET_AUTHORISATON(ROLE,PAGE,ITEM) output: 0,1,2 but I still can't figure out how to connect this with the functionality I want to achieve.
Can somebody give me a hint?
AndreThanks Hari,
Thanks, it works, almost, but what if items are mandatory on a page, but not always mandatory?
If a user has a certain role, some fields are manadatory, otherwise not.
Again, a function would do the trick as far as the input and output information
something like IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) but how can I make it work?
I guess a PL/SQL validation like:
IF IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) THEN ITEM IS NOT NULL
END IF;
Andre
PS: personally I think item level security is not something you wish to implement in your system. I prefer different screens for different roles.
Far more straightforeward. Easy for maintenance. When something disfunctions, it's far more easy to pinpoint the location of the cause. -
Trying to use authorization schema but getting ORA-00907: missing right par
Hi,
I am fairly new to HMTLDB. I am busy going through the Issue Tracker Tutorial. I am on the last part of Tutorial. This part involves authorizing a user based on their roles in the company.
I now keep getting the following when I load my pages
ORA-00907: missing right parenthesis
Error ERR-1082 Error in executing authorization scheme code.
How do I go about debugging this error not sure where to start?if this helps I am using this PDF
http://www.oracle.com/technology/products/database/application_express/pdf/issue_tracking_tutorial_1.6_0.pdf
if you open the PDF file I am stuck on page 72-74. The page I am trying to open while i am logged on as FUNKYMONKEY is Page 4 which is in the documentation -
Authorization Scheme vs. "Authorization Scheme"
Hi,
I've just completed building four Authorization Schemes for my app; is_admin, is_pm, is_user, is_read mapping to my concept of roles for admin, pm, user and read-only. Pretty self-explanatory and I set them up across my app so they could perform their various duties. For example, I have a page that all four roles can view, but each role sees a subset of the entire page. Most of what gets hidden as you go down the line of authorization are buttons to add/edit/delete content and some small regions of specialized content.
Each scheme calls a function which in turns make a query to get the appropriate result. So for my main page there are 24 checks to see if the current user has the rights to view certain things. 24? Wow!
So I started thinking (and searching this blog) to find a better way to do that. I didn't really come up with a "better way" but I did have an idea that I'm sure isn't new. I create four sessions variables and set their values ahead of time using the Authorization Scheme code and I'm good to go! Right?
So, some questions:
1. Do I create these variables as Items on a page 0?
2. Are these region level items or page level items?
3. Is my original way of using the Authorization Schemes the right way to do what I'm doing?
Thanks in advance for any advice here!
Cheers,
JonJon,
I assume you have a 'employee' table which has columns
username varchar2(50);
emp_role varchar2(1);
Take emp_role as say,'A' for admin,'M' for pm,'U' for user etc...So each user will have a role associated to him.
So you can define the authorization schemes in the application's shared components as
AUTH_PM ->scheme type :Exists sql query ->Evaluation point ->once per page view
select 1 from employee where username = lower(:app_user) and emp_role ='M'
AUTH_ADMIN->scheme type :Exists sql query ->Evaluation point ->once per page view
select 1 from employee where username = lower(:app_user) and emp_role ='A'
AUTH_AD_PM->scheme type :Exists sql query ->Evaluation point ->once per page view
select 1 from employee where username = lower(:app_user) and emp_role in ('A','M) ......etc for all the combinations you are looking for.
Now,AUTH_PM on "delete" button will allow only the users with pm roles only to view the delete button.
Similarly,AUTH_AD_PM on a region will make the region visible to the users with pm and admin roles only.
