Logout fails Authorization Scheme

Similar Messages

• Authorization Schemes always fails

  I am trying to verify that the user has the correct access in the authorization scheme. No matter what I put it fails. I currently have it set to pl/sql function returning boolean and the code as:
  begin
  return true;
  end;
  I still get the error message for my Authorization Scheme every time. For my application settings I selected the {Not} option, and that fails as well.
  Can someone point me in the right direction?
  Thanks.

  Johnnie,
  If you made this an application level authorization then try checking the page. Frankly I don't know how it could have failed when it says always return true... But try something like the following:
  DECLARE
     l_retval BOOLEAN;
  BEGIN
     l_retval := nv('APP_PAGE_ID') = 101 OR v('APP_USER') IS NOT NULL;
     RETURN l_retval;
  END;The first page is checking to see if the user is on the login page. The second condition is really nothing, you'll want to fix it for your application. If you're still having problems, please post an example application on apex.oracle.com so we can take a look under the hood.
  Regards,
  Dan

• Custom handling of authorization scheme failed errors

  Is there a way I can catch when someone goes to a page they are not authorized to be on (Authorization Scheme used to enforce it) then instead of stopping cold redirect them to the public page of the application and use global notification to inform the user of the fact he or she is not authorized into the selected page instead of going to the red stop sign X page? I have used global notifications before but I am unsure if there is a way to keep my page secure applying the authorization scheme at the page level and do what I am talking about. Any ideas?

  This only happens when the user tampers with the URL, but that does happen.
  You can code your authorization scheme to return true when it detects unauthorized access to a page but first have it use owa_util.redirect_url to go to the notification page of your choosing.
  Scott

• Authorization Scheme problem using query

  Greetings:
  I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
  The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
  The three created authorization schemes are as follows.
  My first scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  APP_GROUP_TYPE != 'READ_ONLY'
  This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
  My Second scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  and
  APP_GROUP_TYPE != 'transactional')
  The second one, I have added the transactional group as to be explicitly negated access.
  My Third scheme
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  AND
  APP_GROUP_TYPE != 'transactional'
  AND
  APP_GROUP_TYPE != 'general')
  the last one, I have added the general group as to be explicitly negated access.
  I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

  I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
  Thanks for your support. Maybe this can help someone on the forums out.

• Page Restriction - Authorization Scheme

  I have an application 8736 this application as 3 tabs
  TAB1: information  TAB2: department   TAB3: Admin
  TAB3 as a form in which SHOULD be only be view by users which authorisation rights. I have been trying to do this for sometimes now and it is not work. I have a table called users
  TABLE:users
  username    access_level      
  john919             2
  sarah765           0
  For the page in TAB3 if you have an access level of 2. You should be able to view this page and if not they you should get an error message saying "sorry you cant view this page".
  In this case "john919" should be able to view the page in tab "Tab3" and "sarah765 " SHOULD NOT.
  I have this query in the Authorization Scheme and the scheme type: pl/sql function returning boolean
  DECLARE
     v_access_level   NUMBER (2);
  BEGIN
     IF (:APP_PAGE_ID = 61)
     THEN
        SELECT MAX (ADMIN_LEVEL)
          INTO v_access_level
          FROM USERS
         WHERE USER_NAME = :APP_USER;
        IF v_access_level = 2
        THEN
           RETURN TRUE;
        ELSE
           RETURN FALSE;
        END IF;
     ELSE
        RETURN TRUE;
     END IF;
  END
  I have never try this before and I have being asking around and alot of people tell me this should check the admin_level in the USERS table using the current username of the person looking in to see if they have access to this page. SO far this is as fail me. Please help

  If you only have one access level per user then try changing your authorization scheme code to
  DECLARE
     v_access_level   NUMBER (2);
  BEGIN
        SELECT ADMIN_LEVEL
          INTO v_access_level
          FROM USERS
         WHERE USER_NAME = :APP_USER;
        IF v_access_level = 2
        THEN
           RETURN TRUE;
        ELSE
           RETURN FALSE;
        END IF;
  END;
  now apply this scheme to tab3

• Authorization schemes

  I am trying to not reinvent the wheel but Oracle DB secuirty as it exists today in APEX. I have successfully setup the authentication using Database account and that works fine, but now I want to have my application only allow special oracle accounts that are signified by Banner, authorized to process the application. I do not want to have to setup any additional security, but use my current DB security that is already setup in the Banner accounts for what can be accessed. I know I have to do something in the Authorization schemes in APEX, but I am not sure what? Any help would be appreciated. Thanks. Joe

