Custom authentication scheme: Invalid Session Target

Yesterday I spent a lot of time figuring out what was happening and I'm not sure if this is a bug or a feature...
Create an application with some public pages (1,2,101) and some non-public pages (3,4).
Created a list on page 0 listing all pages but only listing page 3 and 4 when user is logged in.
Created a custom authentication scheme.
Running the application showed me the page 1 and the list containing 1,2,101.
I could navigate to 101 and then log in after which I was taken to page 1 showing only 1,2,101.
I changed page 101 so that it would take me to page 3 after logging in and it did. The list showed me 1,2,101,3,4 and the username was also visible.
I could visit all pages correctly except page 1. Whenever I navigated to page 1 I effectively got logged out.
Finally I discovered that I had set "Invalid Session Target" to page 1 in my authentication scheme.
Is this the intended effect?

Rene,
When a page is selected in the authentication scheme's Invalid Session Page LOV, it gets designated as "the login page". Whenever this page is rendered, APP_USER is null and APP_SESSION is a new session ID. This accounts for what you saw. It's sort of a quirk more than a bug or feature and we ought to properly document this behavior. If, for some reason, you needed a login page that you could navigate back to (after login) in the current session and using the current APP_USER value, you can deselect the page from the Invalid Session Page LOV in the authentication scheme and instead code this in the Invalid Session URL:
f?p=&APP_ID.:101:&APP_SESSION.
...using 101 as the login page, but it can be any page ID as long as it's a public page.
Scott

Similar Messages

  • Apex Custom Authentication Schema Page Sentry Error

    Hi,
    I am using Application Express 4.0.0. I am struggling with a strange problem while trying to implement custom authentication schema.
    I declare a page sentry function 'page_sentry' which returns TRUE or FALSE based on certain conditions. My page_sentry is as follows:
    FUNCTION PAGE_SENTRY RETURN BOOLEAN
    IS
      l_username   VARCHAR2(512);
      l_session_id NUMBER;
    BEGIN
      -- only the APEX public database user may pass the sentry
      IF USER != 'APEX_PUBLIC_USER' THEN
        RETURN false;
      END IF;
      l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;
      -- check application session cookie.
      IF wwv_flow_custom_auth_std.is_session_valid THEN
        apex_application.g_instance := l_session_id;
        l_username := wwv_flow_custom_auth_std.get_username;
        wwv_flow_custom_auth.define_user_session(
          p_user => l_username, p_session_id => l_session_id);
        RETURN true;
      ELSE
        --redirect to login page using OWA_UTIL.REDIRECT_URL
        NULL;
      END IF;
      RETURN false;
    END page_sentry;
    And Cookie Name : _AUTH
    At first, it always returned FALSE. I wasn't getting any error. However, even after forcibly returning TRUE from the page_sentry function the redirect was still not happening. I tried to look into what cookies were being set for the same and I found this:
    Name:     ApexLibErrorStack1
    Content:     page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication
    I couldn't find any relevant help for this. Worst of it is I cannot set any cookie from the page_sentry function at all. Please help!

    Hi all.
    Can someone please help me out with the above issue. I am not sure if things are wrong at my end or is this an apex bug.
    --Update:
    The source of my problem perhaps lies in the manner in which I have configured my Oracle HTTP Server. When I disable the HTTP server on port 80 and run apex without it on default port 8080, the custom authentication schema cookie gets set.
    Executing the following with Oracle HTTP Server:
    OWA_UTIL.PRINT_CGI_ENV;
    gives:
    HTTP_COOKIE = ApexLibErrorStack1=page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication.; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL
    And without HTTP Server:
    gives:
    HTTP_COOKIE = WWV_CUSTOM-F_1420403886791332_100=9625AAC49B9951D8;......
    Did I miss something in my HTTP server configuration?
    Edited by: pc on Jan 2, 2012 3:15 AM

  • Restful Web Services - First Party Authentication with custom authentication schemes

    Hi
    I've successfully enabled security using first party authentication on our Restful web services however these only work with the built in Apex accounts and not other authentication schemes.
    Ideally I'd like to authenticate against LDAP, however when I enable this authentication scheme the restful services don't work as they only support the Apex accounts. 
    Has anyone implemented LDAP authentication for Apex restful web services, either directly or using Glassfish? Does anyone know if support for custom authentication schemes is on the feature roadmap for a future Listener release?
    I attempted to configure the glassfish application against LDAP but am still working on it.. glassfish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for Apex would be appreciated.
    Thanks
    Kes

    Hi Gemma,
    unfortunately at the moment you are caught between a rock and a hard place:
    - As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
    - Listener can only authenticate against the APEX user repository, it cannot integrate with custom APEX authentication.
    There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
    Thanks,
    Colm Divilly

  • Customized authentication scheme unauthorized when using help

    I am receiving an unauthorized message when clicking on help on a label. The message was not being received until the customized authentication scheme was enabled.

    If you still need help with this, please provide all the usual information: a complete description of the situation, an example on apex.oracle.com if possible, your version of apex and database, all custom code, all authentication scheme details, etc.
    Also, please tell us your first name and put it into your handle and/or profile to help us.
    Scott

  • Setting up a custom authentication scheme

    Hello APEX Community,
    I'm working on creating an RSVP site for an upcoming event, but I want to limit the number of "random" users that try to sign in by implementing some sort of password system.
    I am running this on apex.oracle.com...
    What I have currently set up is the following:
    I have a table (user_auth) that stores a list of passwords. I will send individual people one password that they will type in on the login page.
    The issue I have right now is how to implement the authentication scheme...
    Based on the authentication drop down options, I should be choosing "Custom"... But I am stuck at this point...
    I have created a function called "my_authentication" (code provided below) and entered "my_authentication" as the Authentication Function Name, but when I test it, it keeps failing. I left the Login page as is, I don't enter a user name but I enter a valid password from the user_auth table. When I hit Login, it just boots me back to the login page. Do I need anything for Sentry Function?
    create or replace function my_authentication (
      p_username in varchar2 default null,
      p_password in varchar2)
      return boolean
    is
      l_count number;
      l_return_value boolean;
    begin
      select count(*) into l_count from user_auth t where t.user_password = upper(p_password);
      if (l_count > 0) then
        l_return_value := true;
      else
        l_return_value := false;
      end if;
      return l_return_value;
    exception
      when no_data_found then
        return false;
    end my_authentication;
    Please let me know if you want me to elaborate further...
    Thanks and regards,
    Ivan

    Hi Scott,
    Thanks for replying and sorry it took so long to get a reply back.
    I hope the following makes sense.
    1: When I say "it keeps failing", what happens is when I enter just the password, and hit "Login" it just boots me back to the Login page and no error is displayed.
    2: Yes, I don't have any encryption at all but I have x number of randomly generated strings stored in that table, and what I was hoping to do was have the user enter the password and then have it go and confirm that that is one of the x number of strings in the table.
    The problem I'm starting to realize with this approach is that the passwords are not displayed. Users just see *'s instead. My approach now is to use an Open door authentication and have them enter the password there to log in, and upon logging in, it will assign value to a global value that checks to see if it's a valid password... (passes back user_id for a matching user_password). If the password is invalid, it will pass a -100 or something...
    This seems like a somewhat effective way of getting around the authentication. I guess my next challenge is to figure out how to boot invalid users back to the login page in an Open Door Authentication scheme.
    Ivan

  • Custom Authentication scheme

    Hello,
    I am building a custom auth. scheme that actually checks username/password in a custom table (app_users) [ not DB accounts] . I have created a package with a login function as follows:
    PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
    lv_goto_page NUMBER DEFAULT 1;
    BEGIN
    IF UPPER(p_uname) = 'ADMIN' THEN
    lv_goto_page := 1;
    ELSE  lv_goto_page := 100;
    END IF;
    wwv_flow_custom_auth_std.login  (  p_uname => p_uname,
    p_password => p_password,
    p_session_id => p_session_id,
    p_flow_page => p_flow_page || ':' || lv_goto_page  );
    EXCEPTION WHEN OTHERS THEN
    RAISE;
    END login;
    and a valid_user function in that package that simply returns TRUE if username/password are correct in APP_USERS table.......
    and then I have changed the 101 login page login process to :
    app_security_pkg.login(
    P_UNAME       => :P101_USERNAME,
    P_PASSWORD    => :P101_PASSWORD,
    P_SESSION_ID  => v('APP_SESSION'),
    P_FLOW_PAGE   => :APP_ID||':1'
    );
    and created my own auth. scheme and entered this in the auth. function field :
    return app_security_pkg.valid_user
    My question is, this is not working when I enter a valid username/pass from APP_USERS because I think it still points to oracle's db users .... Where should I make the built in function wwv_flow_custom_auth_std.login point to my APP_USERS table instead ????
    Thanks,
    Sam K

    Gus,
    The only code I have is for the authentication package and here it is :
    create or replace PACKAGE BODY app_security_pkg AS
    PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
    lv_goto_page NUMBER DEFAULT 1;
    BEGIN
    IF UPPER(p_uname) = 'SAM' THEN -- just for test. sam is a username in app_users
    lv_goto_page := 1;
    ELSE lv_goto_page := 100;
    END IF;
    wwv_flow_custom_auth_std.login ( p_uname => p_uname, p_password => p_password, p_session_id => p_session_id, p_flow_page => p_flow_page || ':' || lv_goto_page );
    EXCEPTION WHEN OTHERS THEN
    RAISE;
    END login;
    PROCEDURE add_user ( p_username IN VARCHAR2,p_password IN VARCHAR2) AS
    BEGIN
    INSERT INTO app_users (username, PASSWORD)VALUES (UPPER (p_username),get_hash (TRIM (p_username), p_password));
    COMMIT;
    EXCEPTION WHEN OTHERS THEN ROLLBACK;
    RAISE;
    END add_user;
    FUNCTION get_hash (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN VARCHAR2 AS
    BEGIN
    RETURN DBMS_OBFUSCATION_TOOLKIT.md5 (input_string => UPPER (p_username)||'/'||UPPER (p_password));
    END get_hash;
    PROCEDURE valid_user2 (p_username IN VARCHAR2, p_password IN VARCHAR2) AS
    v_dummy VARCHAR2 (1);
    BEGIN
    SELECT '1' INTO v_dummy FROM app_users
    WHERE UPPER (username) = UPPER (p_username) AND PASSWORD = get_hash (p_username, p_password);
    EXCEPTION WHEN NO_DATA_FOUND THEN
    raise_application_error (-20000, 'Invalid username / password.');
    END valid_user2;
    FUNCTION valid_user (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
    BEGIN
    valid_user2 (UPPER (p_username), p_password);
    RETURN TRUE;
    EXCEPTION WHEN OTHERS THEN
    RETURN FALSE;
    END valid_user;
    END app_security_pkg;
    and in the shared components >> current auth. scheme is myscheme >> Auth. Function : return app_security_pkg.valid_user
    and in page 101 login process :
    app_security_pkg.login(
    P_UNAME => :P101_USERNAME,
    P_PASSWORD => :P101_PASSWORD,
    P_SESSION_ID => v('APP_SESSION'),
    P_FLOW_PAGE => :APP_ID||':1'
    );
    That's it! I hope this helps you figure it out ;)
    Thanks,
    Sam

  • Strange problem when using custom authentication schema

    Hello,
    I'm building a custom authentication system for the application. Basically, I followed the blog post from Martin: http://www.talkapex.com/2009/03/custom-authentication-status.html
    However, the authentication seems to work fine at the beginning when running the page 101 from Application Builder and logging in, but when I log out from the application (redirect back to page 101) and try to log in with the same credentials, it gives the error message "Invalid Login Credentials". Also, when the application is accessed from public (open page 101 directly using another computer), the authentication doesn't work at all.
    Furthermore, I checked the table apex_workspace_access_log and found out that it has "AUTH_SUCCESS" even if using the fake credentials and the login failed (I use "apex_util.set_authentication_result (p_code => 3);" when auth function return false).
    I couldn't find the cause of the problem, then I created the same custom authentication in apex.oracle.com. The problem doesn't appear anymore. To make sure they are same, I have double checked the custom authentication in both the development environment and the apex.oracle.com.
    This is very strange to me and I don't know where to look for the problem. Could you give me some advice on what may cause this problem? Thanks in advance!

    I found the problem myself. The cause is the VPD, the account table has VPD policy applied, which prevented public access.

  • Custom Authentication Scheme - How To

    For anyone who is interested in implementing your own Authentication Scheme, I have published an article on my blog. It covers the basic steps needed and can be extended in any number of ways to suit your additional needs.
    http://djmein.blogspot.com/2007/07/custom-authentication-authorisation.html
    Duncan

    Hi Duncan,
    Thanks for your article.
    Regards,
    Gonçalo

  • Custom Authentication Scheme - call SSO or Local Process based on User Name

    Hi,
    We are looking at building a new application that allows employee and public user access.
    For staff we want to use Single Sign On as we have for all our other ApEx applications.
    For public users (who will register to create an account) we want to use our own Custom Authentication Function.
    What I would like to do is to have an Authentication Function along the lines of:
    If username like '%@%'
    then call Custom Function
    else call SSO Function.
    How do I call the SSO Authentication Function programmatically?
    Thanks,
    Martin

    Probably I don't explain myself clearly....sorry for that!
    Anyway you are right, the role of the user can change after the user is initially provisioned.
    I'll try to summarize to be sure I have understood your answer and to explain my scenario in more detail:
    1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
    2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would like is: based on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care about deprovisioning the first userid.
    Is it possible with pre-populate adapter?
    Sorry again for my not very clear explanations.
    Daniele
    Edited by: 886636 on Jan 24, 2012 4:10 AM

  • Custom authentication - different user - no edit links

    Hi
    In my apex 3 application I use a custom authentication scheme, in which I validate users against our backoffice tables. However, I don’t have in those tables the database user that I use to develop apex applications.
    When I run my application for the first time in the session (from the application builder tool) I am redirected to the login page and need to login. As I have to login using a different user, I don’t see at the bottom of the pages the edit links and I need to go back a number of times to get back to the app builder page.
    What is the best practice in this case? Is it possible to tell apex not to use the login page if the app is being run from the app builder tool? (or something like that)
    Thanks
    Luis

    Hi Scott
    Thanks for the reply. I understand why this happens, but I was wondering if there was a way to circumvent this limitation, as I can't login as the database user I am using to build the application (because I don't have that user in my custom authentication scheme).
    Of course I could add that user, but as it is maintained by another department (it is a live system and I would have to justify well why I need a new user just for development purposes), I was looking for another quicker, simpler solution.
    Thanks
    Luis

  • Create Authentication Scheme From Scratch

    Hi there,
    I have built an application for users, but the problem I ran into is that when I try to create a new authentication scheme,
    it doesn't let me create one from scratch.
    The only two options available are:
    - Based on a pre-configured scheme from the gallery
    - As a copy of an existing authentication scheme
    Can someone maybe explain to me why I don't have the option to create a scheme from scratch, and what I will need to do to get the option.
    Yours Sincerely,
    Sebastian!

    The scenario is as follows,
    I'm working on a project for my finals, and they asked us to make an authentication login for users.
    I can make groups and users in Apex. I've put some users in a group called: 'Developers'. I want users that are in 'Developers' to be blocked
    from certain pages in the application (they may not access all the pages, only certain pages).
    So I have read the book Pro Oracle Application Express 4 AUTHENTICATION AND USER MANAGEMENT
    and the book says you need to start with an authentication for users.
    I tried it with several tutorials and still it doesn't work. I'm not that good at programming, I do understand what they are saying but finding everything in apex.oracle is just such a work.
    I did the following.
    Creating the my_users
    apexdemo@10gR2> create table my_users(
    username varchar2(8),
    password varchar2(8)
    );
    insert into user_repository values
    ('john', '1234');
    This was to create a table and add a user into it.
    Next i created a custom Authentication Scheme and added the following code
    create or replace package pkg_auth as
    function authenticate(p_username in varchar2,
    p_password in varchar2) return boolean;
    end;
    create or replace package body pkg_auth as
    function authenticate(p_username in varchar2,
    p_password in varchar2) return boolean is
    -- default the result to 0
    v_result integer := 0;
    begin
    -- store 1 in v_result if a matching row
    -- can be found
    select 1
    into v_result
    from user_repository
    where username = lower(p_username)
    and password = p_password;
    -- return true if a matching record was found
    return(v_result = 1);
    exception
    -- if no record was found then return false
    when no_data_found then
    return false;
    end authenticate;
    end;
    I tried the code with
    declare
    bres boolean := false;
    begin
    -- use the correct username and password
    bres := pkg_auth.authenticate('john', '1234');
    if (bres = true) then
    dbms_output.put_line('Authentication was successful');
    else
    dbms_output.put_line('Authentication failed');
    end if;
    end;
    and it returned : Authentication was successful
    But when I try to log in with the user himself it says login credentials invalid
    I don't know what I'm doing wrong or what I'm forgetting here to make it work.
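
Several posts above check passwords that are stored in plain text (`user_auth`, `user_repository`) or as an unsalted MD5 of the upper-cased password (`get_hash`). As an added example, not code from any poster or from Oracle, the package below stores a per-user random salt with a PBKDF2-HMAC-SHA256 hash and exposes an `authenticate` function with the same `(p_username, p_password) return boolean` signature the threads use. The table `demo_users`, the package name `demo_auth_pkg` and the iteration count are assumptions; it needs EXECUTE on DBMS_CRYPTO and Oracle Database 12c or later for `HMAC_SH256`.

```sql
-- Added example; demo_users, demo_auth_pkg and c_iterations are assumptions.
CREATE TABLE demo_users (
  username   VARCHAR2(128) PRIMARY KEY,  -- stored upper-cased
  salt       RAW(16) NOT NULL,           -- random, per user
  iterations NUMBER  NOT NULL,           -- work factor used for this row
  pw_hash    RAW(32) NOT NULL            -- PBKDF2-HMAC-SHA256 output
);

CREATE OR REPLACE PACKAGE demo_auth_pkg AS
  PROCEDURE set_password (p_username IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION authenticate (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END demo_auth_pkg;
/
CREATE OR REPLACE PACKAGE BODY demo_auth_pkg AS
  c_iterations CONSTANT PLS_INTEGER := 100000;  -- assumed value; tune to your hardware

  -- PBKDF2 (RFC 8018) with HMAC-SHA256, one 32-byte block. The password keeps its case.
  FUNCTION derive (p_password IN VARCHAR2, p_salt IN RAW, p_iterations IN PLS_INTEGER)
    RETURN RAW IS
    l_key RAW(32767) := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
    l_u   RAW(32);
    l_t   RAW(32);
  BEGIN
    -- U_1 = HMAC(password, salt || INT(1)); T = U_1 xor U_2 xor ... xor U_c
    l_u := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(p_salt, HEXTORAW('00000001')),
                           DBMS_CRYPTO.HMAC_SH256, l_key);
    l_t := l_u;
    FOR i IN 2 .. p_iterations LOOP
      l_u := DBMS_CRYPTO.MAC(l_u, DBMS_CRYPTO.HMAC_SH256, l_key);
      l_t := UTL_RAW.BIT_XOR(l_t, l_u);
    END LOOP;
    RETURN l_t;
  END derive;

  PROCEDURE set_password (p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16);
    l_hash RAW(32);
    l_iter PLS_INTEGER := c_iterations;
  BEGIN
    IF p_username IS NULL OR p_password IS NULL THEN
      raise_application_error(-20001, 'Username and password are required.');
    END IF;
    l_salt := DBMS_CRYPTO.RANDOMBYTES(16);
    l_hash := derive(p_password, l_salt, l_iter);
    UPDATE demo_users SET salt = l_salt, iterations = l_iter, pw_hash = l_hash
     WHERE username = UPPER(p_username);
    IF SQL%ROWCOUNT = 0 THEN
      INSERT INTO demo_users (username, salt, iterations, pw_hash)
      VALUES (UPPER(p_username), l_salt, l_iter, l_hash);
    END IF;  -- no COMMIT: the caller owns the transaction
  END set_password;

  -- Same signature as the authentication functions posted in the threads.
  FUNCTION authenticate (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    l_salt  demo_users.salt%TYPE;
    l_iter  demo_users.iterations%TYPE;
    l_hash  demo_users.pw_hash%TYPE;
    l_try   RAW(32);
    l_found BOOLEAN := TRUE;
  BEGIN
    IF p_username IS NULL OR p_password IS NULL THEN
      RETURN FALSE;
    END IF;
    BEGIN
      SELECT salt, iterations, pw_hash INTO l_salt, l_iter, l_hash
        FROM demo_users WHERE username = UPPER(p_username);
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        -- unknown user: still derive against a dummy salt so response time
        -- differs less between known and unknown usernames
        l_found := FALSE;
        l_salt  := HEXTORAW('00000000000000000000000000000000');
        l_iter  := c_iterations;
    END;
    l_try := derive(p_password, l_salt, l_iter);
    -- l_hash is NULL for an unknown user; FALSE AND NULL evaluates to FALSE
    RETURN l_found AND l_try = l_hash;
  END authenticate;
END demo_auth_pkg;
/
```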

  • Problems with custom authentication when migrating from 3.2 to 4.1.1

    Hi,
    we’re about to upgrade our APEX instances to 4.1.1 and to migrate our applications. I encountered some problems with our custom authentication schema.
    1.     Recognize already authenticated sessions: in 3.2 the sentry function could return false as long as the user was not authenticated. Public pages could still be displayed (including the login page). The result of the function apex_custom_auth.is_session_valid returned false until once the sentry function returned true. How can I recognize non authenticated sessions in 4.1.1? I looked for the test the Condition “User is the public user (user has not authenticated)” computes on a page but didn’t find the right one. It’s not what docu states here (comparison with the public user): http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/condition001.htm#HTMDB25943. I replaced the test with p_authentication.username = ‘nobody’. It works. But that doesn’t seem to me to be the right way …
    2.     Post_logout lacks session context: the Post Logout Procedure does not receive a session_id and username. Neither the V(‘APP_SESSION’) nor p_authentication.session_id are set. This applies to both plugin authentication schemes and non-plugin custom authentication schemes. Is there another way to obtain the logged-out sessions infos or is this a bug?
    See apex.oracle.com for a demo, workspace WS_MW, gast/gast. Can someone please guide me the way?
    Michael

    Hello again,
    there are no replies until now .... I reviewed some posts regarding custom authentication again and did not find any solution for the issues. Found some that worked with APEX 3.2.1 but not with 4.1.1. I can only work around
    1.) in an insecure way, because the non documented (?) user "nobody" can change and all new sessions will be considered authenticated
    2.) in a way, that ends up in implementing the logout from the non apex environment outside the authentication schema or authentication plugin.
    Maybe I should contact support for at least the second issue because this doesn't work as documented or am I doing something wrong?
    Michael

  • Custom Authentication in Apex 4.2

    Hi,
    I am trying to create a custom authentication scheme in apex 4.2. I have a database table which has username and password in it. I am using a function which returns Boolean after checking the username and password. I have checked it from toad and it works fine. But, when I am calling it from custom authentication it doesn't work.
    How can I configure this custom auth into my application?
    Thanks,

    Hello,
    Can you please provide more details. What is not working?
    Have you created a new authentication scheme? Before this, did your application have any authentication scheme?
    Best case - create a sample application in apex.oracle.com and post credentials so we can have a look
    Useful blog entries: Custom Authentication in APEX and How to setup Custom Authentication in Oracle APEX
    Regards,
    Hari
    Edited by: Hari_639 on Apr 27, 2013 7:56 PM

  • Authentication Fault: Invalid User Session Token

    Hi,
    I am trying to protect a call to third party webservices using OWSM and OAM. I followed the steps mentioned in Oracle Web Services Manager Deployment Guide to integrate OAM in OWSM, but am not able to make any breakthrough. I am getting the following error if I test my web service using OWSM's inbuilt test tool:
    <SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
    <faultcode
    xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.AuthorizationFault</faultcode>
    <faultstring>Authentication Fault: Invalid User Session Token</faultstring>
    null</SOAP-ENV:Fault>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    In gateway.log file, I get following oneliner message:
    security.SimpleXMLCredsExtractor - SimpleXMLCredsExtractor failed to Extract creds.
    I am using standalone OWSM installation.
    Installed OAM SDK on the same machine of OWSM.
    Added OAM SDK libraries into OWSM's path.
    Please advise as I have already wasted 3-4 weeks into it.
    .. Paresh
    Edited by: user10301925 on Sep 29, 2009 2:24 AM

    Hi,
    Yes, I have registered the service in OWSM and calling that service through OWSM testing tool only...
    Following is the request message:
    <?xml version="1.0" encoding="UTF-8" ?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soap:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Username>owsmuser</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome11</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </soap:Header>
    <soap:Body xmlns:ns1="http://service/">
    <ns1:getDateTime />
    </soap:Body>
    </soap:Envelope>
    Please advise.
    .. Paresh

  • Define HTTP Session Attribute in a Custom Authenticator

    Hello everyone, I successfully developed a Custom Authenticator for WLS10 that interacts with a web service.
    But now I need to provide an object to the web applications with some user information.
    I was thinking of defining the object in the HTTP Session but I don't know how to do it via the LoginModule of the custom authenticator.
    Can anyone provide me some tips?
    thanks in advance.

    What kind of user information do you need to pass on to the webapplication ? username can be retrieved by request.getRemoteUser() (after successful login).
    Maybe you need to clarify a little bit more what you want to achieve.
    -Utpal