Thanks,
Anandi -
Hi all,
I have implemented ACL authorization (Restricted only), and have just created a new ACL scheme in my app is the name of "Registration" same copy of EDIT scheme, I have set following users with these roles:
USERS with roles
=============
1. Admin with Administrator.
2. Guest with Registration.
3. Frank with Edit.
I have create a Navigation List entries (for redirection) on my home page with following entries with restricted roles:
Navigation List :
============
Administration (for Administrator only ) assigned 'ADMIN' role
New Registration (for 1 time user registration) assigned 'REGISTRATION' role
Student Schedule (for existing users) assigned 'EDIT' role
Student Semester Result (for existing users) assigned 'EDIT' role
Student Attendance (for existing users) assigned 'EDIT' role
Problem:
========
When I set REGIS role to guest user , all entries of navigation list ( i mentioned above) except Administration Entry are shown on this page.
I want to restrict guest user, who can only see Registration Link only. How can I do this ??
help me out
waiting for your prompt reply
regards n thanks
qamarThanks for your reply scott, at least someone is there to understand it :).
Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
I had created a simple HTML page and created a Navigation List on it.
there are 5 list entries on this page .
1. Administration
2. New User Registration.
3. Student schedule.
4. Student results
5. Student attendance.
-Administration
(assigned ADMIN , so only administrator can see this link and all the entries)
-New User Registration
(only guest user with REGIS role can see this link)
-3,4,5
(only registered users with EDIT role can see these links)
I have set these authorization in every list entry with authorization schemes mentioned above.
Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
I hope now you can understand clearly what I am trying to say and understand it.
Hoping for your prompt reply.
regards
qamarsyed -
Authorization scheme (using {not} Scheme)
I have build a change password page and every user, except user with a Guest role (= GUEST SCHEME) have access to that page.
I defined a scheme GUEST for users with the GUEST role. When I define the page with Authorization scheme {not}GUEST this isn't working everyone has access to the page, also the guest users.
am I misunderstanding the {not}scheme choice or is something else wrong.
Fred.Fred,
I have solved it with the work around I mentioned before:I read what you said very carefully but thought it reckless to conclude that the workaround was successful because you just said "To work around the problem, I did xyz" without indicating the outcome.
The authorization schemes on navigation tabs fire also on the default login pageYes they do, they fire on every page whether or not the page template accommodates a navigation bar. This looks like a bug to me.
Is there a "authorization scheme report" which shows all the objects where the authorization scheme is defined.Shared Components > Authorization Schemes > Utilization (slightly different in each version).
Scott -
Authorization scheme methods/techniques
Hi all,
I'm currently using the Authorization Scheme that came with the Build a Menu Framework Application. Unfortunately, it doesn't work the way I want it to.
Can someone share any other techniques on how to set up a authorization scheme. My application has users divided in different roles where some pages are accessible by 1 role then other pages by another role.
Any suggestions will be appreciated.
Thanks and Regards,
AllenHi,
Let me give you my thoughts on this thread.
You need to be very careful about the use of the term Authentication and Authorization.
Authentication deals with making sure the user is who they say they are (normally by requesting a password).
Authorization deals with making sure a user can only do what they are allowed to do.
For Authentication you have a number of options. If none of the standard ApEx Authentication schemes work for you then you can create your own:
Create a database function that accepts a username and a password and returns TRUE or FALSE. For testing our applications we use a very simple function:
create or replace function "TESTING_SIGNON_FNC"
(p_username in VARCHAR2,
p_password in VARCHAR2)
return BOOLEAN
is
CURSOR c_valid_password
IS
SELECT 1 FROM DUAL
WHERE UPPER(p_username) = UPPER(p_password);
l_valid_password NUMBER;
BEGIN
OPEN c_valid_password;
FETCH c_valid_password INTO l_valid_password;
IF c_valid_password%FOUND THEN
CLOSE c_valid_password;
RETURN TRUE;
END IF;
CLOSE c_valid_password;
RETURN FALSE;
END;
Change the select to use whatever method you like.
Then Create an Authentization Scheme with an 'Authentication Function' of 'return TESTING_SIGNON_FNC;'
For Authorization you need to decide how you will control who can do what and how you maintain this. In our applications we need users (Administrators) of the application to be able to grant / revoke access to certain areas via the application UI.