  It's quite simple really.
  Create the scheme and the bottom line is that the scheme has to return TRUE or FALSE. TRUE means that they pass the test and can do whatever it is, FALSE means they fail the test and should get an error.
  99.9% of the time I create a boolean-returning function in the database and I call it in the scheme like this (assume myfunction() takes the value of the signed-on user and does something with it to check if this user passes the test or not):
  RETURN myfunction(:APP_USER);If TRUE comes back, they pass security validation, else it will fail them.
  If you are just testing the user name itself, try this:
  RETURN (:APP_USER like '%BANNER');...or whatever else returns TRUE/FALSE to evaluate your test.
  Then, after you define the scheme, attach it to whatever needs protection.
  There is an application-level to place the authorization scheme to restrict all access to all pages but I've never gotten it to effectivelly work because if you do the above example, it will even protect the login page because the APP_USER isn't yet set to the person who is going to log in. So I've always had to put the authorization at each page.
  However you might be able to manage it at the application level if you do it this way (I never tried but I guess this would work...assume 101 is the login page):
  RETURN :APP_PAGE_ID='101' OR (:APP_PAGE_ID != '101' AND :APP_USER like '%BANNER');So anytime page 101 (login) is accessed, the user passes security test to render the page. Else if it's not page 101, their username has to end in BANNER in order to pass the test.

• Customise Authorization Scheme web page

  Hi
  APEX - 4.1
  Oracle - 11gr2
  I have added an Authorization Scheme to my application whereby a check is performed to determine whether or not a user is allowed to access a webpage. If a user tries to access a restricted webpage a new webpage is displayed with
  'Access denied by Application security check' and a red exclamation
  My question is how can I customise this webpage as it differs from my application template (The log out disappears at the top and the topbar moves about between the restriction error webpage and the page it returns back to)?
  Is this possible?
  Thanks
  Rob

  Hi
  Thanks for the help. I located the 'Error Page Template Control' section.
  I am not looking to customise that section, but what I have noticed in firebug is that when I switch to this error page the BODY of the HTML document changes.
  So on a ordinary page you would normally have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
      #NAVIGATION_BAR#
      #REGION_POSITION_08#
    </div>whereas on this error page you will have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
    </div>Also the topbar seems to change from
     <div id="topbar">#REGION_POSITION_01##REGION_POSITION_04#</div>to
     <div id="topbar"></div>Is this normally? It is these adjustments I want to fix as navbar has the logout link which disappears and the topbar has my menu which messes with the page format on the error page
  Cheers
  Rob

• Order of evaluation - Authorization scheme or application computation

  APEX 4.2.2
  A page has a Evaluate for every page view authorizaton scheme of the type Value of item in Expression 1 = Expression 2 with Expression 1=G_ITEM and Expression 2=1. G_ITEM is set using  a Before-Header application computation conditioned to fire when G_ITEM is null.
  What I see is that the authorization scheme always returns false and the page is not rendered. Inspecting wwv_flow_data shows that G_ITEM is not there. So it would appear that the authorization scheme is evaluated before the application computation and since it returns false, the engine stops.
  Does that sound right? Is this order of evaluation of components documented anywhere? There is a Utilities > Page Events screen but that doesn't include Authorization schemes.
  Thanks

