Custom Authentication Scheme - How To

For anyone who is interested in implementing your own Authentication Scheme, I have published an article on my blog. It covers the basic steps needed and can be extended in any number of ways to suit your additional needs.
http://djmein.blogspot.com/2007/07/custom-authentication-authorisation.html
Duncan

Hi Duncan,

Thanks for your article.

Regards,
Gonçalo

Similar Messages

  • Restful Web Services - First Party Authentication with custom authentication schemes

    Hi
    I've successfully enabled security using first party authentication on our Restful web services however these only work with the built in Apex accounts and not other authentication schemes.
    Ideally I'd like to authenticate against LDAP, however when I enable this authentication scheme the restful services don't work as they only support the Apex accounts. 
    Has anyone implemented LDAP authentication for Apex restful web services, either directly or using Glassfish? Does anyone know if support for custom authentication schemes is on the feature roadmap for a future Listener release?
    I attempted to configure the glassfish application against LDAP but am still working on it.. glassfish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for Apex would be appreciated.
    Thanks
    Kes

    Hi Gemma,
    unfortunately at the moment you are caught between a rock and a hard place:
    - As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
    - Listener can only authenticate against the APEX user repository, it cannot integrate with custom APEX authentication.
    There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
    Thanks,
    Colm Divilly

  • Apex Custom Authentication Schema Page Sentry Error

    Hi,
    I am using Application Express 4.0.0. I am struggling with a strange problem while trying to implement custom authentication schema.
    I declare a page sentry function 'page_sentry' which returns TRUE or FALSE based on certain conditions. My page_sentry is as follows:
    FUNCTION PAGE_SENTRY RETURN BOOLEAN
    IS
      l_username   VARCHAR2(512);
      l_session_id NUMBER;
    BEGIN
      IF USER != 'APEX_PUBLIC_USER' THEN
        RETURN false;
      END IF;
      l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;
      -- check application session cookie.
      IF wwv_flow_custom_auth_std.is_session_valid THEN
        apex_application.g_instance := l_session_id;
        l_username := wwv_flow_custom_auth_std.get_username;
        wwv_flow_custom_auth.define_user_session(
          p_user => l_username, p_session_id => l_session_id);
        RETURN true;
      ELSE
        -- redirect to login page using OWA_UTIL.REDIRECT_URL
        NULL;
      END IF;
      RETURN false;
    END page_sentry;
    And Cookie Name : _AUTH
    At first, it always returned FALSE. I wasn't getting any error. However, even after forcibly returning TRUE from the page_sentry function the redirect was still not happening. I tried to look into what cookies were being set for the same and I found this:
    Name:     ApexLibErrorStack1
    Content:     page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication
    I couldn't find any relevant help for this. Worst of it is I cannot set any cookie from the page_sentry function at all. Please help!

    Hi all.
    Can someone please help me out with the above issue. I am not sure if things are wrong at my end or is this an apex bug.
    --Update:
    The source of my problem perhaps lies in the manner in which I have configured my Oracle HTTP Server. When I disable port HTTP server on port 80 and run apex without it on default port 8080, the custom authentication schema cookie gets set.
    Executing the following with Oracle HTTP Server:
    OWA_UTIL.PRINT_CGI_ENV;
    gives:
    HTTP_COOKIE = ApexLibErrorStack1=page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication.; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL
    And without HTTP Server:
    gives:
    HTTP_COOKIE = WWV_CUSTOM-F_1420403886791332_100=9625AAC49B9951D8;......
    Did I miss something in my HTTP server configuration ?
    Edited by: pc on Jan 2, 2012 3:15 AM

  • Customized authentication scheme unauthorized when using help

    I am receiving an unauthorized message when clicking on help on a label. The message was not being received until the customized authentication scheme was enabled.

    If you still need help with this, please provide all the usual information: a complete description of the situation, an example on apex.oracle.com if possible, your version of apex and database, all custom code, all authentication scheme details, etc.
    Also, please tell us your first name and put it into your handle and/or profile to help us.
    Scott

  • Custom authentication scheme: Invalid Session Target

    Yesterday I spent a lot of time figuring out what was happening and I'm not sure if this is a bug or a feature...
    Create an application with some public pages (1,2,101) and some non-public pages (3,4).
    Created a list on page 0 listing all pages but only listing page 3 and 4 when user is logged in.
    Created a custom authentication scheme.
    Running the application showed me the page 1 and the list containing 1,2,101.
    I could navigate to 101 and then log in after which I was taken to page 1 showing only 1,2,101.
    I changed page 101 so that it would take me to page 3 after logging in and it did. The list showed me 1,2,101,3,4 and the username was also visible.
    I could visit all pages correctly except page 1. Whenever I navigated to page 1 I effectively got logged out.
    Finally I discovered that I had set "Invalid Session Target" to page 1 in my authentication scheme.
    Is this the intended effect ?

    Rene,
    When a page is selected in the authentication scheme's Invalid Session Page LOV, it gets designated as "the login page". Whenever this page is rendered, APP_USER is null and APP_SESSION is a new session ID. This accounts for what you saw. It's sort of a quirk more than a bug or feature and we ought to properly document this behavior. If, for some reason, you needed a login page that you could navigate back to (after login) in the current session and using the current APP_USER value, you can deselect the page from the Invalid Session Page LOV in the authentication scheme and instead code this in the Invalid Session URL:
    f?p=&APP_ID.:101:&APP_SESSION.
    ...using 101 as the login page, but it can be any page ID as long as it's a public page.
    Scott

  • Setting up a custom authentication scheme

    Hello APEX Community,
    I'm working on creating an RSVP site for an upcoming event, but I want to limit the number of "random" users that try to sign in by implementing some sort of password system.
    I am running this on apex.oracle.com...
    What I have currently set up is the following:
    I have a table (user_auth) that stores a list of passwords. I will send individual people one password that they will type in on the login page.
    The issue I have right now is how to implement the authentication scheme...
    Based on the authentication drop down options, I should be choosing "Custom"... But I am stuck at this point...
    I have created a function called "my_authentication" (code provided below) and entered "my_authentication" as the Authentication Function Name, but when I test it, it keeps failing. I left the Login page as is, I don't enter a user name but I enter a valid password from the user_auth table. When I hit Login, it just boots me back to the login page. Do I need anything for Sentry Function?
    create or replace function my_authentication (
      p_username in varchar2 default null,
      p_password in varchar2)
      return boolean
    is
      l_count number;
      l_return_value boolean;
    begin
      select count(*) into l_count from user_auth t where t.user_password = upper(p_password);
      if (l_count > 0) then
        l_return_value := true;
      else
        l_return_value := false;
      end if;
      return l_return_value;
    exception
      when no_data_found then
        return false;
    end my_authentication;
    Please let me know if you want me to elaborate further...
    Thanks and regards,
    Ivan

    Hi Scott,
    Thanks for replying and sorry it took so long to get a reply back.
    I hope the following makes sense.
    1: When I say "it keeps failing", what happens is when I enter just the password, and hit "Login" it just boots me back to the Login page and no error is displayed.
    2: Yes, I don't have any encryption at all but I have x number of randomly generated strings stored in that table, and what I was hoping to do was have the user enter the password and then have it go and confirm that that is one of the x number of strings in the table.
    The problem I'm starting to realize with this approach is that the passwords are not displayed. Users just see *'s instead. My approach now is to use an Open door authentication and have them enter the password there to log in, and upon logging in, it will assign value to a global value that checks to see if it's a valid password... (passes back user_id for a matching user_password). If the password is invalid, it will pass a -100 or something...
    This seems like a somewhat effective way of getting around the authentication. I guess my next challenge is to figure out how to boot invalid users back to the login page in an Open Door Authentication scheme.
    Ivan

  • Custom Authentication Scheme - call SSO or Local Process based on User Name

    Hi,
    We are looking at building a new application that allows employee and public user access.
    For staff we want to use Single Sign On as we have for all our other ApEx applications.
    For public users (who will register to create an account) we want to use our own Custom Authentication Function.
    What I would like to do is to have an Authentication Function along the lines of:
    If username like '%@%'
    then call Custom Function
    else call SSO Function.
    How do I call the SSO Authentication Function programmatically?
    Thanks,
    Martin

    Probably I don't explain myself clearly....sorry for that!
    Anyway you are right, the role of the user can change after the user is initially provisioned.
    I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
    1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
    2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
    Is it possible with pre-populate adapter?
    Sorry again for my not very clear explanations.
    Daniele
    Edited by: 886636 on Jan 24, 2012 4:10 AM

  • Custom Authentication scheme

    Hello,
    I am building a custom auth. scheme that actually checks username/password in a custom table (app_users) [not DB accounts]. I have created a package with a login function as follows:
    PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
      lv_goto_page NUMBER DEFAULT 1;
    BEGIN
      IF UPPER(p_uname) = 'ADMIN' THEN
        lv_goto_page := 1;
      ELSE
        lv_goto_page := 100;
      END IF;
      wwv_flow_custom_auth_std.login  (  p_uname => p_uname,
        p_password => p_password,
        p_session_id => p_session_id,
        p_flow_page => p_flow_page || ':' || lv_goto_page  );
    EXCEPTION WHEN OTHERS THEN
      RAISE;
    END login;
    and a valid_user function in that package that simply returns TRUE if username/password are correct in APP_USERS table.......
    and then I have changed the 101 login page login process to :
    app_security_pkg.login(
      P_UNAME       => :P101_USERNAME,
      P_PASSWORD    => :P101_PASSWORD,
      P_SESSION_ID  => v('APP_SESSION'),
      P_FLOW_PAGE   => :APP_ID||':1'
    );
    and created my own auth. scheme and entered this in the auth. function field :
    return app_security_pkg.valid_user
    My question is , this is not working when I enter a valid username/pass from APP_USERS because I think it still points to oracle's db users .... Where should I make the built in function wwv_flow_custom_auth_std.login point to my APP_USERS table instead ????
    Thanks,
    Sam K

    Gus,
    The only code I have is for the authentication package and here it is :
    create or replace PACKAGE BODY app_security_pkg AS
      PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
        lv_goto_page NUMBER DEFAULT 1;
      BEGIN
        IF UPPER(p_uname) = 'SAM' THEN -- just for test. sam is a username in app_users
          lv_goto_page := 1;
        ELSE
          lv_goto_page := 100;
        END IF;
        wwv_flow_custom_auth_std.login ( p_uname => p_uname, p_password => p_password, p_session_id => p_session_id, p_flow_page => p_flow_page || ':' || lv_goto_page );
      EXCEPTION WHEN OTHERS THEN
        RAISE;
      END login;
      PROCEDURE add_user ( p_username IN VARCHAR2,p_password IN VARCHAR2) AS
      BEGIN
        INSERT INTO app_users (username, PASSWORD) VALUES (UPPER (p_username),get_hash (TRIM (p_username), p_password));
        COMMIT;
      EXCEPTION WHEN OTHERS THEN
        ROLLBACK;
        RAISE;
      END add_user;
      FUNCTION get_hash (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN VARCHAR2 AS
      BEGIN
        RETURN DBMS_OBFUSCATION_TOOLKIT.md5 (input_string => UPPER (p_username)||'/'||UPPER (p_password));
      END get_hash;
      PROCEDURE valid_user2 (p_username IN VARCHAR2, p_password IN VARCHAR2) AS
        v_dummy VARCHAR2 (1);
      BEGIN
        SELECT '1' INTO v_dummy FROM app_users
        WHERE UPPER (username) = UPPER (p_username) AND PASSWORD = get_hash (p_username, p_password);
      EXCEPTION WHEN NO_DATA_FOUND THEN
        raise_application_error (-20000, 'Invalid username / password.');
      END valid_user2;
      FUNCTION valid_user (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
      BEGIN
        valid_user2 (UPPER (p_username), p_password);
        RETURN TRUE;
      EXCEPTION WHEN OTHERS THEN
        RETURN FALSE;
      END valid_user;
    END app_security_pkg;
    and in the shared components >> current auth. scheme is myscheme >> Auth. Function : return app_security_pkg.valid_user
    and in page 101 login process :
    app_security_pkg.login(
      P_UNAME => :P101_USERNAME,
      P_PASSWORD => :P101_PASSWORD,
      P_SESSION_ID => v('APP_SESSION'),
      P_FLOW_PAGE => :APP_ID||':1'
    );
    That's it ! I hope this helps you figuring it out ;)
    Thanks,
    Sam
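
    The package above stores a single MD5 of the upper-cased username and password, and its valid_user turns every exception into FALSE; other custom-table threads on this page compare clear-text passwords. As an added example that is not the posters' code, the package below keeps the same (p_username, p_password) RETURN BOOLEAN signature but stores a per-user random salt with a PBKDF2-HMAC-SHA256 hash and treats only NO_DATA_FOUND as a failed login. Assumptions: Oracle Database 12c or later, EXECUTE on DBMS_CRYPTO, and the hypothetical names app_auth and app_users_kdf.

```plsql
-- Added example, not the posters' code. Hypothetical table (an assumption):
--   create table app_users_kdf (
--     username   varchar2(128) primary key,
--     salt       raw(16) not null,
--     iterations number  not null,
--     pw_hash    raw(32) not null);
create or replace package app_auth as
  procedure add_user (p_username in varchar2, p_password in varchar2);
  -- Same signature as the authentication functions posted in these threads.
  function authenticate (p_username in varchar2, p_password in varchar2)
    return boolean;
end app_auth;
/
create or replace package body app_auth as
  -- Work factor for new accounts; tune it for your hardware.
  c_iterations constant pls_integer := 100000;

  -- PBKDF2-HMAC-SHA256, first output block only (32 bytes).
  function pbkdf2 (p_password in varchar2, p_salt in raw, p_iter in pls_integer)
    return raw
  is
    l_key raw(32767) := utl_i18n.string_to_raw(p_password, 'AL32UTF8');
    l_u   raw(32);
    l_t   raw(32);
  begin
    -- U1 = HMAC(password, salt || INT_32_BE(1))
    l_u := dbms_crypto.mac(utl_raw.concat(p_salt, hextoraw('00000001')),
                           dbms_crypto.hmac_sh256, l_key);
    l_t := l_u;
    for i in 2 .. p_iter loop
      l_u := dbms_crypto.mac(l_u, dbms_crypto.hmac_sh256, l_key);
      l_t := utl_raw.bit_xor(l_t, l_u);
    end loop;
    return l_t;
  end pbkdf2;

  procedure add_user (p_username in varchar2, p_password in varchar2) is
    l_salt raw(16) := dbms_crypto.randombytes(16);
  begin
    if p_password is null then
      raise_application_error(-20001, 'Password must not be empty.');
    end if;
    -- The password keeps its case; only the username is normalised.
    insert into app_users_kdf (username, salt, iterations, pw_hash)
    values (upper(trim(p_username)), l_salt, c_iterations,
            pbkdf2(p_password, l_salt, c_iterations));
    -- No COMMIT here: the caller owns the transaction.
  end add_user;

  function authenticate (p_username in varchar2, p_password in varchar2)
    return boolean
  is
    l_salt  raw(16);
    l_iter  number;
    l_hash  raw(32);
    l_calc  raw(32);
    l_found boolean := true;
  begin
    if p_username is null or p_password is null then
      return false;
    end if;
    begin
      select salt, iterations, pw_hash
        into l_salt, l_iter, l_hash
        from app_users_kdf
       where username = upper(trim(p_username));
    exception
      when no_data_found then
        -- Unknown user: still run the KDF so the response time is similar.
        l_found := false;
        l_salt  := hextoraw('00000000000000000000000000000000');
        l_iter  := c_iterations;
    end;
    l_calc := pbkdf2(p_password, l_salt, l_iter);
    if not l_found then
      return false;
    end if;
    -- Any other error (missing grant, invalid object) propagates to the
    -- caller instead of being reported as a wrong password.
    return utl_raw.compare(l_calc, l_hash) = 0;
  end authenticate;
end app_auth;
/
```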

  • Strange problem when using custom authentication schema

    Hello,
    I'm building a custom authentication system for the application. Basically, I followed the blog post from Martin: http://www.talkapex.com/2009/03/custom-authentication-status.html
    However, the authentication seems to work fine at the beginning when running the page 101 from Application Builder and logging in, but when I log out from the application (redirect back to page 101) and try to log in with the same credentials, it gives the error message "Invalid Login Credentials". Also, when the application is accessed from public (open page 101 directly using another computer), the authentication doesn't work at all.
    Furthermore, I checked the table apex_workspace_access_log and found out that it has "AUTH_SUCCESS" even if using the fake credentials and the login failed (I use "apex_util.set_authentication_result (p_code => 3);" when auth function return false).
    I couldn't find the cause of the problem, then I created the same custom authentication in apex.oracle.com. The problem doesn't appear anymore. To make sure they are same, I have double checked the custom authentication in both the development environment and the apex.oracle.com.
    This is very strange to me and I don't know where to look for the problem. Could you give me some advice on what may cause this problem? Thanks in advance!

    I found the problem myself. The cause is the VPD, the account table has VPD policy applied, which prevented public access.

  • Custom Authentication in Apex 4.2

    Hi,
    I am trying to create a custom authentication scheme in apex 4.2. I have a database table which has username and password in it. I am using a function which returns Boolean after checking the username and password. I have checked it from toad and it works fine. But, when I am calling it from custom authentication it doesn't work.
    How can I configure this custom auth into my application?
    Thanks,

    Hello,
    Can you please provide more details. What is not working?
    Have you created a new authentication scheme? Before this, did your application have any authentication scheme?
    Best case - create a sample application in apex.oracle.com and post credentials so we can have a look
    Useful blog entries.. Custom Authentication in APEX and How to setup Custom Authentication in Oracle APEX
    Regards,
    Hari
    Edited by: Hari_639 on Apr 27, 2013 7:56 PM

  • Problems with custom authentication when migrating from 3.2 to 4.1.1

    Hi,
    we’re about to upgrade our APEX instances to 4.1.1 and to migrate our applications. I encountered some problems with our custom authentication schema.
    1. Recognize already authenticated sessions: in 3.2 the sentry function could return false as long as the user was not authenticated. Public pages could still be displayed (including the login page). The result of the function apex_custom_auth.is_session_valid returned false until once the sentry function returned true. How can I recognize non authenticated sessions in 4.1.1? I looked for the test the Condition “User is the public user (user has not authenticated)” computes on a page but didn’t find the right one. It’s not what docu states here (comparison with the public user): http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/condition001.htm#HTMDB25943. I replaced the test with p_authentication.username = ‘nobody’. It works. But that doesn’t seem to me to be the right way …
    2. Post_logout lacks session context: the Post Logout Procedure does not receive a session_id and username. Neither the V(‘APP_SESSION’) nor p_authentication.session_id are set. This applies to both plugin authentication schemes and non-plugin custom authentication schemes. Is there another way to obtain the logged-out sessions infos or is this a bug?
    See apex.oracle.com for a demo, workspace WS_MW, gast/gast. Can someone please guide me the way?
    Michael

    Hello again,
    there are no replies until now .... I reviewed some posts regarding custom authentication again and did not find any solution for the issues. Found some that worked with APEX 3.2.1 but not with 4.1.1. I can only work around
    1.) in an insecure way, because the non documented (?) user "nobody" can change and all new sessions will be considered authenticated
    2.) in a way, that ends up in implementing the logout from the non apex environment outside the authentication schema or authentication plugin.
    Maybe I should contact support for at least the second issue because this doesn't work as documented or am I doing something wrong?
    Michael

  • Custom authentication - different user - no edit links

    Hi
    In my apex 3 application I use a custom authentication scheme, in which I validate users against our backoffice tables. However, I don’t have in those tables the database user that I use to develop apex applications.
    When I run my application for the first time in the session (from the application builder tool) I am redirected to the login page and need to login. As I have to login using a different user, I don’t see at the bottom of the pages the edit links and I need to go back a number of times to get back to the app builder page.
    What is the best practice in this case? Is it possible to tell apex not to use the login page if the app is being run from the app builder tool? (or something like that)
    Thanks
    Luis

    Hi Scott
    Thanks for the reply. I understand why this happens, but I was wondering if there was a way to circumvent this limitation, as I can't login as the database user I am using to build the application (because I don't have that user in my custom authentication scheme).
    Of course I could add that user, but as it is maintained by another department (it is a live system and I would have to justify well why I need a new user just for development purposes), I was looking for another quicker, simpler solution.
    Thanks
    Luis

  • Create Authentication Scheme From Scratch

    Hi there,
    I have built an application for users, but the problem I ran into is that when I try to create a new Authentication Scheme,
    it doesn't let me create one from scratch.
    The only two options available are:
    - Based on a pre-configured scheme from the gallery
    - As a copy of an existing authentication scheme
    Can someone maybe explain to me why I don't have the option to create a scheme from scratch, and what I will need to do to get the option?
    Yours Sincerely,
    Sebastian!

    The scenario is as follows,
    I'm working on a project for my finals, and they asked us to make an Authentication login for users.
    I can make groups and users in Apex. I've put some users in a group called: 'Developers'. I want users that are in 'Developers' to be blocked
    from certain pages in the application (they may not access all the pages, only certain pages).
    So I have read the book Pro Oracle Application Express 4 AUTHENTICATION AND USER MANAGEMENT
    and the book says you need to start with an authentication for users.
    I tried it with several tutorials and still it doesn't work. I'm not that good in programming, I do understand what they are saying but finding everything in apex.oracle is just such a work.
    I did the following.
    Creating the my_users
    apexdemo@10gR2> create table my_users(
      username varchar2(8),
      password varchar2(8)
    );
    insert into user_repository values
      ('john', '1234');
    This was to create a table and add a user into it.
    Next I created a custom Authentication Scheme and added the following code
    create or replace package pkg_auth as
      function authenticate(p_username in varchar2,
                            p_password in varchar2) return boolean;
    end;
    create or replace package body pkg_auth as
      function authenticate(p_username in varchar2,
                            p_password in varchar2) return boolean is
        -- default the result to 0
        v_result integer := 0;
      begin
        -- store 1 in v_result if a matching row
        -- can be found
        select 1
          into v_result
          from user_repository
         where username = lower(p_username)
           and password = p_password;
        -- return true if a matching record was found
        return(v_result = 1);
      exception
        -- if no record was found then return false
        when no_data_found then
          return false;
      end authenticate;
    end;
    I tried the code with
    declare
      bres boolean := false;
    begin
      -- use the correct username and password
      bres := pkg_auth.authenticate('john', '1234');
      if (bres = true) then
        dbms_output.put_line('Authentication was successful');
      else
        dbms_output.put_line('Authentication failed');
      end if;
    end;
    and it returned : Authentication was successful
    But when I try to log in with the user himself it says login credentials invalid
    I don't know what I'm doing wrong or what I'm forgetting here to make it work.

  • How to create an database account authentication scheme in apex

    Dear
    I have an apex installation (embedded) on oracle 11g.
    I want to create a database account authentication scheme in apex. I have seen the page with different tabs like name, subscription, source, session not valid, login processing, logout URL, session cookie attributes and comments.
    I want to know what are the things to be specified on these tabs and the effects. I have gone thru the documentation 'Application Builder User’s Guide Release 4.1', but the functionalities of these tabs are not mentioned.
    Please help.
    Dennis
    Edited by: Dennis John on Feb 28, 2012 10:57 PM

    Thanks to dear Jit
    I am new to apex.
    I have gone thru those documents but I couldn't find any detailed documentation about the database account authentication scheme configuration
    The database account authentication scheme creation interface will show tabs like name, subscription, source, session not valid, login processing, logout URL, session cookie attributes and comments.
    I want to know what are the things to be specified on these tabs and how it will reflect in the login. The specified documentation is not giving any detail about the above mentioned tabs of the authentication scheme creation wizard.
    And also I want to know how the application user will be mapped to the database account?
    As per my understanding a database user (for each run time user) is required to authenticate the apex run time login other than the application schema user (holds the objects of the application)
    run time user means - end user who uses the application, not the developer.
    Please help.
    Dennis

  • How to implement Custom Authentication and Authorization in Oracle SOA 11g

    Can anyone please tell me, how to implement Custom Authentication in Oracle SOA 11g ?
    Because in Oracle SOA 10.1.3.4, I have implemented this custom authentication and authorization by implementing BPMAuthenticationService, BPMAuthorizationService, BPMIdentityService to verify against my database systems.
    implementation classes like the mentioned below
    1).
    public class SampleAuthenticationService extends SampleServiceBase implements BPMAuthenticationService {
    2).
    public class SampleAuthorizationService extends SampleServiceBase implements BPMAuthorizationService {
    3).
    public class SampleIdentityService extends SampleServiceBase implements BPMIdentityService {
    Please help me to implement the authentication and authorization in Oracle SOA 11g .
    thanks in advance

    To start with please go through following document
    http://docs.oracle.com/cd/E21764_01/integration.1111/e10231/adptr_jms.htm
    http://docs.oracle.com/cd/E23943_01/integration.1111/e10231/adptr_file.htm
    Regards
    Arpit