The solution we have developed has five database tables:
SEC_PERSON
SEC_ROLES
SEC_FUNCTIONS
SEC_ROLE_FUNCTIONS
SEC_PERSON_ROLES
SEC_PERSON holds the Person Details
SEC_FUNCTIONS has the functions that we want to be able to grant ('create project' for instance)
SEC_ROLES has the roles that we want to be able to Grant to people ('Project Manager' for instance)
SEC_ROLE_FUNCTIONS has the functions assigned to a Role ('Project Manager' can 'Create Project')
SEC_PERSON_ROLES has the roles a person has ('Fred' is a 'Project Manager')
We have pages on each table to allow users to maintain the data.
In ApEx we then define Authorization Schemes for each function we want to control:
TPA-PRJ-PRJ-FED (TPA Application - Projects - Project Control - Full Edit) with the following SQL:
select
1
from
sec_person p,
sec_person_roles pr,
sec_roles r,
sec_role_functions rf,
sec_functions f
where
f.function_code = 'TPA-PRJ-PRJ-FED'
and
p.person_id = pr.person_id and
pr.role_id = r.role_id and
r.role_id = rf.role_id and
rf.function_id = f.function_id and
p.delete_flag = 'N' and
pr.delete_flag = 'N' and
r.delete_flag = 'N' and
rf.delete_flag = 'N' and
r.delete_flag = 'N' and
sysdate between p.start_date and nvl(p.end_date,sysdate) and
sysdate between pr.start_date and nvl(pr.end_date,sysdate) and
sysdate between r.start_date and nvl(r.end_date,sysdate) and
sysdate between rf.start_date and nvl(rf.end_date,sysdate) and
sysdate between f.start_date and nvl(f.end_date,sysdate) and
p.username = :APP_USER
This Authorization scheme can then be applied to Tabs, Pages, Buttons, Columns etc. as required.
Difficult to explain all this without pictures but I hope this helps.
Martin -
Parameters to authorization schemes
I apologize for the fact that this question is so so so like a number of others..
I want to build an application that allows for a half a dozen or so different roles and that easily allows roles to be added. An individual page or component may allow access to a subset of these roles. To allow any combination of roles to be specified would seem to require the creation of 64 authorization schemes. A number which doubles for every additional role created.
I appreciate that in practice I will only need to create authorization schemes for those combinations I actually use but this does nevertheless seem rather cumbersome. An authorization scheme can easily determine the user and the current page but can it determine the component that is being authorized? If it could I might be able to build a drive table and have a single authorization scheme that did a lookup. If only I could just pass an argument to the authorization scheme...
Any advice welcomeI took a somewhat different approach. I also needed to provide a menu of applications that a given person could access, and I needed to accomodate a number of existing authorization techniques already in use in my pre-APEX world. Most of these use Oracle Roles, but in some cases more complex, task specific PL/SQL functions.
I stepped outside of the APEX world and built a table of applications (that tie back into the apex application world), and each of my apex applications call the same authentication function:
begin
return apex_registry_maint.validate;
end;
Which really looks like:
function Validate
return boolean
is
app_id number;
uname varchar2(32);
app_page_id number;
begin
app_page_id := v('APP_PAGE_ID');
app_id := v('APP_ID');
if app_page_id = 101 then return true; end if;
uname := v('APP_USER');
return check_access(app_id, uname);
end Validate;
This essentially lets me call my authorization function with parameters such as the application id and page number, but still live "outside" of the APEX space.
The full package can be seen at:
http://www.rpi.edu/campus/rpi/simon/misc/Tables/SIMON_APEX.APEX_REGISTRY_MAINT.html
(I have 15 years of legacy applications I am moving into APEX, lots of history and inexperience with APEX are driving this approach. I am not claiming it to be a good approach, just one that works for me) -
Order of evaluation - Authorization scheme or application computation
APEX 4.2.2
A page has a Evaluate for every page view authorizaton scheme of the type Value of item in Expression 1 = Expression 2 with Expression 1=G_ITEM and Expression 2=1. G_ITEM is set using a Before-Header application computation conditioned to fire when G_ITEM is null.