  Hi Christian - I am referring to a page-level authorization scheme set to be evaluated For each page view
  Here are some more details...the application has only one UI (Desktop) and Application XX > User Interfaces > User Interface Details > Home URL is set to f?p=&APP_ID.:30:&SESSION.
  When I launch the app using f?p=181::::LEVEL9 this is what I get in apex_debug_messages
  init cgi_var_name.count=>29
  CGI: PATH_INFO = /f
  HTTP://xxx/pls/xxx
  QUERY_STRING=p=181::::LEVEL9
  REQUEST_METHOD=GET
  REMOTE_ADDR=xx.xx.xx.xx
  REMOTE_USER=foobar
  APEX_LISTENER_VERSION=
  REFERER=
  Cookies:
  S H O W: application="181" page="" workspace="" request="" session=""
  Reset NLS settings
  alter session set NLS_LANGUAGE="AMERICAN"
  alter session set NLS_TERRITORY="AMERICA"
  alter session set NLS_CALENDAR="GREGORIAN"
  alter session set NLS_SORT="BINARY"
  alter session set NLS_COMP="BINARY"
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  no characterset conversion needed
  ...Setting session time_zone to -04:00
  reset_nls_environment
  reset
  reset
  Processing page view with session ID = 0
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
  alter session set nls_language="AMERICAN"
  alter session set nls_territory="AMERICA"
  NLS: CSV charset=WE8MSWIN1252
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
  ...NLS: Set g_nls_date_format="mm/dd/yyyy"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  NLS: Language=en-us
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
  authenticate_and_init_session p_app_id=>181
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  detect_user_interface p_application_id=>181
  ... "Desktop" is the only UI - no autodetection necessary
  ... setting ui to "DESKTOP"
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:null
  Authentication check: Login (NATIVE_CUSTOM)
  ... no page specified: failure
  ...fetch session state from database
  get_current
  ... DOES NOT EXIST - ignore
  fetch items (exact)
  Redirecting to f?p=181:30:
  Stop APEX Engine detected
  Final commit
  I am not sure why the engine stops rendering but I get the Access denied by Page security check error on the screen
  Next experiment...launch f?p=181:30:::LEVEL9:
  That gets me the following debug stack
  init cgi_var_name.count=>28
  CGI: PATH_INFO = /f
  HTTP://xxx/pls/xxx.xx
  QUERY_STRING=p=181:30:::LEVEL9:
  REQUEST_METHOD=GET
  REMOTE_ADDR=xx.xx.xx.xx
  REMOTE_USER=foobar
  APEX_LISTENER_VERSION=
  REFERER=
  Cookies:
  S H O W: application="181" page="30" workspace="" request="" session=""
  Reset NLS settings
  alter session set NLS_LANGUAGE="AMERICAN"
  alter session set NLS_TERRITORY="AMERICA"
  alter session set NLS_CALENDAR="GREGORIAN"
  alter session set NLS_SORT="BINARY"
  alter session set NLS_COMP="BINARY"
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  no characterset conversion needed
  ...Setting session time_zone to -04:00
  reset_nls_environment
  reset
  reset
  Processing page view with session ID = 0
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
  alter session set nls_language="AMERICAN"
  alter session set nls_territory="AMERICA"
  NLS: CSV charset=WE8MSWIN1252
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
  ...NLS: Set g_nls_date_format="mm/dd/yyyy"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  NLS: Language=en-us
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
  authenticate_and_init_session p_app_id=>181
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:false
  Authentication check: Login (NATIVE_CUSTOM)
  get_current
  ... DOES NOT EXIST - ignore
  builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=
  ... cookie is not set
  ... failure, session not found
  set_db_session_info
  ...fetch session state from database
  get_current
  ... DOES NOT EXIST - ignore
  fetch items (exact)
  execute_native_session_sentry p_type=>NATIVE_CUSTOM
  ...Execute Statement: begin declare
  begin
  wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
  end;
  ~
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=
  ... cookie is not set
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=
  ... cookie is not set
  generate_unique_session_id
  remember_deep_link p_url=>f?p=181:30:::LEVEL9:
  get_current
  ... DOES NOT EXIST - ignore
  ... insert into wwv_flow_sessions$: 7781513768577
  create_new
  Session created: 7781513768577 user: foobar
  save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
  set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>f?p=181:30:7781513768577::LEVEL9:
  ...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value="f?p=181:30:7781513768577::LEVEL9:"
  login p_uname=>foobar,p_password=>...,p_session_id=>7781513768577,p_flow_page=>181:30,p_entry_point=>POST-LOGIN,p_preserve_case=>false,p_use_secure_cookie=>false
