Page Restriction - Authorization Scheme

I have an application, 8736. This application has 3 tabs:
TAB1: information  TAB2: department   TAB3: Admin
TAB3 has a form which SHOULD only be viewed by users with authorisation rights. I have been trying to do this for some time now and it is not working. I have a table called users.
TABLE: users
username    access_level
john919     2
sarah765    0
For the page in TAB3, if you have an access level of 2, you should be able to view this page, and if not then you should get an error message saying "sorry you cant view this page".
In this case "john919" should be able to view the page in tab "Tab3" and "sarah765" SHOULD NOT.
I have this query in the Authorization Scheme, and the scheme type is: PL/SQL function returning boolean
DECLARE
   v_access_level   NUMBER (2);
BEGIN
   IF (:APP_PAGE_ID = 61)
   THEN
      SELECT MAX (ADMIN_LEVEL)
        INTO v_access_level
        FROM USERS
       WHERE USER_NAME = :APP_USER;
      IF v_access_level = 2
      THEN
         RETURN TRUE;
      ELSE
         RETURN FALSE;
      END IF;
   ELSE
      RETURN TRUE;
   END IF;
END;
I have never tried this before and I have been asking around, and a lot of people tell me this should check the admin_level in the USERS table using the current username of the person looking in to see if they have access to this page. So far this has failed me. Please help

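If you only have one access level per user then try changing your authorization scheme code to
DECLARE
   v_access_level   NUMBER (2);
BEGIN
   -- Look up the level of the user who is currently logged in
   SELECT ADMIN_LEVEL
     INTO v_access_level
     FROM USERS
    WHERE USER_NAME = :APP_USER;
   -- Only level 2 may see the component
   IF v_access_level = 2
   THEN
      RETURN TRUE;
   ELSE
      RETURN FALSE;
   END IF;
EXCEPTION
   -- A user with no row in USERS is denied instead of raising an error
   WHEN NO_DATA_FOUND
   THEN
      RETURN FALSE;
END;
Now apply this scheme to tab3.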
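
A fail-closed version of this check, run against the two users from the question, as an added example that is not part of the original thread. The function name has_admin_level is hypothetical, the table uses the column names from the posted query (USER_NAME, ADMIN_LEVEL), and the case-insensitive match is an assumption about how the usernames are stored.

```plsql
-- Added example. Constructed sample data: the two users from the question.
CREATE TABLE users (
   user_name    VARCHAR2(30) NOT NULL,
   admin_level  NUMBER(2)    NOT NULL
);

INSERT INTO users (user_name, admin_level) VALUES ('john919', 2);
INSERT INTO users (user_name, admin_level) VALUES ('sarah765', 0);
COMMIT;

-- Hypothetical helper: TRUE only when exactly one row matches the user
-- and that row carries the required level. Every other outcome denies.
CREATE OR REPLACE FUNCTION has_admin_level (
   p_user   IN VARCHAR2,
   p_level  IN NUMBER DEFAULT 2
) RETURN BOOLEAN
IS
   v_level  users.admin_level%TYPE;
BEGIN
   -- Assumption: usernames are matched case-insensitively, because the
   -- login process may hand back :APP_USER in upper case (JOHN919) while
   -- the table stores john919.
   SELECT admin_level
     INTO v_level
     FROM users
    WHERE UPPER (user_name) = UPPER (p_user);

   IF v_level = p_level
   THEN
      RETURN TRUE;
   END IF;

   RETURN FALSE;
EXCEPTION
   WHEN NO_DATA_FOUND   -- user not listed in USERS: deny
   THEN
      RETURN FALSE;
   WHEN TOO_MANY_ROWS   -- duplicate rows for one user: deny
   THEN
      RETURN FALSE;
END has_admin_level;
/

-- Check the function from SQL*Plus or SQLcl before wiring it into APEX.
SET SERVEROUTPUT ON
DECLARE
   PROCEDURE show (p_user IN VARCHAR2)
   IS
   BEGIN
      DBMS_OUTPUT.put_line (
         RPAD (p_user, 10)
         || CASE WHEN has_admin_level (p_user) THEN 'allowed' ELSE 'denied' END);
   END show;
BEGIN
   show ('JOHN919');    -- level 2, passed in a different case
   show ('sarah765');   -- level 0
   show ('nobody');     -- not in the table
END;
/

-- Authorization scheme body (type: PL/SQL Function Returning Boolean):
--    RETURN has_admin_level (:APP_USER);
```

Attach the scheme to the page as well as to the tab: a scheme on a tab only controls whether the tab is rendered.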

Similar Messages

  • Page Authorization Scheme OK button not working

    Hi All,
    I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
    The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the root of my problem, and is there any way around this when using Popup windows?
    Thanks,
    Mike

    Scott,
    Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
    "The basic question is why would you ever show a link to a forbidden page to the user?"
    The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
    The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
    Thanks,
    Mike

  • Authorization scheme (using {not} Scheme)

    I have built a change password page and every user, except users with a Guest role (= GUEST SCHEME), has access to that page.
    I defined a scheme GUEST for users with the GUEST role. When I define the page with Authorization scheme {not}GUEST this isn't working: everyone has access to the page, also the guest users.
    Am I misunderstanding the {not}scheme choice or is something else wrong?
    Fred.

    Fred,
    "I have solved it with the work around I mentioned before:"
    I read what you said very carefully but thought it reckless to conclude that the workaround was successful because you just said "To work around the problem, I did xyz" without indicating the outcome.
    "The authorization schemes on navigation tabs fire also on the default login page"
    Yes they do, they fire on every page whether or not the page template accommodates a navigation bar. This looks like a bug to me.
    "Is there a 'authorization scheme report' which shows all the objects where the authorization scheme is defined."
    Shared Components > Authorization Schemes > Utilization (slightly different in each version).
    Scott

  • Order of evaluation - Authorization scheme or application computation

    APEX 4.2.2
    A page has an Evaluate for every page view authorization scheme of the type Value of item in Expression 1 = Expression 2 with Expression 1=G_ITEM and Expression 2=1. G_ITEM is set using a Before-Header application computation conditioned to fire when G_ITEM is null.
    What I see is that the authorization scheme always returns false and the page is not rendered. Inspecting wwv_flow_data shows that G_ITEM is not there. So it would appear that the authorization scheme is evaluated before the application computation and since it returns false, the engine stops.
    Does that sound right? Is this order of evaluation of components documented anywhere? There is a Utilities > Page Events screen but that doesn't include Authorization schemes.
    Thanks

    Hi Christian - I am referring to a page-level authorization scheme set to be evaluated For each page view
    Here are some more details...the application has only one UI (Desktop) and Application XX > User Interfaces > User Interface Details > Home URL is set to f?p=&APP_ID.:30:&SESSION.
    When I launch the app using f?p=181::::LEVEL9 this is what I get in apex_debug_messages
    init cgi_var_name.count=>29
    CGI: PATH_INFO = /f
    HTTP://xxx/pls/xxx
    QUERY_STRING=p=181::::LEVEL9
    REQUEST_METHOD=GET
    REMOTE_ADDR=xx.xx.xx.xx
    REMOTE_USER=foobar
    APEX_LISTENER_VERSION=
    REFERER=
    Cookies:
    S H O W: application="181" page="" workspace="" request="" session=""
    Reset NLS settings
    alter session set NLS_LANGUAGE="AMERICAN"
    alter session set NLS_TERRITORY="AMERICA"
    alter session set NLS_CALENDAR="GREGORIAN"
    alter session set NLS_SORT="BINARY"
    alter session set NLS_COMP="BINARY"
    ...NLS: Set Decimal separator="."
    ...NLS: Set NLS Group separator=","
    ...NLS: Set g_nls_date_format="DD-MON-RR"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    no characterset conversion needed
    ...Setting session time_zone to -04:00
    reset_nls_environment
    reset
    reset
    Processing page view with session ID = 0
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
    alter session set nls_language="AMERICAN"
    alter session set nls_territory="AMERICA"
    NLS: CSV charset=WE8MSWIN1252
    ...NLS: Set Decimal separator="."
    ...NLS: Set NLS Group separator=","
    ...NLS: Set g_nls_date_format="DD-MON-RR"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
    ...NLS: Set g_nls_date_format="mm/dd/yyyy"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    NLS: Language=en-us
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
    authenticate_and_init_session p_app_id=>181
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
    does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
    detect_user_interface p_application_id=>181
    ... "Desktop" is the only UI - no autodetection necessary
    ... setting ui to "DESKTOP"
    ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
    ... page is public:null
    Authentication check: Login (NATIVE_CUSTOM)
    ... no page specified: failure
    ...fetch session state from database
    get_current
    ... DOES NOT EXIST - ignore
    fetch items (exact)
    Redirecting to f?p=181:30:
    Stop APEX Engine detected
    Final commit
    I am not sure why the engine stops rendering but I get the Access denied by Page security check error on the screen
    Next experiment...launch f?p=181:30:::LEVEL9:
    That gets me the following debug stack
    init cgi_var_name.count=>28
    CGI: PATH_INFO = /f
    HTTP://xxx/pls/xxx.xx
    QUERY_STRING=p=181:30:::LEVEL9:
    REQUEST_METHOD=GET
    REMOTE_ADDR=xx.xx.xx.xx
    REMOTE_USER=foobar
    APEX_LISTENER_VERSION=
    REFERER=
    Cookies:
    S H O W: application="181" page="30" workspace="" request="" session=""
    Reset NLS settings
    alter session set NLS_LANGUAGE="AMERICAN"
    alter session set NLS_TERRITORY="AMERICA"
    alter session set NLS_CALENDAR="GREGORIAN"
    alter session set NLS_SORT="BINARY"
    alter session set NLS_COMP="BINARY"
    ...NLS: Set Decimal separator="."
    ...NLS: Set NLS Group separator=","
    ...NLS: Set g_nls_date_format="DD-MON-RR"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    no characterset conversion needed
    ...Setting session time_zone to -04:00
    reset_nls_environment
    reset
    reset
    Processing page view with session ID = 0
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
    alter session set nls_language="AMERICAN"
    alter session set nls_territory="AMERICA"
    NLS: CSV charset=WE8MSWIN1252
    ...NLS: Set Decimal separator="."
    ...NLS: Set NLS Group separator=","
    ...NLS: Set g_nls_date_format="DD-MON-RR"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
    ...NLS: Set g_nls_date_format="mm/dd/yyyy"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    NLS: Language=en-us
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
    authenticate_and_init_session p_app_id=>181
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
    does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
    get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
    ... page is public:false
    Authentication check: Login (NATIVE_CUSTOM)
    get_current
    ... DOES NOT EXIST - ignore
    builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
    get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
    session cookie value for ORA_WWV_APP_181=
    ... cookie is not set
    ... failure, session not found
    set_db_session_info
    ...fetch session state from database
    get_current
    ... DOES NOT EXIST - ignore
    fetch items (exact)
    execute_native_session_sentry p_type=>NATIVE_CUSTOM
    ...Execute Statement: begin declare
    begin
    wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
    end;
    ~
    get_cookie_properties 181 -> ORA_WWV_APP_181, ,
    get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
    session cookie value for ORA_WWV_APP_181=
    ... cookie is not set
    get_cookie_properties 181 -> ORA_WWV_APP_181, ,
    get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
    session cookie value for ORA_WWV_APP_181=
    ... cookie is not set
    generate_unique_session_id
    remember_deep_link p_url=>f?p=181:30:::LEVEL9:
    get_current
    ... DOES NOT EXIST - ignore
    ... insert into wwv_flow_sessions$: 7781513768577
    create_new
    Session created: 7781513768577 user: foobar
    save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
    set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>f?p=181:30:7781513768577::LEVEL9:
    ...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value="f?p=181:30:7781513768577::LEVEL9:"
    login p_uname=>foobar,p_password=>...,p_session_id=>7781513768577,p_flow_page=>181:30,p_entry_point=>POST-LOGIN,p_preserve_case=>false,p_use_secure_cookie=>false
    execute_login p_username=>foobar,p_password=>...,p_current_app_id=>181,p_next_app_id=>181,p_next_page_id=>30,p_post_login=>true,p_builder_login_for_workspace=>
    ...delaying unrecoverable error to the end of execute_login
    create_or_reuse_session
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
    ...Session ID 7781513768577 can be used
    ...New Instance Detected -
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
    ... page is public:false
    ... POST LOGIN shortcut, no pre-auth and auth process
    ... Authentication success
    ... running post_auth_240111674424380819
    ...Execute Statement: begin declare
    procedure post_auth_240111674424380819 is
    begin
    post_auth_240111674424380819;
    end;
    end;
    Collection - Begin create_collection_from_query_b, Collection Name: AD_GROUPS
    Collection - Begin Create Collection, Collection Name: EM_ROLES
    save_by_name p_item_name=>G_APP_USER,p_item_value=>***
    find_item_by_name p_name=>G_APP_USER
    set_substitution_cache p_id=>8993704979413505,p_value=>***,p_name=>G_APP_USER,p_filter=>Y,p_encrypted=>N
    ...Session State: Saved Item "G_APP_USER" New Value="foobar"
    get_item_value  p_item=>FSP_AFTER_LOGIN_URL,p_flow=>181,p_instance=>7781513768577
    ... l_instance=7781513768577,l_flow_id=181,l_sgid=634111608319703,p_item=FSP_AFTER_LOGIN_URL
    get_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_session_id=>7781513768577
    ...value="f?p=181:30:7781513768577::LEVEL9:"
    save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
    set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>
    ...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value=""
    log_login p_username=>foobar,p_security_group_id=>634111608319703,p_owner=>foobar,p_application_id=>181,p_authentication_method=>Login,p_authentication_result=>0,p_custom_status_text=>
    ... update session user (foobar) and auth result ()
    reset_cache
    update_hashed_id -> ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1, sqlrowcount=1
    send name=>ORA_WWV_APP_181,value=>ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1,expires=>,path=>,domain=>,secure=>,httponly=>HTTPONLY
    Redirecting to f?p=181:30:7781513768577::LEVEL9:
    ...setting g_unrecoverable_error:=true again
    Stop APEX Engine detected
    Stop APEX Engine detected
    Final commit
    init cgi_var_name.count=>29
    CGI: PATH_INFO = /f
    HTTP://xxx/pls/xxx.xx
    QUERY_STRING=p=181:30:7781513768577::LEVEL9:
    REQUEST_METHOD=GET
    REMOTE_ADDR=xx.xx.xx.xx
    REMOTE_USER=foobar
    APEX_LISTENER_VERSION=
    REFERER=
    Cookies:
    S H O W: application="181" page="30" workspace="" request="" session="7781513768577"
    Reset NLS settings
    alter session set NLS_LANGUAGE="AMERICAN"
    alter session set NLS_TERRITORY="AMERICA"
    alter session set NLS_CALENDAR="GREGORIAN"
    alter session set NLS_SORT="BINARY"
    alter session set NLS_COMP="BINARY"
    ...NLS: Set Decimal separator="."
    ...NLS: Set NLS Group separator=","
    ...NLS: Set g_nls_date_format="DD-MON-RR"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    no characterset conversion needed
    ...Setting session time_zone to -04:00
    reset_nls_environment
    reset
    reset
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
    alter session set nls_language="AMERICAN"
    alter session set nls_territory="AMERICA"
    NLS: CSV charset=WE8MSWIN1252
    ...NLS: Set Decimal separator="."
    ...NLS: Set NLS Group separator=","
    ...NLS: Set g_nls_date_format="DD-MON-RR"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
    ...NLS: Set g_nls_date_format="mm/dd/yyyy"
    ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
    ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
    NLS: Language=en-us
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
    authenticate_and_init_session p_app_id=>181
    fetch_flow_info
    set_html_escaping_mode p_mode=>E
    set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
    does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
    get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
    ... page is public:false
    Authentication check: Login (NATIVE_CUSTOM)
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
    builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
    get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
    session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    ... success, session id and security group id matches
    ... set user and session id in package globals
    set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
    does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
    set_db_session_info
    ...fetch session state from database
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    fetch items (exact)
    ... fetched 8993704979413505: name=G_APP_USER, value=foobar
    execute_native_session_sentry p_type=>NATIVE_CUSTOM
    ...Execute Statement: begin declare
    begin
    wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
    end;
    ~
    get_cookie_properties 181 -> ORA_WWV_APP_181, ,
    get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
    session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    get_cookie_properties 181 -> ORA_WWV_APP_181, ,
    get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
    session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    ... sentry success, no verification specified
    ... sentry+verification success
    create_or_reuse_session
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    ...Session ID 7781513768577 can be used
    ...New Instance Detected -
    get_by_cookie_name p_cookie_name=>ORA_WWV_USER_61814286625969
    session cookie value for ORA_WWV_USER_61814286625969=
    ... cookie is not set
    get_builder_session_id: builder session=null
    ...Setting session time_zone to -04:00
    ...Check for session expiration:
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    get_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_session_id=>7781513768577
    NO_DATA_FOUND!
    set_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_value=>20130925091227::
    ...Session State: Saved Item "FSP_SESSION_TIME" New Value="20130925091227::"
    Session: Fetch session header information
    get_current
    ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
    fetch_step_info p_mode=>SHOW
    get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    get_theme_id p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
    Branch point: Before Header
    Authorization Check: "Administrator" Caching: "BY_USER_BY_PAGE_VIEW" Component: "PAGE"
    ...  failed
    setting g_primary_language := en-us
    Add error onto error stack
    ...Error data:
    ......message: Must be Administrator
    ......additional_info: Access denied by Page security check
    ......display_location: ON_ERROR_PAGE
    ......is_internal_error: true
    ......apex_error_code: APEX.AUTHORIZATION.ACCESS_DENIED
    ......error_backtrace: ----- PL/SQL Call Stack -----
      object      line  object
      handle    number  name
    0x2d7325bc0       556  package body APEX_040200.WWV_FLOW_ERROR
    0x2d7325bc0       607  package body APEX_040200.WWV_FLOW_ERROR
    0x2d7325bc0       911  package body APEX_040200.WWV_FLOW_ERROR
    0x211e95470       488  package body APEX_040200.WWV_FLOW_AUTHORIZATION
    0x2dbf01138      6000  package body APEX_040200.WWV_FLOW
    0x2db632be8       249  procedure APEX_040200.F
    0x267d27130        31  anonymous block
    ......component.type: APEX_APPLICATION_AUTHORIZATION
    ......component.id: 19813621888498766
    ......component.name: Administrator
    ...Show Error on Error Page
    ......Performing rollback
    render_error_page
    wwv_flow_init_htp_buffer
    reset
    reset
    get_grid_template p_page_template_id=>12901127353947285
    emit_page_header
    Show page template header
    handle_common_placeholders p_placeholder=>#TITLE#
    get_title
    handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
    handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
    handle_common_placeholders p_placeholder=>#APEX_CSS#
    is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
    get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
    ...initialize cache
    ... ui type name=DESKTOP
    ... true
    handle_common_placeholders p_placeholder=>#TEMPLATE_CSS#
    handle_common_placeholders p_placeholder=>#THEME_CSS#
    handle_common_placeholders p_placeholder=>#PAGE_CSS#
    handle_common_placeholders p_placeholder=>#APEX_JAVASCRIPT#
    is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
    get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
    ...use cache
    ... ui type name=DESKTOP
    ... true
    handle_common_placeholders p_placeholder=>#TEMPLATE_JAVASCRIPT#
    handle_common_placeholders p_placeholder=>#APPLICATION_JAVASCRIPT#
    handle_common_placeholders p_placeholder=>#PAGE_JAVASCRIPT#
    handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
    handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
    handle_common_placeholders p_placeholder=>#ONLOAD#
    handle_common_placeholders p_placeholder=>#OUTDATED_BROWSER#
    handle_common_placeholders p_placeholder=>#FORM_OPEN#
    Rendering form open tag and internal values
    clear_page_checksum
    generate_unique_session_id
    perform p_process_point=>AFTER_ERROR_HEADER
    Processes - point: AFTER_ERROR_HEADER
    handle_common_placeholders p_placeholder=>#REGION_POSITION_07#
    handle_common_placeholders p_placeholder=>#HOME_LINK#
    handle_common_placeholders p_placeholder=>#LOGO#
    handle_common_placeholders p_placeholder=>#NAVIGATION_BAR#
    handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
    handle_common_placeholders p_placeholder=>#REGION_POSITION_04#
    handle_common_placeholders p_placeholder=>#REGION_POSITION_01#
    handle_common_placeholders p_placeholder=>#SUCCESS_MESSAGE#
    handle_common_placeholders p_placeholder=>#NOTIFICATION_MESSAGE#
    handle_common_placeholders p_placeholder=>#GLOBAL_NOTIFICATION#
    handle_common_placeholders p_placeholder=>#REGION_POSITION_02#
    handle_common_placeholders p_placeholder=>#REGION_POSITION_03#
    perform p_process_point=>BEFORE_ERROR_FOOTER
    Processes - point: BEFORE_ERROR_FOOTER
    emit_footer
    Show page footer
    Show page tempate footer
    handle_common_placeholders p_placeholder=>#CUSTOMIZE#
    handle_common_placeholders p_placeholder=>#REGION_POSITION_05#
    handle_common_placeholders p_placeholder=>#APP_VERSION#
    handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
    handle_common_placeholders p_placeholder=>#FORM_CLOSE#
    Rendering form close tag and page checksum
    handle_common_placeholders p_placeholder=>#DEVELOPER_TOOLBAR#
    handle_common_placeholders p_placeholder=>#GENERATED_CSS#
    handle_common_placeholders p_placeholder=>#GENERATED_JAVASCRIPT#
    emit_generated_javascript
    Logging exception in final_exception_handler:
    Sqlerrm: ORA-20987: APEX - Must be Administrator - Access denied by Page security check
    Backtrace: ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 861
    ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 896
    ORA-06512: at "APEX_040200.WWV_FLOW_AUTHORIZATION", line 501
    ORA-06512: at "APEX_040200.WWV_FLOW", line 6000
    Seems to me that the authorization scheme (which uses the value of the application item) is evaluated before the before-header/unconditional application computation sets the value of the application item and since the authorization scheme fails, show processing stops with an error.
    What say you?

  • Customise Authorization Scheme web page

    Hi
    APEX - 4.1
    Oracle - 11gr2
    I have added an Authorization Scheme to my application whereby a check is performed to determine whether or not a user is allowed to access a webpage. If a user tries to access a restricted webpage a new webpage is displayed with
    'Access denied by Application security check' and a red exclamation
    My question is how can I customise this webpage as it differs from my application template (The log out disappears at the top and the topbar moves about between the restriction error webpage and the page it returns back to)?
    Is this possible?
    Thanks
    Rob

    Hi
    Thanks for the help. I located the 'Error Page Template Control' section.
    I am not looking to customise that section, but what I have noticed in firebug is that when I switch to this error page the BODY of the HTML document changes.
    So on an ordinary page you would normally have
      <div id="navbar">
        <div class="app-user">#WELCOME_USER#</div>
        <div class="app-user">Client: Internal</div> -- This is customised by me
        #NAVIGATION_BAR#
        #REGION_POSITION_08#
      </div>
    whereas on this error page you will have
      <div id="navbar">
        <div class="app-user">#WELCOME_USER#</div>
        <div class="app-user">Client: Internal</div> -- This is customised by me
      </div>
    Also the topbar seems to change from
       <div id="topbar">#REGION_POSITION_01##REGION_POSITION_04#</div>
    to
       <div id="topbar"></div>
    Is this normal? It is these adjustments I want to fix, as navbar has the logout link which disappears and the topbar has my menu, which messes with the page format on the error page
    Cheers
    Rob

  • Display page items based on Authorization Scheme...

    I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
    Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
    I thought of two possibilities, both I think I'd need help on though!:
    1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be accessible by "Edit" or "Admin".
    The problem, though, is now "Edit" or "Admin" users will see both columns
    2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
    I would have no clue how to do this...
    Any thoughts?
    Kevin L.

    Kevin
    You can create two items and in the Authorization Scheme you can set one as Users and the second as Edit. Also you can do something using a small JS. Create a variable P_USR_TYPE to hold the value of the User group, let's say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
    function UsrCustomization() {
         // P_USR_TYPE: 1 = Users, 2 = Edit
         if ( P_USR_TYPE == 1 ) {
              // mark the item as readonly
              // document.getElementById('P1_FIELD_QUESTION').disabled = true;
              document.getElementById('P1_FIELD_QUESTION').readOnly = true;
         }
    }
    UsrCustomization();
    Thanks,
    Manish

  • Using Page Text Item in an Authorization Scheme

    Hello,
    I will be having a text item in every page, say Px_RESP_ID (hidden and its value set in an earlier page), and want to use its value in an authorization scheme to verify if the user has access to the page.
    I'm using the following SQL in the authorization scheme -
    Apex Version: Apex 3.2
    Scheme Type: Exists SQL Query
    SQL:
    SELECT 1
    FROM zs_users zu
    , zs_responsibilities zr
    , zs_user_resp_groups zur
    WHERE
    zu.user_name = :APP_USER
    AND zr.resp_id = '&P'||:APP_PAGE_ID||'_RESP_ID.'
    AND zu.user_id = zur.user_id
    AND zr.resp_id = zur.resp_id
    For some reason this approach is not working. Any ideas to help me move forward will be greatly appreciated.
    Regards,
    Seshu

    AFAIK an application item, or maybe a page 0 item, is the only way to do this (as those items effectively exist across all pages of an application). Unfortunately since authorization schemes are application-level, you can't really effectively reference page items at runtime since you aren't necessarily on that page.
    The other option is an ugly one. Instead of creating one auth scheme (e.g.: "user_has_whatever_authority"), create one for every page (e.g.: "user_has_whatever_authority_1", "user_has_whatever_authority_2", etc.) and attach each auth scheme to each page by matching up the number in the name with the page. But this is a maintenance nightmare and terrible style IMHO, but it'll work. Your colleagues will hate you for it when you're gone though.

  • Authorization Scheme for Application - Login Page?

    Hi,
    When I set an Authorization Scheme at Application level, HTML DB prevents access to my login page. Is there a way around this?
    Thanks,
    Stephen Baishya

    If you follow the above route you have to run the check on each page view.
    If you leave as per session the first time you run the authorisation check on the login page it returns true and the user will be allowed onto the application!
    I'm looking for an alternative way to run the authZ check after the authN check passes the credentials to validate the user access right to the app. I'll post my findings later ...
    cheers
    Craig

  • Page 0 security: authorization scheme not applied to other pages

    the page 0 security: authorization scheme not applied to other pages (neither as an override for existing pages nor as a default for new pages).
    how is this intended to work?

    mcstock,
    Can you clarify your question please? Can you give specific steps to reproduce this issue that you are inquiring about?
    Thanks.
    Joel

  • Accessing an item on a page based on authorization scheme

    Hi,
    I've two authorization schemes: ADMIN and VIEW. I've created a public page which will be accessed by both schemes. But on that page, in a particular region, I want to display an item only for ADMIN, not for the VIEW scheme.
    Thanks,
    Mahender.

    For that region's properties, go to conditional display and use this built-in function (after you pick PL/SQL function returning boolean): APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION('your_auth_scheme');
    This function returns true if the current user is in that auth. scheme.
    Let me know if that helps,
    Sam K.

  • Best Approach to create Security / Authorization Schema for an APEX Apps

    Hi,
    I am planning to create a Security / Authorization Schema for an APEX Application.
    Just want to know what is the best approach to create the security feature in APEX, so that it can be re-used in other APEX Applications too..
    I am looking for following features...
    1. users LOGIN and then user's name is stored in APEX_USER...
    2. Based on the user, I want to restrict the Application on following levels.
    - TABS
    - TABS - Page1 (Report)
    - Page2 (Form)
    - Page2 (Region1)
    - Page2 (Region1, Button1)
    - Page2 (Region1, Items,....)
    AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
    I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
    My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
    Also what should be the FRONT end, we should have to enter these detail...
    SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
    Thanks,
    Deepak

    Hi Raghu,
    thanks for the detailed info.
    so that means..I should have 2 table...
    master table (2 columns - username, password)
       username    password
       user1       xxxx
       user2       xxxx
    2nd table (2 columns - username, chq_disp_option)
    - In this table, we don't have Y/N Flag you mentioned..
    - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages which are conditionally displayed.
    - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
    - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
       username    chq_disp_option
       user1       re_region1
       user1       re_region2
       user1       tb_main
       user1       Page1
       user1       Page5
       ----        ----
    - how you are defining unique name for Regions..i mean in static ID or the Title
    - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
    Thanks,
    Deepak

  • Authorization schemes

    I am trying to not reinvent the wheel but Oracle DB security as it exists today in APEX. I have successfully set up the authentication using Database account and that works fine, but now I want to have my application only allow special oracle accounts that are signified by Banner, authorized to process the application. I do not want to have to set up any additional security, but use my current DB security that is already set up in the Banner accounts for what can be accessed. I know I have to do something in the Authorization schemes in APEX, but I am not sure what? Any help would be appreciated. Thanks. Joe

    It's quite simple really.
    Create the scheme and the bottom line is that the scheme has to return TRUE or FALSE. TRUE means that they pass the test and can do whatever it is, FALSE means they fail the test and should get an error.
    99.9% of the time I create a boolean-returning function in the database and I call it in the scheme like this (assume myfunction() takes the value of the signed-on user and does something with it to check if this user passes the test or not):
    RETURN myfunction(:APP_USER);
    If TRUE comes back, they pass security validation, else it will fail them.
    If you are just testing the user name itself, try this:
    RETURN (:APP_USER like '%BANNER');
    ...or whatever else returns TRUE/FALSE to evaluate your test.
    Then, after you define the scheme, attach it to whatever needs protection.
    There is an application-level to place the authorization scheme to restrict all access to all pages but I've never gotten it to effectively work because if you do the above example, it will even protect the login page because the APP_USER isn't yet set to the person who is going to log in. So I've always had to put the authorization at each page.
    However you might be able to manage it at the application level if you do it this way (I never tried but I guess this would work...assume 101 is the login page):
    RETURN :APP_PAGE_ID='101' OR (:APP_PAGE_ID != '101' AND :APP_USER like '%BANNER');
    So anytime page 101 (login) is accessed, the user passes security test to render the page. Else if it's not page 101, their username has to end in BANNER in order to pass the test.
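
    The application-level approach from the post above, written as a database function that exempts only the login page and denies on every other doubt. This is an added example, not code from the original posts: the table app_users, its columns, the function name and the minimum level of 2 are assumptions, and page 101 follows the post's example.

```plsql
-- Assumed table (constructed for this example):
--   CREATE TABLE app_users (
--     user_name    VARCHAR2(255) PRIMARY KEY,
--     access_level NUMBER(2)     NOT NULL);

CREATE OR REPLACE FUNCTION user_is_authorized (
    p_user       IN VARCHAR2,
    p_page_id    IN NUMBER,
    p_login_page IN NUMBER DEFAULT 101,  -- login page, as in the post
    p_min_level  IN NUMBER DEFAULT 2     -- assumed threshold
) RETURN BOOLEAN
IS
    l_level app_users.access_level%TYPE;
BEGIN
    -- The login page has to render before APP_USER names a real account,
    -- so it is the single page exempt from the check.
    IF p_page_id = p_login_page THEN
        RETURN TRUE;
    END IF;

    -- Missing user or page id: deny instead of falling through.
    IF p_user IS NULL OR p_page_id IS NULL THEN
        RETURN FALSE;
    END IF;

    SELECT access_level
      INTO l_level
      FROM app_users
     WHERE UPPER(user_name) = UPPER(p_user);

    -- NVL guards against a NULL level so the comparison yields TRUE or FALSE.
    RETURN NVL(l_level, 0) >= p_min_level;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        RETURN FALSE;   -- user not in the table: deny
    WHEN TOO_MANY_ROWS THEN
        RETURN FALSE;   -- ambiguous match: deny rather than guess
END user_is_authorized;
/

-- Authorization scheme body (type: PL/SQL Function Returning Boolean):
--   RETURN user_is_authorized(:APP_USER, TO_NUMBER(:APP_PAGE_ID));
```

    Because the result depends on the page, the scheme has to be evaluated on every page view; evaluated once per session, the TRUE returned for the login page is cached and lets the user into the rest of the application, as the login-page thread above points out.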

  • Authorization scheme problem

    Hi all,
    I have implemented ACL authorization (Restricted only), and have just created a new ACL scheme in my app is the name of "Registration" same copy of EDIT scheme, I have set following users with these roles:
    USERS with roles
    =============
    1. Admin with Administrator.
    2. Guest with Registration.
    3. Frank with Edit.
    I have create a Navigation List entries (for redirection) on my home page with following entries with restricted roles:
    Navigation List :
    ============
    Administration (for Administrator only ) assigned 'ADMIN' role
    New Registration (for 1 time user registration) assigned 'REGISTRATION' role
    Student Schedule (for existing users) assigned 'EDIT' role
    Student Semester Result (for existing users) assigned 'EDIT' role
    Student Attendance (for existing users) assigned 'EDIT' role
    Problem:
    ========
    When I set REGIS role to guest user, all entries of navigation list (I mentioned above) except Administration Entry are shown on this page.
    I want to restrict guest user, who can only see Registration Link only. How can I do this?
    help me out
    waiting for your prompt reply
    regards n thanks
    qamar

    Thanks for your reply scott, at least someone is there to understand it :).
    Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
    I had created a simple HTML page and created a Navigation List on it.
    there are 5 list entries on this page .
    1. Administration
    2. New User Registration.
    3. Student schedule.
    4. Student results
    5. Student attendance.
    -Administration
    (assigned ADMIN , so only administrator can see this link and all the entries)
    -New User Registration
    (only guest user with REGIS role can see this link)
    -3,4,5
    (only registered users with EDIT role can see these links)
    I have set these authorization in every list entry with authorization schemes mentioned above.
    Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
    I hope now you can understand clearly what I am trying to say and understand it.
    Hoping for your prompt reply.
    regards
    qamarsyed

  • Authorization Scheme using the APEX Authentication Scheme

    How would you build an authentication scheme that is using the APEX Authorization scheme. All users are belonging to a group which could be Oracle, External or Developer and I'd like to hide certain pages from the External users.
    I am not sure if I can grab the group name from some V('..') function and make something work?
    Cheers,
    Andy

    I'll give it a try again, sorry for not being able to describe the problem better!
    I am using the APEX built in authorization and authentication to make my life simple with regards to user mgmt. So all the users are managed using the Home>Administration>Manage Application Express Users. Every user belongs to an APEX group (Home>Administration>Manage Application Express Users>User Groups). For example:
    User A belongs to Group External
    User B belongs to Group Oracle
    User C belongs to Group Admin
    Now, there are certain pages in my application that I want to restrict from the Group External (but the Group Admin and Group Oracle can see them).
    So my question is really how would I build such an Authorization Scheme to accomplish this? Not sure about which APEX API functions I should use to get this data and how to build the function.
    I hope this makes more sense?
    Andy

  • Authorization scheme violation message not translatable?

    Hello team,
    could you please confirm that the authorization scheme violation message is not included in the translatable text for some reason?
    I can't find it in the list of texts to be translated even after seeding the application.
    Bye,
    Flavio
    http://oraclequirks.blogspot.com/search/label/Apex

    Hello gents,
    it's curious because after doing some tests i was almost convinced it was a sort of "feature".
    From the behavior of the application i see that the authorization code is not duplicated in a translated application as it happens for most other components, as a result if i modify the authorization violation message, the change becomes effective immediately across all translations.
    In view of this fact i developed the fancy theory that this was a security measure to prevent that a non-updated translated application could serve as a "trojan horse" to access a restricted page in virtue of the lack of control...
    Anyway, i'm glad to hear that my theory is a nonsense :-D
    Bye,
    Flavio
    http://oraclequirks.blogspot.com/search/label/Apex