What I see is that the authorization scheme always returns false and the page is not rendered. Inspecting wwv_flow_data shows that G_ITEM is not there. So it would appear that the authorization scheme is evaluated before the application computation and since it returns false, the engine stops.
Does that sound right? Is this order of evaluation of components documented anywhere? There is a Utilities > Page Events screen but that doesn't include Authorization schemes.
ThanksHi Christian - I am referring to a page-level authorization scheme set to be evaluated For each page view
Here are some more details...the application has only one UI (Desktop) and Application XX > User Interfaces > User Interface Details > Home URL is set to f?p=&APP_ID.:30:&SESSION.
When I launch the app using f?p=181::::LEVEL9 this is what I get in apex_debug_messages
init cgi_var_name.count=>29
CGI: PATH_INFO = /f
HTTP://xxx/pls/xxx
QUERY_STRING=p=181::::LEVEL9
REQUEST_METHOD=GET
REMOTE_ADDR=xx.xx.xx.xx
REMOTE_USER=foobar
APEX_LISTENER_VERSION=
REFERER=
Cookies:
S H O W: application="181" page="" workspace="" request="" session=""
Reset NLS settings
alter session set NLS_LANGUAGE="AMERICAN"
alter session set NLS_TERRITORY="AMERICA"
alter session set NLS_CALENDAR="GREGORIAN"
alter session set NLS_SORT="BINARY"
alter session set NLS_COMP="BINARY"
...NLS: Set Decimal separator="."
...NLS: Set NLS Group separator=","
...NLS: Set g_nls_date_format="DD-MON-RR"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
no characterset conversion needed
...Setting session time_zone to -04:00
reset_nls_environment
reset
reset
Processing page view with session ID = 0
fetch_flow_info
set_html_escaping_mode p_mode=>E
Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
alter session set nls_language="AMERICAN"
alter session set nls_territory="AMERICA"
NLS: CSV charset=WE8MSWIN1252
...NLS: Set Decimal separator="."
...NLS: Set NLS Group separator=","
...NLS: Set g_nls_date_format="DD-MON-RR"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
...NLS: Set g_nls_date_format="mm/dd/yyyy"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
NLS: Language=en-us
fetch_flow_info
set_html_escaping_mode p_mode=>E
Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
authenticate_and_init_session p_app_id=>181
fetch_flow_info
set_html_escaping_mode p_mode=>E
set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
detect_user_interface p_application_id=>181
... "Desktop" is the only UI - no autodetection necessary
... setting ui to "DESKTOP"
... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
... page is public:null
Authentication check: Login (NATIVE_CUSTOM)
... no page specified: failure
...fetch session state from database
get_current
... DOES NOT EXIST - ignore
fetch items (exact)
Redirecting to f?p=181:30:
Stop APEX Engine detected
Final commit
I am not sure why the engine stops rendering but I get the Access denied by Page security check error on the screen
Next experiment...launch f?p=181:30:::LEVEL9:
That gets me the following debug stack
init cgi_var_name.count=>28
CGI: PATH_INFO = /f
HTTP://xxx/pls/xxx.xx
QUERY_STRING=p=181:30:::LEVEL9:
REQUEST_METHOD=GET
REMOTE_ADDR=xx.xx.xx.xx
REMOTE_USER=foobar
APEX_LISTENER_VERSION=
REFERER=
Cookies:
S H O W: application="181" page="30" workspace="" request="" session=""
Reset NLS settings
alter session set NLS_LANGUAGE="AMERICAN"
alter session set NLS_TERRITORY="AMERICA"
alter session set NLS_CALENDAR="GREGORIAN"
alter session set NLS_SORT="BINARY"
alter session set NLS_COMP="BINARY"
...NLS: Set Decimal separator="."