  execute_login p_username=>foobar,p_password=>...,p_current_app_id=>181,p_next_app_id=>181,p_next_page_id=>30,p_post_login=>true,p_builder_login_for_workspace=>
  ...delaying unrecoverable error to the end of execute_login
  create_or_reuse_session
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
  ...Session ID 7781513768577 can be used
  ...New Instance Detected -
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:false
  ... POST LOGIN shortcut, no pre-auth and auth process
  ... Authentication success
  ... running post_auth_240111674424380819
  ...Execute Statement: begin declare
  procedure post_auth_240111674424380819 is
  begin
  post_auth_240111674424380819;
  end;
  end;
  Collection - Begin create_collection_from_query_b, Collection Name: AD_GROUPS
  Collection - Begin Create Collection, Collection Name: EM_ROLES
  save_by_name p_item_name=>G_APP_USER,p_item_value=>***
  find_item_by_name p_name=>G_APP_USER
  set_substitution_cache p_id=>8993704979413505,p_value=>***,p_name=>G_APP_USER,p_filter=>Y,p_encrypted=>N
  ...Session State: Saved Item "G_APP_USER" New Value="foobar"
  get_item_value  p_item=>FSP_AFTER_LOGIN_URL,p_flow=>181,p_instance=>7781513768577
  ... l_instance=7781513768577,l_flow_id=181,l_sgid=634111608319703,p_item=FSP_AFTER_LOGIN_URL
  get_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_session_id=>7781513768577
  ...value="f?p=181:30:7781513768577::LEVEL9:"
  save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
  set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>
  ...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value=""
  log_login p_username=>foobar,p_security_group_id=>634111608319703,p_owner=>foobar,p_application_id=>181,p_authentication_method=>Login,p_authentication_result=>0,p_custom_status_text=>
  ... update session user (foobar) and auth result ()
  reset_cache
  update_hashed_id -> ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1, sqlrowcount=1
  send name=>ORA_WWV_APP_181,value=>ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1,expires=>,path=>,domain=>,secure=>,httponly=>HTTPONLY
  Redirecting to f?p=181:30:7781513768577::LEVEL9:
  ...setting g_unrecoverable_error:=true again
  Stop APEX Engine detected
  Stop APEX Engine detected
  Final commit
  init cgi_var_name.count=>29
  CGI: PATH_INFO = /f
  HTTP://xxx/pls/xxx.xx
  QUERY_STRING=p=181:30:7781513768577::LEVEL9:
  REQUEST_METHOD=GET
  REMOTE_ADDR=xx.xx.xx.xx
  REMOTE_USER=foobar
  APEX_LISTENER_VERSION=
  REFERER=
  Cookies:
  S H O W: application="181" page="30" workspace="" request="" session="7781513768577"
  Reset NLS settings
  alter session set NLS_LANGUAGE="AMERICAN"
  alter session set NLS_TERRITORY="AMERICA"
  alter session set NLS_CALENDAR="GREGORIAN"
  alter session set NLS_SORT="BINARY"
  alter session set NLS_COMP="BINARY"
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  no characterset conversion needed
  ...Setting session time_zone to -04:00
  reset_nls_environment
  reset
  reset
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
  alter session set nls_language="AMERICAN"
  alter session set nls_territory="AMERICA"
  NLS: CSV charset=WE8MSWIN1252
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
  ...NLS: Set g_nls_date_format="mm/dd/yyyy"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  NLS: Language=en-us
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
  authenticate_and_init_session p_app_id=>181
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:false
  Authentication check: Login (NATIVE_CUSTOM)
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
  builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  ... success, session id and security group id matches
  ... set user and session id in package globals
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  set_db_session_info
  ...fetch session state from database
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  fetch items (exact)
  ... fetched 8993704979413505: name=G_APP_USER, value=foobar
  execute_native_session_sentry p_type=>NATIVE_CUSTOM
  ...Execute Statement: begin declare
  begin
  wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
  end;
  ~
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  ... sentry success, no verification specified
  ... sentry+verification success
  create_or_reuse_session
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  ...Session ID 7781513768577 can be used
  ...New Instance Detected -
  get_by_cookie_name p_cookie_name=>ORA_WWV_USER_61814286625969
  session cookie value for ORA_WWV_USER_61814286625969=
  ... cookie is not set
  get_builder_session_id: builder session=null
  ...Setting session time_zone to -04:00
  ...Check for session expiration:
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_session_id=>7781513768577
  NO_DATA_FOUND!
  set_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_value=>20130925091227::
