Disadvantages of DAD Authentication

Dear Apex users,
Apex is a very nice tool to use, but sometimes it's hard to use features in the database. Almost all the authentication methods log on to the database with a single schema, except the DAD Authentication Scheme.
This way it's hard to implement security in the database. CDM Ruleframe, for example, uses USER to fill journaling columns. With Apex this will result in APEX_PUBLIC_USER being the only user to modify the database. When you want to implement this right, it's necessary to change the code generated by CDM Ruleframe. But also the role-based security is based on the user (=schema) that is logged on. You can use VPD, but this is much more complicated.
So I was very happy to find out that it is possible to log in as a real database user, being recognized by the database, using the Database Authentication (via DAD without username or password). When I perform htp.p(USER) in Apex it shows the real database user!
Yet the manual warns to use this method only temporarily; I can't figure out why.
Are there (security?) reasons not to use this method?
Greets, Dik

Dik,
You can always use the expression nvl(v('APP_USER'), user) to identify the authenticated user for journaling and the like.
If you use basic authentication (no username/password in DAD) the session user will be the authenticated user, as you point out. However, you still can't use roles other than to interrogate the roles the current user has been granted and to make decisions based on that.
The User's Guide describes the main disadvantage of this method:
"The main drawback of this approach is burdensome account maintenance, especially if
users do not administer their own passwords, or if their database accounts exist only
to facilitate authentication to your application."
Scott
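Scott's nvl(v('APP_USER'), user) expression in a journaling trigger, as an added example that is not part of the original thread and not CDM Ruleframe code. The table and trigger names are constructed for illustration.

```sql
-- Constructed example: journaling columns filled from the APEX user when a page
-- request is running, falling back to the database session user otherwise.
create table orders (
  id          number primary key,
  amount      number,
  created_by  varchar2(255),
  created_on  date,
  updated_by  varchar2(255),
  updated_on  date
);

create or replace function app_actor return varchar2
is
begin
  -- v('APP_USER') is null when no APEX session is active (SQL*Plus, batch jobs),
  -- so USER, the database session user, takes over. Under DAD basic
  -- authentication both expressions name the same real account; under a fixed
  -- PlsqlDatabaseUsername both name the pooled DAD account (APEX_PUBLIC_USER).
  return nvl(v('APP_USER'), user);
end app_actor;
/

create or replace trigger orders_journal
  before insert or update on orders
  for each row
begin
  if inserting then
    :new.created_by := app_actor;
    :new.created_on := sysdate;
  end if;
  :new.updated_by := app_actor;
  :new.updated_on := sysdate;
end orders_journal;
/
```

Because the trigger calls one function, the rule for "who is the actor" lives in a single place; if a generated framework such as CDM Ruleframe hard-codes USER, only that one expression needs to change.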

Similar Messages

  • Logged Out session can be accessed again After logout (DAD authentication)

    Hello,
    Please find the details of my problem below:
    SCENARIO:
    Current Authentication: No Authentication (USING DAD)
    Authorization: MYAUTH
    Frequency: Once Per Session
    declare
      lv_retval boolean;
      lv_srec   pkg_myutil.r_sessionrectype;
    begin
      begin
        -- This is NOT the Apex session. I am checking the entry in a table to make sure the user is logged in
        -- and the link is not opened directly. In short, making sure the user opened the Apex link from the
        -- Oracle Forms application.
        lv_srec := pkg_myutil.get_session_info(:P1_SID);
        if lv_srec.valid_session then
          lv_retval := TRUE;
        else
          lv_retval := FALSE;
        end if;
      exception
        when others then
          lv_retval := FALSE;
      end;
      return lv_retval;
    end;
    The Application Security property Authorization is set to: MYAUTH
    Logout Navigation Bar Entries-URL TARGET: http://myapp.mycompany.com/pls/apex/apex_custom_auth.logout?p_this_app=105&p_next_url=http://mycompany.com
    (I cannot put this in the Authentication Logout URL, because using -DATABASE- as the sentry function (DAD authentication) gives me the error: No functional attributes may be set when page sentry function is '-DATABASE-'.)
    So I directly modified the navigation bar entry.
    Now I open the apex link from my forms application, and it works fine. For example:
    http://myapp.mycompany.com/pls/QRYONLYDAD/f?p=105:1:2524984933940261::NO::P1_SID:0137099300:
    The authorization function takes the P1_SID value and checks in the database, finds the entry, so returns TRUE to display page 1, which I call the Menu page.
    If I click logout, it works and takes me to the Mycompany home page.
    My question:
    If I save that link and try to access it again AFTER LOGOUT, it still displays the page. Although the session is logged out, how come it still allows access to the page? The authorization function also doesn't fire, which would have prevented it at least. How does APEX know it is still a valid session even after logout happens?
    I can see that since there is DAD authentication, the login happens automatically... but I cannot change that method. What other option do I have?
    Please help.
    Jay

    1.) Code for the function:
    Basically we are using a private DBMS_PIPE to pass a randomly generated string and read that pipe from Apex using get_session_info. Nothing to do with Apex Session. We just want to make sure the user opened the Apex link from the application.
    function get_session_info (p_session_id varchar2) return pkg_myutil.r_sessionrectype is
      rv_sessionrec eft.pkg_myutil.r_sessionrectype;
      lv_status     NUMBER;
      lv_app_id     varchar2(20);
      lv_EMPID      VARCHAR2(20);
      lv_timeout    BINARY_INTEGER := 0; -- A timeout of 0 allows you to read without blocking. Otherwise the pipe will keep waiting and our purpose won't be solved.
      lv_rmstatus   number;
    begin
      begin
        -- Valid session theme: if the pipe does not exist, the URL was not requested from inside the Forms application.
        lv_status := DBMS_PIPE.RECEIVE_MESSAGE(p_session_id, lv_timeout);
        IF lv_status <> 0 THEN
          raise_application_error(-20003, 'Error while receiving. Status = ' || lv_status);
        END IF;
        DBMS_PIPE.UNPACK_MESSAGE(lv_app_id);
        DBMS_PIPE.UNPACK_MESSAGE(lv_EMPID);
        if lv_EMPID is null then
          raise_application_error(-20004, 'User EMPID is null in the session info.');
        end if;
        -- construct return record
        rv_sessionrec.session_id    := p_session_id;
        rv_sessionrec.valid_session := TRUE;
        -- remove pipe
        lv_rmstatus := DBMS_PIPE.REMOVE_PIPE(p_session_id);
        if lv_rmstatus <> 0 then
          null; -- think what to do
        end if;
      exception
        when others then
          rv_sessionrec.session_id    := p_session_id;
          rv_sessionrec.valid_session := FALSE;
      end;
      return rv_sessionrec;
    end get_session_info;
    2.) I guess you are right. But doesn't Apex use the userid and password hardcoded in the DAD? Because it displays the username in the DAD on the page footer. But it will authenticate every time. So I want to put another layer so that my pipe verification code executes every time and can decide whether to show the page or redirect to an error page.
    If I put an On-Load Before Header Process on Page 1 with the PL/SQL code, is there a way there to redirect to a different page? I couldn't think of a way to do it. Then I can remove the code from the authorization scheme and add it to the On-Load process?
    Does this help any?
    Thanks for your prompt response.
    Thanks,
    Jay
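Both halves of the Forms-to-APEX handoff Jay describes, as an added example that is not Jay's code. It assumes the Forms side and the APEX side connect as the same database account (private pipes can only be read by sessions of the user that created them; otherwise a public pipe is needed), an application item named F_HANDOFF_EMPID, and an authorization scheme whose evaluation point is "Once per page view" rather than "Once per session", which is the setting that lets a bookmarked URL keep working after logout.

```sql
-- Constructed example. Calling side (Oracle Forms): mint an unguessable one-time
-- token, park one message on a private pipe named after it, and return the token
-- for the URL (...:P1_SID:<token>).
create or replace function open_apex_handoff (p_app_id in varchar2,
                                              p_empid  in varchar2)
  return varchar2
is
  l_token  varchar2(32) := rawtohex(sys_guid());
  l_status integer;
begin
  l_status := dbms_pipe.create_pipe(pipename => l_token, private => true);
  dbms_pipe.pack_message(p_app_id);
  dbms_pipe.pack_message(p_empid);
  l_status := dbms_pipe.send_message(pipename => l_token, timeout => 0);
  if l_status <> 0 then
    raise_application_error(-20010, 'send_message failed, status ' || l_status);
  end if;
  return l_token;
end open_apex_handoff;
/

-- APEX side: body of an authorization scheme of type "PL/SQL Function Returning
-- Boolean", evaluated once per page view:  return apex_handoff_ok(:P1_SID);
create or replace function apex_handoff_ok (p_token in varchar2)
  return boolean
is
  l_status integer;
  l_app_id varchar2(20);
  l_empid  varchar2(20);
begin
  -- Later page views in the same APEX session: the pipe is already consumed, the
  -- identity recorded in session state vouches for the session instead.
  if apex_util.get_session_state('F_HANDOFF_EMPID') is not null then
    return true;
  end if;
  -- Accept only tokens shaped like the ones we mint: receive_message on an
  -- arbitrary name would silently create a public pipe of that name.
  if p_token is null or not regexp_like(p_token, '^[0-9A-F]{32}$') then
    return false;
  end if;
  -- timeout 0: return at once with status 1 when there is nothing to read
  l_status := dbms_pipe.receive_message(pipename => p_token, timeout => 0);
  if l_status <> 0 then
    return false;
  end if;
  dbms_pipe.unpack_message(l_app_id);
  dbms_pipe.unpack_message(l_empid);
  l_status := dbms_pipe.remove_pipe(p_token);   -- single use, whatever happens next
  if l_empid is null then
    return false;
  end if;
  apex_util.set_session_state('F_HANDOFF_EMPID', l_empid);
  return true;
exception
  when others then
    return false;
end apex_handoff_ok;
/
```

With the scheme evaluated on every page view, a request that carries neither a fresh token nor a session already marked by F_HANDOFF_EMPID is refused; after apex_custom_auth.logout the session state is gone and the pipe was removed on first use, so the saved link fails the check instead of rendering.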

  • Issue with DAD authentication and Interactive Reports

    Apex version 3.1.1.00.09
    I have an application which is using DAD authentication. Since changing the authentication model I have noticed that I lose some of the Interactive Report functionality, specifically the ability to save reports.
    Post authentication I can get the user info by calling owa_util.get_cgi_env('REMOTE_USER').
    However, when I reference V('APP_USER') it returns APEX_PUBLIC_USER. Is this the reason for the loss of interactive report functionality? If so, is there a workaround?
    Thanks in advance

    When the authentication model is set to Application Express:
    The user test_sso (which has end user rights only) has the ability to Save Report within an Interactive Report.
    When the authentication model is set to DAD:
    A user who can authenticate against the DAD does not see the option to Save Report in the Interactive Report actions menu.
    As a developer, when viewing the Interactive Report I have the option to Save Report.
    Is this correct behaviour? I want the end user to log on to the application seamlessly and still have the ability to save a report.
    Thanks
    Paul

  • Session Timeout and DAD Authentication

    My application uses the authentication scheme 'No authentication (using DAD)'. The users log in from an external program and the user IDs are captured in the variable remote_user. My authorization scheme checks that the user ID exists in a database table. All this seems to work fine.
    However, I need to implement a session timeout on the application. I've followed the steps described in the "Automatic Session Timeouts" utility in the Application Express Studio but when I tried to modify the authentication scheme by adding:
    return auth_pkg.check_timeout;
    to the Session Verify Function I got the following errors:
    No functional attributes may be set when page sentry function is '-DATABASE-'.
    and
    Session verification function may not be specified if page sentry function is specified.
    I'm new to Apex and I don't know where to go from here. Any advice please?
    Thanks
    Maria

    Maria,
    The usual way to do the authentication part is to use a custom page sentry function. Many examples have been posted on the forum based on the ntlm page sentry code. Search for those keywords here (ntlm page sentry) and you should find it easily. Then you can modify it by adding the session timeout logic in that function.
    Scott

  • Identification of OS user with DAD authentication scheme

    I have the following situation:
    Authentication scheme: no authentication (I'm using dads.conf which has PlsqlDatabaseUsername APEX_PUBLIC_USER)
    APEX/database is on a Unix server
    Apex application is run from Windows desktop browsers.
    I want to capture the desktop's OS user in the CREATED BY column of the tables when I create a record. With the current settings (using APP_USER), the CREATED BY column is populated with "APEX_PUBLIC_USER" because the APP_USER value is populated by whatever is in dads.conf.
    Is there a way to populate the CREATED BY column with the OS user of the desktop using any built-in substitution strings or system variables?
    Using OS_USER is not an option because it carries the UNIX server's OS user (which is "oracle").
    Thanks for any insight!
    Shiv.

    If I use Database Account Authentication, then there would not be any issue, because APP_USER or USER will also work.
    We don't want users to log in again to the APEX application since they have already logged onto their desktop using their network/Windows login. We want to carry their network/Windows username and populate CREATED_BY.
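A custom page sentry function of the kind Scott points Maria to, written here as an added example that is not the forum's ntlm page sentry code and not part of any of these posts. It addresses the three problems above in one place: Paul's APP_USER = APEX_PUBLIC_USER (a real APEX session is registered for the authenticated person), Maria's idle timeout (tracked in session state), and Shiv's desktop identity (REMOTE_USER is whatever the web server in front of mod_plsql authenticated, for example Integrated Windows Authentication). Assumed: a custom authentication scheme that names this function as its page sentry, an application item F_LAST_SEEN, a 30-minute limit, and the APEX_CUSTOM_AUTH signatures of the installed release, which should be checked against its documentation.

```sql
-- Constructed example of a page sentry function. Returns TRUE when the request
-- may proceed. Identity comes from the web server (REMOTE_USER), never from a
-- URL parameter the browser could set itself.
create or replace function remote_user_page_sentry return boolean
is
  c_idle_limit_min constant number       := 30;
  c_fmt            constant varchar2(20) := 'YYYYMMDDHH24MISS';
  l_user      varchar2(255);
  l_last_seen varchar2(20);
begin
  -- 1. The browser already holds a valid APEX session (cookie and session id agree).
  if apex_custom_auth.is_session_valid then
    apex_application.g_instance := apex_custom_auth.get_session_id_from_cookie;
    l_last_seen := apex_util.get_session_state('F_LAST_SEEN');
    if l_last_seen is not null
       and to_date(l_last_seen, c_fmt) < sysdate - c_idle_limit_min / 1440 then
      return false;   -- idle too long: APEX treats the session as invalid
    end if;
    apex_util.set_session_state('F_LAST_SEEN', to_char(sysdate, c_fmt));
    return true;
  end if;

  -- 2. No session yet: take the identity the web server authenticated.
  l_user := upper(owa_util.get_cgi_env('REMOTE_USER'));
  l_user := substr(l_user, instr(l_user, '\') + 1);   -- strip a DOMAIN\ prefix
  if l_user is null then
    return false;     -- the web server did not authenticate anyone
  end if;

  -- 3. Register an APEX session for that user (APP_USER becomes the person)
  --    and continue with the page that was requested.
  apex_custom_auth.post_login(
    p_uname      => l_user,
    p_session_id => apex_custom_auth.get_next_session_id,
    p_app_page   => apex_application.g_flow_id || ':' ||
                    nvl(apex_application.g_flow_step_id, 1));
  return true;
end remote_user_page_sentry;
/
```

Because APP_USER is now the authenticated person, features keyed on it (saved Interactive Reports, CREATED_BY via v('APP_USER')) behave as they do under the Application Express scheme, while the user still never sees a login page.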

  • Url and DAD authentication

    apex v2.2
    Scenario is
    Apex users are authenticated using database authentication.
    Once authenticated, the users may press a column link to a
    non-APEX DAD stored procedure call, which then asks for authentication.
    A sample call is below; it executes a report request and passes back a PDF to the browser:
    http://host:port/<dad>/<package.procedure>?param1=1
    Within the apex security model, can I somehow bypass the user/pw challenge, as the user signed in has permission to execute the call and a public user shouldn't have access?
    This is the APEX DAD:
    <Location /pls/apex>
    SetHandler pls_handler
    Order deny,allow
    Allow from all
    AllowOverride None
    PlsqlDatabaseUsername APEX_PUBLIC_USER
    PlsqlDatabasePassword xxxxxxxx
    PlsqlDatabaseConnectString train:1521:training SIDformat
    PlsqlDefaultPage apex
    PlsqlDocumentTablename wwv_flow_file_objects$
    PlsqlDocumentPath docs
    PlsqlDocumentProcedure wwv_flow_file_mgr.process_download
    PlsqlAuthenticationMode Basic
    PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
    </Location>
    Any ideas ?
    Thanks
    Pete

    Still no joy!
    Currently there's a region with some items and a button.
    When submitting the button GO, page process GO executes:
    htp.init;
    apex_application.g_page_text_generated := true;
    owa_util.mime_header ('application/x-sql',false);
    htp.p('Content-Disposition: attachment; filename=xxxxxxxxxxxx');
    owa_util.mime_header('application/pdf', false);
    owa_util.http_header_close;
    htp.p('Content-Disposition: attachment; filename=test.pdf');
    <package>.download_doc(517); -- see below
    "Some processing takes place", but the document is not being displayed.
    I've tried the different mime_header and Content-Disposition settings.
    Do I need to redirect the content sent from the server somewhere else?
    Calling the procedure via mod_plsql works.
    Thanks for your reply.
    Pete
    ===
    procedure download_doc(p_file_id    upload_reports.ur_id%type
                          ,p_mime_type varchar2 default 'application/pdf')
    as
      l_lob  upload_reports.report_blob%type;
      l_mime varchar2(30);
    begin
      select f.report_blob
        into l_lob
        from upload_reports f
       where f.ur_id = p_file_id;
      owa_util.mime_header('application/pdf', false);
      owa_util.http_header_close;
      wpg_docload.download_file(l_lob);
    end;
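Serving the PDF from inside the APEX session instead of through a second DAD, as an added example that is not Pete's code. It assumes an extra column upload_reports.owner_user, a page item P10_UR_ID, and the APEX 2.2/3.x way of stopping page rendering after a download (apex_application.g_unrecoverable_error).

```sql
-- Constructed example: a download procedure called from an APEX page process.
-- The permission check runs here, against the signed-in APP_USER, so the
-- procedure never needs to be reachable through a DAD of its own and the
-- browser never gets a basic-auth challenge. Headers are written exactly once.
create or replace procedure download_report (p_ur_id in number)
is
  l_lob   blob;
  l_fname varchar2(100);
begin
  -- only the owner of the report (or whatever rule fits the application) gets it;
  -- an id that is not theirs raises no_data_found, which is reported neutrally
  select f.report_blob
    into l_lob
    from upload_reports f
   where f.ur_id      = p_ur_id
     and f.owner_user = v('APP_USER');

  -- a fixed, server-built filename: never echo user-controlled text into a header
  l_fname := 'report_' || to_char(p_ur_id) || '.pdf';

  htp.init;                                         -- drop anything buffered so far
  owa_util.mime_header('application/pdf', false);   -- false: header block stays open
  htp.p('Content-Length: ' || dbms_lob.getlength(l_lob));
  htp.p('Content-Disposition: attachment; filename="' || l_fname || '"');
  owa_util.http_header_close;                       -- close it once, after all headers

  wpg_docload.download_file(l_lob);
  -- APEX 2.2/3.x: the response body is the file, do not render the page after it
  apex_application.g_unrecoverable_error := true;
exception
  when no_data_found then
    raise_application_error(-20001, 'Report not available');
end download_report;
/

-- Page process "GO" (On Submit), PL/SQL anonymous block:
--   download_report(:P10_UR_ID);
```

The posted process sets two different Content-Types and closes the header block twice (once in the process, once inside download_doc); this version keeps all header writes in one place and closes the block after the last of them.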

  • DAD Authentication

    I'd like to change my application to verify against database usernames (schemas) and passwords.
    And I recognize that to do this I'd change it to "No Authentication (using DAD)".
    Assuming I do this, what access rights need to be granted to the users who are going to login via the DAD?
    Also, how do I use this method to restrict what people can do based on a role approach?

    webbsm - What is your first name, please?
    See Help setting HTML DB application authentication
    No access rights need to be granted to users.
    You can create authorization schemes that query the database views that relate roles to users but no roles are actually enabled when your application code runs.
    Scott
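Scott's point in both of his answers above (the first thread and this one) is that under DAD/basic authentication no roles are enabled, but the roles granted to the session user can still be read and used in an authorization scheme. This added example, not Scott's code, does that from the data dictionary, following role-to-role grants as well; the role name APP_ADMIN is an assumption.

```sql
-- Constructed example: "does the session user hold role X, directly or through
-- another role?" answered without SESSION_ROLES, which is empty when no roles
-- are enabled for the connection.
create or replace function user_has_role (p_role in varchar2) return boolean
is
  l_count pls_integer;
begin
  select count(*)
    into l_count
    from (
      -- roles granted straight to the session user ...
      select urp.granted_role as role_name
        from user_role_privs urp
      union all
      -- ... plus roles reachable from those through role-to-role grants
      -- (ROLE_ROLE_PRIVS only lists grants among roles the user can reach)
      select rrp.granted_role
        from role_role_privs rrp
       start with rrp.role in (select granted_role from user_role_privs)
     connect by nocycle prior rrp.granted_role = rrp.role
    )
   where role_name = upper(p_role);
  return l_count > 0;
end user_has_role;
/

-- Authorization scheme, type "PL/SQL Function Returning Boolean":
--   return user_has_role('APP_ADMIN');
```

This only says something about the person when the session user is the person, i.e. under DAD basic authentication; with a fixed PlsqlDatabaseUsername the query describes the pooled account instead.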

  • Why don't I see the DAD I created

    Hi,
    I created a DAD as below on an Oracle 11gR2 SE on Windows 2008 box:
    BEGIN
      DBMS_EPG.create_dad (
        dad_name => 'xml_demo',
        path     => '\xml_demo\*');
    END;
    And when I do a http://localhost:8080 on the server itself, I see a page with,
    Index of /
    Name
    home/
    public/
    sys/
    Should I not see the xml_demo at this time?
    Appreciate your help.
    Thanks,
    Sujith

    I have created the DAD and here is the output. I still see the same 3 folders as I originally posted.
    | XDB protocol ports: |
    | XDB is listening for the protocol |
    | when the protocol port is non-zero. |
    HTTP Port FTP Port
    8080 7787
    1 row selected.
    | DAD virtual-path mappings |
    Virtual Path DAD Name
    /xml_demo/* xml_demo
    1 row selected.
    | DAD attributes |
    DAD Name DAD Param DAD Value
    xml_demo database-username WS_USER
    1 row selected.
    | DAD authorization: |
    | To use static authentication of a user in a DAD, |
    | the DAD must be authorized for the user. |
    DAD Name User Name
    xml_demo WS_USER
    1 row selected.
    | DAD authentication schemes |
    DAD Name User Name Auth Scheme
    xml_demo WS_USER Static
    1 row selected.
    | ANONYMOUS user status: |
    | To use static or anonymous authentication in any DAD, |
    | the ANONYMOUS account must be unlocked. |
    Database User Status
    ANONYMOUS EXPIRED
    1 row selected.
    | ANONYMOUS access to XDB repository: |
    | To allow public access to XDB repository without authentication, |
    | ANONYMOUS access to the repository must be allowed. |
    Allow repository anonymous access?
    false
    1 row selected.
    SQL>
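A DBMS_EPG setup and check script matching what the epgstat output above reports, as an added example that is not Sujith's script. It reuses the names xml_demo and WS_USER from the thread; the static-authentication attribute and the authorization step are the two things the epgstat sections "DAD attributes" and "DAD authorization" are looking for, and the ANONYMOUS status is the third.

```sql
-- Constructed example: create an embedded-gateway DAD with static authentication
-- and read back what the gateway knows about it.
begin
  -- virtual path with forward slashes, as epgstat later prints it (/xml_demo/*)
  dbms_epg.create_dad(dad_name => 'xml_demo', path => '/xml_demo/*');
  -- every request through this DAD runs as WS_USER ...
  dbms_epg.set_dad_attribute(dad_name   => 'xml_demo',
                             attr_name  => 'database-username',
                             attr_value => 'WS_USER');
  -- ... and that account must consent, or requests are refused
  dbms_epg.authorize_dad(dad_name => 'xml_demo', user => 'WS_USER');
end;
/

-- The gateway connects as ANONYMOUS before a DAD is chosen; an EXPIRED or LOCKED
-- account here (as in the epgstat output above) breaks every DAD on the port.
alter user anonymous account unlock;

-- Read back port, mappings and the static user of each DAD.
set serveroutput on
declare
  l_dads  dbms_epg.varchar2_table;
  l_paths dbms_epg.varchar2_table;
begin
  dbms_output.put_line('HTTP port: ' || dbms_xdb.gethttpport);   -- 0 = listener off
  dbms_epg.get_dad_list(l_dads);
  for i in 1 .. l_dads.count loop
    dbms_epg.get_all_dad_mappings(l_dads(i), l_paths);
    for j in 1 .. l_paths.count loop
      dbms_output.put_line(l_dads(i) || ' -> ' || l_paths(j) || ' runs as ' ||
        nvl(dbms_epg.get_dad_attribute(l_dads(i), 'database-username'), '<dynamic>'));
    end loop;
  end loop;
end;
/

select dad_name, username from dba_epg_dad_authorization;
select username, account_status from dba_users where username = 'ANONYMOUS';
```

The "Index of /" page at http://localhost:8080/ lists XDB repository folders, not DADs, so xml_demo is not expected to appear there; the DAD is reached by its virtual path, http://localhost:8080/xml_demo/<procedure>.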

  • WWW-Authenticate - authentication through browser's pop-up

    Is it possible to build authentication using the HTTP authentication mechanism
    ( http://www.freesoft.org/CIE/RFC/1945/66.htm )
    instead of using built-in login page?
    Can I read and/or write http headers using OAE?
    Thanks in advance,
    Arek

    Arek,
    Yes, search for "basic authentication" in the User's Guide.

    Yes, I have seen this DAD authentication paragraph in the User's Guide, but it doesn't resolve my problem (unfortunately). I don't have access to the http server settings, and even if I had it wouldn't make a difference for my problem, probably.
    I will try to be more specific with the description of my problem.
    I have an application which uses LDAP authentication. The standard login page is used to get user credentials. I created my own auth function, because I have to check if the user is a member of a special group. And everything works fine.
    But now I have a new requirement. Users want to log into the application using the standard browser's dialog box instead of the login page. Why? Because they have a plugin for IE which puts in the credentials automatically.
    I have to check the user's login and password in the same way as before, but now I would like to take the data through the WWW-Authenticate header (that is the reason I was asking about reading/writing headers).
    Is it possible to interact with the user in such a way?
    And if yes, do I have to configure that on the server side?
    Regards,
    Arek
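The mechanism behind the "basic authentication" section Scott refers to, as an added example that is not Arek's code: with the DAD set to PlsqlAuthenticationMode CustomOwa, mod_plsql calls OWA_CUSTOM.AUTHORIZE in the DAD user's schema before every request, answers 401 with a WWW-Authenticate header when it returns FALSE, and hands the Basic credentials the browser (or the IE plugin) sends to the function through OWA_SEC. This is a server-side setting, which is the part Arek says he cannot change. The LDAP host, base DN, group DN and DN layout are assumptions.

```sql
-- Constructed example: Basic-auth credentials verified against LDAP, including
-- the group-membership rule, from inside mod_plsql's custom-OWA hook.
create or replace package owa_custom as
  function authorize return boolean;
end owa_custom;
/
create or replace package body owa_custom as
  c_ldap_host constant varchar2(100) := 'ldap.example.com';                  -- assumption
  c_ldap_port constant pls_integer   := 389;
  c_base_dn   constant varchar2(200) := 'ou=people,dc=example,dc=com';        -- assumption
  c_group_dn  constant varchar2(200) := 'cn=apexusers,ou=groups,dc=example,dc=com';

  function ldap_ok (p_user in varchar2, p_pwd in varchar2) return boolean is
    l_ld    dbms_ldap.session;
    l_rc    pls_integer;
    l_res   dbms_ldap.message;
    l_attrs dbms_ldap.string_collection;
    l_count pls_integer := 0;
    l_dn    varchar2(300);
  begin
    -- An empty password would be an anonymous bind on many directories, and the
    -- user name goes into a DN and a filter, so only a safe character set passes.
    if p_user is null or p_pwd is null
       or not regexp_like(p_user, '^[A-Za-z0-9._-]+$') then
      return false;
    end if;
    l_dn := 'uid=' || p_user || ',' || c_base_dn;
    dbms_ldap.use_exception := true;
    l_ld := dbms_ldap.init(c_ldap_host, c_ldap_port);
    l_rc := dbms_ldap.simple_bind_s(l_ld, l_dn, p_pwd);   -- raises on bad credentials
    -- the user's DN must be listed as a member of the required group
    l_attrs(1) := 'cn';
    l_rc := dbms_ldap.search_s(l_ld, c_group_dn, dbms_ldap.scope_base,
                               '(member=' || l_dn || ')', l_attrs, 0, l_res);
    l_count := dbms_ldap.count_entries(l_ld, l_res);
    l_rc := dbms_ldap.unbind_s(l_ld);
    return l_count > 0;
  exception
    when others then
      begin l_rc := dbms_ldap.unbind_s(l_ld); exception when others then null; end;
      return false;
  end ldap_ok;

  function authorize return boolean is
  begin
    owa_sec.set_protection_realm('APEX');   -- realm shown in the browser dialog
    return ldap_ok(owa_sec.get_user_id, owa_sec.get_password);
  end authorize;
end owa_custom;
/
```

Credentials arrive base64-encoded in the Authorization header on every request, so this path is only reasonable over HTTPS; a bind failure and a failed group lookup both end in the same 401, which gives an attacker no way to tell valid user names from invalid ones.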

  • "Maximum Session Length in Seconds" Not Working In Apex 3.2

    Hello.
    I am using Apex 3.2 and have noticed that page sessions are timing out after just 10 minutes of inactivity. I am aware of the new security attributes "Maximum Session Length in Seconds" and "Maximum Session Idle Time in Seconds".
    I asked our Apex admin and he reported that these attributes are set to 8 hours on the instance level. Within my own Apex application, these two attributes are not set at all. According to the popup help window associated with these attributes, if they are not set, then there is no timeout at all that is enforced.
    So, does anyone know why my application's sessions are timing out after just 10 minutes of inactivity and users are forced to log in again?
    Thank you.
    Elie

    Scott,
    Thank you for your help on this.
    I've uploaded my Apex app called "Online Model", App ID 62063 in my workspace EEG on the Oracle hosted site apex.oracle.com.
    Workspace = EEG
    Username = [email protected]
    Password = galaxy (I'll change the password after you're done helping me)
    Originally, this app had "Database Authentication" set. I changed this to "DAD Authentication" so that you can simply run it without having to log in.
    If I open up the app in developer mode and simply leave it alone for, say, 30 minutes and then click on the "developer bar" to see the definition of one of the pages, Apex instead prompts me to log in to Apex again. I've not placed any values in any of the "Session Timeout" fields on any of the pages in this app.
    When the same app is run as a user (that is, no "developer bar" appears at the bottom of pages), again the page will time out after about 30 minutes of inactivity.
    And as mentioned in my original posting, our Apex Admin has the "Administrator Timeout Session" field set to 8 hours.
    The Apex 3.2 docs say that if no value is placed in these Timeout Session fields, then there is no timeout imposed.
    Thank you for your help. It's much appreciated.
    Elie

  • Express vs Standard Edition One

    Is there much difference between the Express Edition and Standard Edition One single CPU? I built a web application using mod_plsql. In load testing, the application works fine with this configuration:
    - 1 hyper-threaded CPU 3 MHz Xeon
    - 1 gig SGA
    - Total datafile size is 3G
    I was planning on turning off hyper-threading and buying a single CPU SE1 license; however, after looking into XE it may be possible to save $5000.
    In testing I am using 10gR1 EE with the Companion CD for Apache / mod_plsql functionality.
    Can XE do:
    - mod_plsql on port 443 (https)
    - UTL_HTTP.SET_WALLET for https request on port 443
    Is the Companion CD also free?

    Brian,
    I built a web application using mod_plsql. In load testing the application it works fine with this configuration:
    - mod_plsql on port 443 (https)
    See this thread for configuring the Apache for https in front of an XE installation: HTTPS with Oracle XE ?
    Porting a mod_plsql application to XE should definitely work in general.
    Here are the exceptions to the rule we have experienced / discussed in this forum so far:
    1) there might be a bug in the htp.init function (as of the beta release)
    htp.init throws exception
    If you don't clear the htp buffer between calls, you should be fine.
    2) Authentication by CustomOwa is not supported and you need a different way of authenticating your users: DBMS_EPG DAD authentication using CustomOwa
    Here is another helpful thread on configuring the DADs:
    Using DAD's without specifying a password
    Regards,
    ~Dietmar.

  • Allow DB user to change their password

    Greetings,
    DAD authenticated access to HTMLDB 2.0 on 10gR1 on hpux.
    I have built an "account" page where, among other things, the users can change their passwords. I have built the page over anonymous PL/SQL (below). When a DAD authenticated user runs the page via HTMLDB, they get
    ORA-01031: insufficient privileges
    error. Yet if I copy the PL/SQL as is into sqlplus and bind it... it works like a charm. Any ideas?
    The PL/SQL:
    DECLARE
    BEGIN
      if (:P17_NEW_PASSWORD_1 IS NOT NULL) AND (:P17_NEW_PASSWORD_2 IS NOT NULL) AND (:P17_OLD_PASSWORD IS NOT NULL) THEN
        if :P17_NEW_PASSWORD_1 != :P17_NEW_PASSWORD_2 then
          raise_application_error(-20300, 'New passwords do not match');
        end if;
        execute immediate 'alter user ' || user || ' identified by ' || :P17_NEW_PASSWORD_1 || ' replace ' || :p17_old_password;
        htp.p('Password Changed Successfully');
      end if; -- passwords not null
    exception
      when others then
        htp.p('Error changing password:' || sqlerrm);
        null;
    end;

    The application parsing schema (owner) needs ALTER USER privilege. It probably works in SQL*Plus because that schema has obtained the privilege through a role.
    Scott
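The same self-service password change moved into a stored procedure, as an added example that is not the poster's code. Following Scott's answer, the procedure is owned by a schema that holds ALTER USER as a direct grant (a grant received through a role is not visible inside stored PL/SQL, which is why the anonymous block works in SQL*Plus but not from the application). It also closes the hole in the posted block, where the page items are concatenated straight into DDL: the target is always the session user, never a parameter, and the passwords are checked before they reach the statement.

```sql
-- Constructed example. Owner schema needs: grant alter user to <owner>;
-- Callers need only: grant execute on change_my_password to <user or role>;
create or replace procedure change_my_password (p_old  in varchar2,
                                                p_new1 in varchar2,
                                                p_new2 in varchar2)
authid definer
is
  -- session user, not USER: the account that connected, whoever owns this code
  l_me varchar2(128) := sys_context('userenv', 'session_user');
begin
  if p_old is null or p_new1 is null or p_new2 is null then
    raise_application_error(-20301, 'Old and both new passwords are required');
  end if;
  if p_new1 <> p_new2 then
    raise_application_error(-20300, 'New passwords do not match');
  end if;
  -- Passwords are identifiers in ALTER USER. A double quote could close the
  -- quoted identifier and append clauses (ACCOUNT UNLOCK, GRANT ...), so refuse
  -- it, and keep the new password to a known character set and length.
  if instr(p_old, '"') > 0
     or not regexp_like(p_new1, '^[A-Za-z0-9_#$!%^&*()+=-]{8,30}$') then
    raise_application_error(-20302, 'Password contains characters that are not allowed');
  end if;
  execute immediate 'alter user ' || dbms_assert.enquote_name(l_me, false)
                 || ' identified by "' || p_new1 || '"'
                 || ' replace "'       || p_old  || '"';
end change_my_password;
/

-- Page process replacing the anonymous block:
--   change_my_password(:P17_OLD_PASSWORD, :P17_NEW_PASSWORD_1, :P17_NEW_PASSWORD_2);
```

The REPLACE clause makes the database verify the old password, so the procedure cannot be used to reset someone's password without knowing it, even though its owner has ALTER USER; and because l_me comes from the session context, a caller cannot point it at another account.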

  • Urgent: Question about password for user 'anonymous'

    Hi, Expert,
    My Apex ran well until I did 'alter user anonymous account unlock', 'alter user anonymous identified by oracle'.
    After I change the password, I got the '500 Internal Server Error' when I access http://host:port/apex
    How can I fix the problem? What should be the Password for 'anonymous'?
    Thanks in advance for any kind help!!
    Sharon.Ni
    Edited by: user536764 on Apr 30, 2011 9:07 AM

    The following is output of the epgstat
    SQL> @epgstat
    | XDB protocol ports: |
    | XDB is listening for the protocol |
    | when the protocol port is non-zero. |
    HTTP Port FTP Port
    8080 0
    1 row selected.
    | DAD virtual-path mappings |
    Virtual Path DAD Name
    /apex/* APEX
    1 row selected.
    | DAD attributes |
    DAD Name DAD Param DAD Value
    APEX database-username ANONYMOUS
    default-page apex
    document-table-name wwv_flow_file_objects$
    request-validation-funct wwv_flow_epg_include_modules.authorize
    ion
    document-procedure wwv_flow_file_mgr.process_download
    nls-language american_america.al32utf8
    document-path docs
    7 rows selected.
    | DAD authorization: |
    | To use static authentication of a user in a DAD, |
    | the DAD must be authorized for the user. |
    no rows selected
    | DAD authentication schemes |
    DAD Name User Name Auth Scheme
    APEX ANONYMOUS Anonymous
    1 row selected.
    | ANONYMOUS user status: |
    | To use static or anonymous authentication in any DAD, |
    | the ANONYMOUS account must be unlocked. |
    Database User Status
    ANONYMOUS OPEN
    1 row selected.
    | ANONYMOUS access to XDB repository: |
    | To allow public access to XDB repository without authentication, |
    | ANONYMOUS access to the repository must be allowed. |
    Allow repository anonymous access?
    false
    1 row selected.

  • What happened to my workspace security?

    I used to have to login to my workspace to edit my applications. Now, using any login, I see the edit bar at the bottom of the page. I'm using DADS authentication. This is just a sandbox, but I'm not sure what could possibly have happened. The only settings that seem relevant are application settings, but this is the entire workspace!

    Strange. I logged into INTERNAL to view workspaces and possible settings. Logged out. Closed and opened browser. It is not showing the edit bar at the bottom of the running app now.

  • Annoying XDB login screen

    XDB login screen appears all the time when running installed demo applications
    11g fresh install on redhat linux, installed demo applications, and every click presents an annoying XDB login screen (which needs to be cancelled to access the application screen).
    running rdbms/admin/epgstat.sql reveals that
    | ANONYMOUS access to XDB repository: |
    | To allow public access to XDB repository without authentication, |
    | ANONYMOUS access to the repository must be allowed. |
    Allow repository anonymous access?
    false
    The XDB login screen no longer appears that frequently after running the custom script listed by
    Pravednik in this link http://kr.forums.oracle.com/forums/thread.jspa?threadID=641846
    QUESTION 1) What is the recommended way to make the Allow repository anonymous access = true ?
    The problem still persists when the browser attempts to display APEX images from the database,
    for example:
    http://localhost:port/i/htmldb/builder/db_objects_ctrl.gif
    QUESTION 2) how to tell XDB not to authenticate such image access?

    SQL> @epgstat
    | XDB protocol ports: |
    | XDB is listening for the protocol |
    | when the protocol port is non-zero. |
    HTTP Port FTP Port
    8090 0
    1 row selected.
    | DAD virtual-path mappings |
    Virtual Path DAD Name
    /apex/* APEX
    1 row selected.
    | DAD attributes |
    DAD Name DAD Param DAD Value
    APEX database-username ANONYMOUS
    default-page apex
    document-table-name wwv_flow_file_objects$
    request-validation-funct wwv_flow_epg_include_modules.authorize
    ion
    document-procedure wwv_flow_file_mgr.process_download
    nls-language american_america.al32utf8
    document-path docs
    7 rows selected.
    | DAD authorization: |
    | To use static authentication of a user in a DAD, |
    | the DAD must be authorized for the user. |
    no rows selected
    | DAD authentication schemes |
    DAD Name User Name Auth Scheme
    APEX ANONYMOUS Anonymous
    1 row selected.
    | ANONYMOUS user status: |
    | To use static or anonymous authentication in any DAD, |
    | the ANONYMOUS account must be unlocked. |
    Database User Status
    ANONYMOUS OPEN
    1 row selected.
    | ANONYMOUS access to XDB repository: |
    | To allow public access to XDB repository without authentication, |
    | ANONYMOUS access to the repository must be allowed. |
    Allow repository anonymous access?
    true
    1 row selected.
    SQL>
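The setting the two epgstat runs above differ on (false in the first post, true after the linked script), as an added example that is not the script from the thread: a procedure that sets allow-repository-anonymous-access in the XDB configuration and a query that reads it back. The /i/ images the poster mentions are served from the XDB repository, which is why each of them triggers the XDB login prompt while anonymous access is off.

```sql
-- Constructed example: toggle anonymous access to the XDB repository.
-- Run as SYS or another user allowed to update the XDB configuration.
create or replace procedure set_xdb_anonymous_access (p_allow in boolean)
is
  c_ns    constant varchar2(100) := 'xmlns="http://xmlns.oracle.com/xdb/xdbconfig.xsd"';
  c_http  constant varchar2(100) := '/xdbconfig/sysconfig/protocolconfig/httpconfig';
  c_path  constant varchar2(200) := c_http || '/allow-repository-anonymous-access';
  l_cfg   xmltype;
  l_value varchar2(5) := case when p_allow then 'true' else 'false' end;
begin
  l_cfg := dbms_xdb.cfg_get();
  if l_cfg.existsnode(c_path, c_ns) = 0 then
    -- element absent on a fresh install: add it under httpconfig
    select insertchildxml(l_cfg, c_http, 'allow-repository-anonymous-access',
             xmltype('<allow-repository-anonymous-access ' || c_ns || '>'
                     || l_value || '</allow-repository-anonymous-access>'),
             c_ns)
      into l_cfg from dual;
  else
    select updatexml(l_cfg, c_path || '/text()', l_value, c_ns)
      into l_cfg from dual;
  end if;
  dbms_xdb.cfg_update(l_cfg);
  dbms_xdb.cfg_refresh;
end set_xdb_anonymous_access;
/

-- Question 1 from the post: allow it.
exec set_xdb_anonymous_access(true);

-- Read-back: the value epgstat prints under "Allow repository anonymous access?"
select extractvalue(dbms_xdb.cfg_get(),
         '/xdbconfig/sysconfig/protocolconfig/httpconfig/allow-repository-anonymous-access',
         'xmlns="http://xmlns.oracle.com/xdb/xdbconfig.xsd"') as anonymous_access
  from dual;
```

Turning this on makes every repository resource that ANONYMOUS has read access to reachable without a password, so the exposure is bounded by the repository ACLs, not by the switch: keep ANONYMOUS readable only on the folders that must be public (the APEX images under /i/ are the usual case).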