...NLS: Set NLS Group separator=","
...NLS: Set g_nls_date_format="DD-MON-RR"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
no characterset conversion needed
...Setting session time_zone to -04:00
reset_nls_environment
reset
reset
Processing page view with session ID = 0
fetch_flow_info
set_html_escaping_mode p_mode=>E
Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
alter session set nls_language="AMERICAN"
alter session set nls_territory="AMERICA"
NLS: CSV charset=WE8MSWIN1252
...NLS: Set Decimal separator="."
...NLS: Set NLS Group separator=","
...NLS: Set g_nls_date_format="DD-MON-RR"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
...NLS: Set g_nls_date_format="mm/dd/yyyy"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
NLS: Language=en-us
fetch_flow_info
set_html_escaping_mode p_mode=>E
Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
authenticate_and_init_session p_app_id=>181
fetch_flow_info
set_html_escaping_mode p_mode=>E
set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
... page is public:false
Authentication check: Login (NATIVE_CUSTOM)
get_current
... DOES NOT EXIST - ignore
builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
session cookie value for ORA_WWV_APP_181=
... cookie is not set
... failure, session not found
set_db_session_info
...fetch session state from database
get_current
... DOES NOT EXIST - ignore
fetch items (exact)
execute_native_session_sentry p_type=>NATIVE_CUSTOM
...Execute Statement: begin declare
begin
wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
end;
~
get_cookie_properties 181 -> ORA_WWV_APP_181, ,
get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
session cookie value for ORA_WWV_APP_181=
... cookie is not set
get_cookie_properties 181 -> ORA_WWV_APP_181, ,
get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
session cookie value for ORA_WWV_APP_181=
... cookie is not set
generate_unique_session_id
remember_deep_link p_url=>f?p=181:30:::LEVEL9:
get_current
... DOES NOT EXIST - ignore
... insert into wwv_flow_sessions$: 7781513768577
create_new
Session created: 7781513768577 user: foobar
save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>f?p=181:30:7781513768577::LEVEL9:
...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value="f?p=181:30:7781513768577::LEVEL9:"
login p_uname=>foobar,p_password=>...,p_session_id=>7781513768577,p_flow_page=>181:30,p_entry_point=>POST-LOGIN,p_preserve_case=>false,p_use_secure_cookie=>false
execute_login p_username=>foobar,p_password=>...,p_current_app_id=>181,p_next_app_id=>181,p_next_page_id=>30,p_post_login=>true,p_builder_login_for_workspace=>
...delaying unrecoverable error to the end of execute_login
create_or_reuse_session
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
...Session ID 7781513768577 can be used
...New Instance Detected -
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
... page is public:false
... POST LOGIN shortcut, no pre-auth and auth process
... Authentication success
... running post_auth_240111674424380819
...Execute Statement: begin declare
procedure post_auth_240111674424380819 is
begin
post_auth_240111674424380819;
end;
end;
Collection - Begin create_collection_from_query_b, Collection Name: AD_GROUPS
Collection - Begin Create Collection, Collection Name: EM_ROLES
save_by_name p_item_name=>G_APP_USER,p_item_value=>***
find_item_by_name p_name=>G_APP_USER
set_substitution_cache p_id=>8993704979413505,p_value=>***,p_name=>G_APP_USER,p_filter=>Y,p_encrypted=>N
...Session State: Saved Item "G_APP_USER" New Value="foobar"
get_item_value p_item=>FSP_AFTER_LOGIN_URL,p_flow=>181,p_instance=>7781513768577
... l_instance=7781513768577,l_flow_id=181,l_sgid=634111608319703,p_item=FSP_AFTER_LOGIN_URL
get_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_session_id=>7781513768577