  ...Session State: Saved Item "FSP_SESSION_TIME" New Value="20130925091227::"
  Session: Fetch session header information
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  fetch_step_info p_mode=>SHOW
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_theme_id p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  Branch point: Before Header
  Authorization Check: "Administrator" Caching: "BY_USER_BY_PAGE_VIEW" Component: "PAGE"
  ...  failed
  setting g_primary_language := en-us
  Add error onto error stack
  ...Error data:
  ......message: Must be Administrator
  ......additional_info: Access denied by Page security check
  ......display_location: ON_ERROR_PAGE
  ......is_internal_error: true
  ......apex_error_code: APEX.AUTHORIZATION.ACCESS_DENIED
  ......error_backtrace: ----- PL/SQL Call Stack -----
    object      line  object
    handle    number  name
  0x2d7325bc0       556  package body APEX_040200.WWV_FLOW_ERROR
  0x2d7325bc0       607  package body APEX_040200.WWV_FLOW_ERROR
  0x2d7325bc0       911  package body APEX_040200.WWV_FLOW_ERROR
  0x211e95470       488  package body APEX_040200.WWV_FLOW_AUTHORIZATION
  0x2dbf01138      6000  package body APEX_040200.WWV_FLOW
  0x2db632be8       249  procedure APEX_040200.F
  0x267d27130        31  anonymous block
  ......component.type: APEX_APPLICATION_AUTHORIZATION
  ......component.id: 19813621888498766
  ......component.name: Administrator
  ...Show Error on Error Page
  ......Performing rollback
  render_error_page
  wwv_flow_init_htp_buffer
  reset
  reset
  get_grid_template p_page_template_id=>12901127353947285
  emit_page_header
  Show page template header
  handle_common_placeholders p_placeholder=>#TITLE#
  get_title
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#APEX_CSS#
  is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  ...initialize cache
  ... ui type name=DESKTOP
  ... true
  handle_common_placeholders p_placeholder=>#TEMPLATE_CSS#
  handle_common_placeholders p_placeholder=>#THEME_CSS#
  handle_common_placeholders p_placeholder=>#PAGE_CSS#
  handle_common_placeholders p_placeholder=>#APEX_JAVASCRIPT#
  is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  ...use cache
  ... ui type name=DESKTOP
  ... true
  handle_common_placeholders p_placeholder=>#TEMPLATE_JAVASCRIPT#
  handle_common_placeholders p_placeholder=>#APPLICATION_JAVASCRIPT#
  handle_common_placeholders p_placeholder=>#PAGE_JAVASCRIPT#
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#ONLOAD#
  handle_common_placeholders p_placeholder=>#OUTDATED_BROWSER#
  handle_common_placeholders p_placeholder=>#FORM_OPEN#
  Rendering form open tag and internal values
  clear_page_checksum
  generate_unique_session_id
  perform p_process_point=>AFTER_ERROR_HEADER
  Processes - point: AFTER_ERROR_HEADER
  handle_common_placeholders p_placeholder=>#REGION_POSITION_07#
  handle_common_placeholders p_placeholder=>#HOME_LINK#
  handle_common_placeholders p_placeholder=>#LOGO#
  handle_common_placeholders p_placeholder=>#NAVIGATION_BAR#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_04#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_01#
  handle_common_placeholders p_placeholder=>#SUCCESS_MESSAGE#
  handle_common_placeholders p_placeholder=>#NOTIFICATION_MESSAGE#
  handle_common_placeholders p_placeholder=>#GLOBAL_NOTIFICATION#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_02#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_03#
  perform p_process_point=>BEFORE_ERROR_FOOTER
  Processes - point: BEFORE_ERROR_FOOTER
  emit_footer
  Show page footer
  Show page tempate footer
  handle_common_placeholders p_placeholder=>#CUSTOMIZE#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_05#
  handle_common_placeholders p_placeholder=>#APP_VERSION#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
  handle_common_placeholders p_placeholder=>#FORM_CLOSE#
  Rendering form close tag and page checksum
  handle_common_placeholders p_placeholder=>#DEVELOPER_TOOLBAR#
  handle_common_placeholders p_placeholder=>#GENERATED_CSS#
  handle_common_placeholders p_placeholder=>#GENERATED_JAVASCRIPT#
  emit_generated_javascript
  Logging exception in final_exception_handler:
  Sqlerrm: ORA-20987: APEX - Must be Administrator - Access denied by Page security check
  Backtrace: ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 861
  ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 896
  ORA-06512: at "APEX_040200.WWV_FLOW_AUTHORIZATION", line 501
  ORA-06512: at "APEX_040200.WWV_FLOW", line 6000
  Seems to me that the authorization scheme (which uses the value of the application item) is evaluated before the before-header/unconditional application computation sets the value of the application item and since the authorization scheme fails, show processing stops with an error.
  What say you?

• Report Link + Authorization Scheme

  I have an authorization scheme that checks whether a certain person has privileges to edit a record on Page 2 by referring to the :P2_ID in the authorization scheme. Page 1 has a report with a report link, but the user can see both items they are able to edit and items they are not. I know I can make the link dynamically in the sql but wanted to see if there was an easy way to use an authorization scheme, but pass the #REPORT_COL# value in the report over to an authorization scheme to show or hide the icon for me so I can get the link out of the sql.

  Great example Scott! However, I'd would caution the other Sc0tt that calling functions in a SQL statement is fine for a small number of rows, but can CRUSH performance for medium to large result sets. Even if the function is fast, you're still context-switching between SQL and PL/SQL for every row. Make sure you test this with the volume of data you expect your users to encounter. If it's a problem, you might force the user to apply some filters before running the query.
  If you're running 11g you can at least minimize the hit of the function with "Function Result Cache". Even if you're not on 11g yet, you can use the following code in 10g and it will switch-on result cache when you compile it in 11g:
  create or replace function auth_user(p_key in number)
       return varchar2
       $IF not dbms_db_version.ver_le_10_2 $THEN
            result_cache
       $END
  as
  begin
      pkg.g_value := p_key;
      if apex_application.public_security_check (p_security_scheme => 'AUTH_USER_COLUMN') then
          return '1';
      else
          return '0';
      end if;
  end;
  / If it is a reasonable result set, Scott's solution is perfect.
  Thanks,
  Tyler

• Display page items based on Authorization Scheme...

  I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
  Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
  I thought of two possibilities, both I think I'd need help on though!:
  1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
  accessible by "Edit" or "Admin".
  The problem, though, is now "Edit" or "Admin" users will see both columns
  2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
  I would have no clue how to do this...
  Any thoughts?
  Kevin L.

  Kevin
  You can create two items and in the Authorization Scheme you can set one as Users and second as Edit. Also You can do something using small JS. Create a variable P_USR_TYPE to hold the value of User group lets say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
  function UsrCustomization()
       if ( P_USR_TYPE == 1 )
            // mark the item as readonly
            // document.getElementById('P1_FIELD_QUESTION').disabled = true;
            document.getElementById('P1_FIELD_QUESTION').readOnly="readonly"
  UsrCustomization();Thanks,
  Manish

• Error in executing authorization scheme code

  I run my application on APEX.ORACLE.COm and I immediatly get the following error:
  ORA-06550: line 13, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 12, column 14: PL/SQL: SQL Statement ignored ORA-06550: line 16, column 19: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 16, column 5: PL/SQL: Statement ignored ORA-06550: line 17, column 15: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 17, column 5: PL/SQL: Statement ignored ORA-06550: line 25, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line
  Error ERR-1082 Error in executing authorization scheme code.
  Here are the login credentials:
  Workspace: RGWORK
  Application: Online Certification Application Prototype - 21405
  User: TESTER
  Password: test123
  The application s/b public . I am not able to identify the invalid authorization scheme. I checked all the authorization schemes in the Shared Components > Security > Authorization Schemes and can't find the culprit.
  Can someone assist please?
  Thank you,
  Robert
  My Blog: http://apexjscss.blogspot.com

  Your Authorization Scheme "Access control - administrator" has this line of code that uses a table that isn't there (or RGTEST has no access to):
  select id, application_mode
  from apex_adm.apex_access_setup
  This Authorization Scheme is used in the Admin tab.
  If you run the page in debug mode you'll see (amongst a lot of other stuff):
  0.19: Authorization Check: "11204012643155257465" User: "nobody" Component: "tab"
  0.20: Show ERROR page...
  That pointed me to the Tab section...and there it was!

• Using Page Text Item in an Authorization Scheme

  Hello,
  I will be having a text item is every page say, Px_RESP_ID (hidden and its value set in an earlier page), and want to use its value in an authorization scheme to verify if the user has an access to the page.
  I'm using the following SQL in the authorization scheme -
  Apex Version: Apex 3.2
  Scheme Type: Exists SQL Query
  SQL:
  SELECT 1
  FROM zs_users zu
  , zs_responsibilities zr
  , zs_user_resp_groups zur
  WHERE
  zu.user_name = :APP_USER
  AND zr.resp_id = '&P'||:APP_PAGE_ID||'_RESP_ID.'
  AND zu.user_id = zur.user_id
  AND zr.resp_id = zur.resp_id
  For some reason this approach is not working. Any ideas to help me move forward will be greatly appreciated.
  Regards,
  Seshu