...value="f?p=181:30:7781513768577::LEVEL9:"
save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>
...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value=""
log_login p_username=>foobar,p_security_group_id=>634111608319703,p_owner=>foobar,p_application_id=>181,p_authentication_method=>Login,p_authentication_result=>0,p_custom_status_text=>
... update session user (foobar) and auth result ()
reset_cache
update_hashed_id -> ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1, sqlrowcount=1
send name=>ORA_WWV_APP_181,value=>ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1,expires=>,path=>,domain=>,secure=>,httponly=>HTTPONLY
Redirecting to f?p=181:30:7781513768577::LEVEL9:
...setting g_unrecoverable_error:=true again
Stop APEX Engine detected
Stop APEX Engine detected
Final commit
init cgi_var_name.count=>29
CGI: PATH_INFO = /f
HTTP://xxx/pls/xxx.xx
QUERY_STRING=p=181:30:7781513768577::LEVEL9:
REQUEST_METHOD=GET
REMOTE_ADDR=xx.xx.xx.xx
REMOTE_USER=foobar
APEX_LISTENER_VERSION=
REFERER=
Cookies:
S H O W: application="181" page="30" workspace="" request="" session="7781513768577"
Reset NLS settings
alter session set NLS_LANGUAGE="AMERICAN"
alter session set NLS_TERRITORY="AMERICA"
alter session set NLS_CALENDAR="GREGORIAN"
alter session set NLS_SORT="BINARY"
alter session set NLS_COMP="BINARY"
...NLS: Set Decimal separator="."
...NLS: Set NLS Group separator=","
...NLS: Set g_nls_date_format="DD-MON-RR"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
no characterset conversion needed
...Setting session time_zone to -04:00
reset_nls_environment
reset
reset
fetch_flow_info
set_html_escaping_mode p_mode=>E
Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
alter session set nls_language="AMERICAN"
alter session set nls_territory="AMERICA"
NLS: CSV charset=WE8MSWIN1252
...NLS: Set Decimal separator="."
...NLS: Set NLS Group separator=","
...NLS: Set g_nls_date_format="DD-MON-RR"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
...NLS: Set g_nls_date_format="mm/dd/yyyy"
...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
NLS: Language=en-us
fetch_flow_info
set_html_escaping_mode p_mode=>E
Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
authenticate_and_init_session p_app_id=>181
fetch_flow_info
set_html_escaping_mode p_mode=>E
set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
... page is public:false
Authentication check: Login (NATIVE_CUSTOM)
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
... success, session id and security group id matches
... set user and session id in package globals
set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
set_db_session_info
...fetch session state from database
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
fetch items (exact)
... fetched 8993704979413505: name=G_APP_USER, value=foobar
execute_native_session_sentry p_type=>NATIVE_CUSTOM
...Execute Statement: begin declare
begin
wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
end;
~
get_cookie_properties 181 -> ORA_WWV_APP_181, ,
get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
get_cookie_properties 181 -> ORA_WWV_APP_181, ,
get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
... sentry success, no verification specified
... sentry+verification success
create_or_reuse_session
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
...Session ID 7781513768577 can be used
...New Instance Detected -
get_by_cookie_name p_cookie_name=>ORA_WWV_USER_61814286625969
session cookie value for ORA_WWV_USER_61814286625969=
... cookie is not set
get_builder_session_id: builder session=null
...Setting session time_zone to -04:00
...Check for session expiration:
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
get_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_session_id=>7781513768577
NO_DATA_FOUND!
set_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_value=>20130925091227::
...Session State: Saved Item "FSP_SESSION_TIME" New Value="20130925091227::"
Session: Fetch session header information
get_current
... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
fetch_step_info p_mode=>SHOW
get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
get_theme_id p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
Branch point: Before Header
Authorization Check: "Administrator" Caching: "BY_USER_BY_PAGE_VIEW" Component: "PAGE"
... failed
setting g_primary_language := en-us
Add error onto error stack
...Error data:
......message: Must be Administrator
......additional_info: Access denied by Page security check
......display_location: ON_ERROR_PAGE
......is_internal_error: true
......apex_error_code: APEX.AUTHORIZATION.ACCESS_DENIED
......error_backtrace: ----- PL/SQL Call Stack -----
object line object
handle number name
0x2d7325bc0 556 package body APEX_040200.WWV_FLOW_ERROR
0x2d7325bc0 607 package body APEX_040200.WWV_FLOW_ERROR
0x2d7325bc0 911 package body APEX_040200.WWV_FLOW_ERROR
0x211e95470 488 package body APEX_040200.WWV_FLOW_AUTHORIZATION
0x2dbf01138 6000 package body APEX_040200.WWV_FLOW
0x2db632be8 249 procedure APEX_040200.F
0x267d27130 31 anonymous block
......component.type: APEX_APPLICATION_AUTHORIZATION
......component.id: 19813621888498766
......component.name: Administrator
...Show Error on Error Page
......Performing rollback
render_error_page
wwv_flow_init_htp_buffer
reset
reset
get_grid_template p_page_template_id=>12901127353947285
emit_page_header
Show page template header
handle_common_placeholders p_placeholder=>#TITLE#
get_title
handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
handle_common_placeholders p_placeholder=>#APEX_CSS#
is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
...initialize cache
... ui type name=DESKTOP
... true
handle_common_placeholders p_placeholder=>#TEMPLATE_CSS#
handle_common_placeholders p_placeholder=>#THEME_CSS#
handle_common_placeholders p_placeholder=>#PAGE_CSS#
handle_common_placeholders p_placeholder=>#APEX_JAVASCRIPT#
is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
...use cache
... ui type name=DESKTOP
... true
handle_common_placeholders p_placeholder=>#TEMPLATE_JAVASCRIPT#
handle_common_placeholders p_placeholder=>#APPLICATION_JAVASCRIPT#
handle_common_placeholders p_placeholder=>#PAGE_JAVASCRIPT#
handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
handle_common_placeholders p_placeholder=>#ONLOAD#
handle_common_placeholders p_placeholder=>#OUTDATED_BROWSER#
handle_common_placeholders p_placeholder=>#FORM_OPEN#
Rendering form open tag and internal values
clear_page_checksum
generate_unique_session_id
perform p_process_point=>AFTER_ERROR_HEADER
Processes - point: AFTER_ERROR_HEADER
handle_common_placeholders p_placeholder=>#REGION_POSITION_07#
handle_common_placeholders p_placeholder=>#HOME_LINK#
handle_common_placeholders p_placeholder=>#LOGO#
handle_common_placeholders p_placeholder=>#NAVIGATION_BAR#
handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
handle_common_placeholders p_placeholder=>#REGION_POSITION_04#
handle_common_placeholders p_placeholder=>#REGION_POSITION_01#
handle_common_placeholders p_placeholder=>#SUCCESS_MESSAGE#
handle_common_placeholders p_placeholder=>#NOTIFICATION_MESSAGE#
handle_common_placeholders p_placeholder=>#GLOBAL_NOTIFICATION#
handle_common_placeholders p_placeholder=>#REGION_POSITION_02#
handle_common_placeholders p_placeholder=>#REGION_POSITION_03#
perform p_process_point=>BEFORE_ERROR_FOOTER
Processes - point: BEFORE_ERROR_FOOTER
emit_footer
Show page footer
Show page tempate footer
handle_common_placeholders p_placeholder=>#CUSTOMIZE#
handle_common_placeholders p_placeholder=>#REGION_POSITION_05#
handle_common_placeholders p_placeholder=>#APP_VERSION#
handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
handle_common_placeholders p_placeholder=>#FORM_CLOSE#
Rendering form close tag and page checksum
handle_common_placeholders p_placeholder=>#DEVELOPER_TOOLBAR#
handle_common_placeholders p_placeholder=>#GENERATED_CSS#
handle_common_placeholders p_placeholder=>#GENERATED_JAVASCRIPT#
emit_generated_javascript
Logging exception in final_exception_handler:
Sqlerrm: ORA-20987: APEX - Must be Administrator - Access denied by Page security check
Backtrace: ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 861
ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 896
ORA-06512: at "APEX_040200.WWV_FLOW_AUTHORIZATION", line 501
ORA-06512: at "APEX_040200.WWV_FLOW", line 6000
Seems to me that the authorization scheme (which uses the value of the application item) is evaluated before the before-header/unconditional application computation sets the value of the application item and since the authorization scheme fails, show processing stops with an error.