  AFAIK an application item, or maybe a page 0 item, is the only way to do this (as those items effectively exist across all pages of an application). Unfortunately since authorization schemes are application-level, you can't really effectively reference page items at runtime since you aren't necessarily on that page.
  The other option is an ugly one. Instead of creating one auth scheme (e.g.: "user_has_whatever_authority"), create one for every page (e.g.: "user_has_whatever_authority_1", "user_has_whatever_authority_2", etc.) and attach each auth scheme to each page by matching up the number in the name with the page. But this is a maintenance nightmare and terrible style IMHO, but it'll work. Your colleagues will hate you for it when you're gone though.

• Authorization scheme for users stored in a database table?

  Hello!
  I'm trying to find out how to make an authorization scheme for database users.
  I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
  A word of explanation:_
  I have a table in my database, named "USERS". Inside this table, I have the following columns:
  - USERID (NUMBER)
  - USERNAME (VARCHAR2(50))
  - PASSWORD (VARCHAR2(50))
  - EMAIL (VARCHAR2(200))
  For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
  What I want:_
  When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
  So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
  I also want the UserID to be stored somewhere in the application (if possible, in an application item).
  How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
  Any help is greatly appreciated.

  I'm trying to find out how to make an authorization scheme for database users. I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to login to the database, for example with sqlplus.
  From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select use my custom function to authenticate. Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of validate user function you could use is given below:
  function validate_login (
     p_username   in   varchar2
  , p_password   in   varchar2) return boolean
  is
  v_result varchar2(1);
  begin
  select null into v_result
  from USERS
  where userid = p_username
  and password = p_password;
  return true;
  when no_data_found then return false;
  end validate_login;Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
  And for Application Express Account Credentials, does this mean an admin must make each new user by hand?If you using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
  Rod West

• Public and Authenticated App with Authorization Scheme once per session

  I have a question . . .
  Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
  It may make a big difference. If the authorization sheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
  This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
  Is this clear?

  Anton,
  It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
  What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
  Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
  OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
  General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
  In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
  Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
  Hope this helps,
  Scott

• Unexpected problem with authorization scheme of type plsql function

  Hi,
  I have created one authorization scheme of type plsql function returning boolean. Authorization scheme is for pages only. p2_user_priviledge is a textbox on home page which extract privilege (list of pagenos) for login user from database. Home page has no authorization required. AUTHORIZATION SCHEME always returns false. I am not able to trace problem in my code. same code works fine for a textbox's default returning 'c'.
  ----- CODE FOR AUTHORIZATION SCHEME------------------------------------------------------------
  declare
  pageid varchar2(10);
  privilege varchar2(300);
  c number(3);
  begin
  pageid := ':P'||to_char(:app_page_id)||':' ; ---Pageno get stored in format  *:P2:*
  privilege := trim(:p2_user_priviledge); ++------Contain list of privilege like    :P2:P13:P67:P23:  etc+++ select instr(privilege,pageid) into c from dual;
  if c>0 then
  return true;
  else
  return false;
  end if;
  end;
  One more problem is again related to authorization scheme.
  I created one application and one authorization scheme (auth_aug) which worked finely. Then after some days i added 10 more pages to same application, But now autho_aug was always returning false for new pages. So i copied code from 'autho_aug' to new scheme 'autho_sept', & it worked for new pages. I don't understand if code is same for both scheme, why required to use two different schemes.
  Now i have added few more pages to application, and facing problem mentioned earlier.
  any solution for both the problems.....

  Hi,
  Let me clear my problem once again.
  -->Home page i.e. P2 does not use authorization, So it is displayed along with text item :p2_user_privilege.
  -->Then user click on one of the links , Now page :P70: should get displayed.
  P70 is using authorization scheme.
  -->But :p2_user_priviledge value is not accessible at authorization scheme, I dont know why.
  I could not find out where to create Application item , as suggested by you.
  & not able to find Developer menu , session at home page as suggested earlier.
  And one more question, my application at runtime display
  X en us
  at bottom
  How to make it
  USER: X Language: en us
  Like in development environment.
  Hope I have cleared my problem, waiting for reply.
  Edited by: TEJU on Nov 17, 2008 9:25 AM