What say you? -
Report Link + Authorization Scheme
I have an authorization scheme that checks whether a certain person has privileges to edit a record on Page 2 by referring to the :P2_ID in the authorization scheme. Page 1 has a report with a report link, but the user can see both items they are able to edit and items they are not. I know I can make the link dynamically in the sql but wanted to see if there was an easy way to use an authorization scheme, but pass the #REPORT_COL# value in the report over to an authorization scheme to show or hide the icon for me so I can get the link out of the sql.
Great example Scott! However, I'd would caution the other Sc0tt that calling functions in a SQL statement is fine for a small number of rows, but can CRUSH performance for medium to large result sets. Even if the function is fast, you're still context-switching between SQL and PL/SQL for every row. Make sure you test this with the volume of data you expect your users to encounter. If it's a problem, you might force the user to apply some filters before running the query.
If you're running 11g you can at least minimize the hit of the function with "Function Result Cache". Even if you're not on 11g yet, you can use the following code in 10g and it will switch-on result cache when you compile it in 11g:
create or replace function auth_user(p_key in number)
return varchar2
$IF not dbms_db_version.ver_le_10_2 $THEN
result_cache
$END
as
begin
pkg.g_value := p_key;
if apex_application.public_security_check (p_security_scheme => 'AUTH_USER_COLUMN') then
return '1';
else
return '0';
end if;
end;
/ If it is a reasonable result set, Scott's solution is perfect.
Thanks,
Tyler -
Display page items based on Authorization Scheme...
I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
I thought of two possibilities, both I think I'd need help on though!:
1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
accessible by "Edit" or "Admin".
The problem, though, is now "Edit" or "Admin" users will see both columns
2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
I would have no clue how to do this...
Any thoughts?
Kevin L.Kevin
You can create two items and in the Authorization Scheme you can set one as Users and second as Edit. Also You can do something using small JS. Create a variable P_USR_TYPE to hold the value of User group lets say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
function UsrCustomization()
if ( P_USR_TYPE == 1 )
// mark the item as readonly
// document.getElementById('P1_FIELD_QUESTION').disabled = true;
document.getElementById('P1_FIELD_QUESTION').readOnly="readonly"
UsrCustomization();Thanks,
Manish
Maybe you are looking for
-
My photos are not streaming from my iPhone 4 to my iPad 7. The settings are correct and it always has before I had a recent holiday in Cuba. Those photos didn't stream and now new photos since home in Vancouver, Canada are not? Both are updated to I
-
Can't display COPA datasource...message table entry doesn't exist
Hi, I am trying to display my COPA datasource and it's giving me a message stating it can't because a table entry is missing. In debugging I can see the table entry it's reading is tkebwlgn. I've tried everything, but cannot display/delete this. Any
-
11g BI Publisher - How to stop a report you started online?
We recently migrated from 10g to 11g (Oracle BI Publisher 11.1.1.7.0 (build:20130303.1415) ). In the old 10g version, once a report started you could select the Cancel link to the right side of the waiting clock, but that option is not available in
-
HELP, objects wont move in Photoshop elements 12
Hey there , it was working fine hours ago i have trouble shooted everything adobes awful support has told me to. Reseted the settings and all that jazz. Problem is still occurring. If i select a layer image (im pasting in a picture of a car to a back
-
I can't open firefox 3.6.8 in my macbook, MacOS 10.6.4.
I even tried safe mode but still can't open it. After click the icon in the dock, it just bounced once or twice and nothing would happen. For safe mode, I tried to block all the plugins and extensions, still not working.