Setting up a custom authentication scheme
Hello APEX Community,
I'm working on creating an RSVP site for an upcoming event, but I want to limit the number of "random" users that try to sign in by implementing some sort of password system.
I am running this on apex.oracle.com...
What I have currently set up is the following:
I have a table (user_auth) that stores a list of passwords. I will send individual people one password that they will type in on the login page.
The issue I have right now is how to implement the authentication scheme...
Based on the authentication drop down options, I should be choosing "Custom"... But I am stuck at this point...
I have created a function called "my_authentication" (code provided below) and entered "my_authentication" as the Authentication Function Name, but when I test it, it keeps failing. I left the Login page as is, I don't enter a user name but I enter a valid password from the user_auth table. When I hit Login, it just boots me back to the login page. Do I need anything for Sentry Function?
create or replace function my_authentication (
p_username in varchar2 default null,
p_password in varchar2)
return boolean
is
l_count number;
l_return_value boolean;
begin
select count(*) into l_count from user_auth t where t.user_password = upper(p_password);
if (l_count > 0) then
l_return_value := true;
else
l_return_value := false;
end if;
return l_return_value;
exception
when no_data_found then
return false;
end my_authentication;Please let me know if you want me to elaborate further...
Thanks and regards,
Ivan
Hi Scott,
Thanks for replying and sorry it took so long to get a reply back.
I hope the following makes sense.
1: When I say "it keeps failing", what happens is when I enter just the password, and hit "Login" it just boots me back to the Login page and no error is displayed.
2: Yes, I don't have any encryption at all but I have x number of randomly generated strings stored in that table, and what I was hoping to do was have the user enter the password and then have it go and confirm that that is one of the x number of strings in the table.
The problem I'm starting to realize with this approach is that the passwords are not displayed. Users just see *'s instead. My approach now is to use an Open door authentication and have them enter the password there to log in, and upon logging in, it will assign value to a global value that checks to see if it's a valid password... (passes back user_id for a matching user_password). If the password is invalid, it will pass a -100 or something...
This seems like a somewhat effective way of getting around the authentication. I guess my next challenge is to figure out how to boot invalid users back to the login page in an Open Door Authentication scheme.
Ivan
Similar Messages
-
Apex Custom Authentication Schema Page Sentry Error
Hi,
I am using Application Express 4.0.0. I am struggling with a strange problem while trying to implement custom authentication schema.
I declare a page sentry function 'page_sentry' which returns TRUE or FALSE based on certain conditions. My page_sentry is as follows:
FUNCTION PAGE_SENTRY RETURN BOOLEAN
IS
l_username VARCHAR2(512);
l_session_id NUMBER;
BEGIN
IF USER != 'APEX_PUBLIC_USER' THEN
RETURN false;
END IF;
l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;
-- check application session cookie.
IF wwv_flow_custom_auth_std.is_session_valid THEN
apex_application.g_instance := l_session_id;
l_username := wwv_flow_custom_auth_std.get_username;
wwv_flow_custom_auth.define_user_session(
p_user => l_username, p_session_id => l_session_id);
RETURN true;
ELSE
--redirect to login page using OWA_UTIL.REDIRECT_URL
END IF;
RETURN false;
END page_sentry;
And Cookie Name : _AUTH
At first, It always returned FALSE. I wasn't getting any error. However, even after forcibly returning TRUE from the page_sentry function the redirect was still not happening. I tried to look into what cookies were being set for the same and I found this:
Name: ApexLibErrorStack1
Content: page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication
I couldn't find any relevant help for this. Worst of it is I cannot set any cookie from the page_sentry function at all. Please help!Hi all.
Can someone please help me out with the above issue. I am not sure if things are wrong at my end or is this an apex bug.
--Update:
The source of my problem perhaps lies in the manner in which I have configured my Oracle HTTP Server. When I disable port HTTP server on port 80 and run apex without it on default port 8080, the custom authentication schema cookie gets set.
Executing the following with Oracle HTTP Server:
OWA_UTIL.PRINT_CGI_ENV;
gives:
HTTP_COOKIE = ApexLibErrorStack1=page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication.; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL
And without HTTP Server:
gives:
HTTP_COOKIE = WWV_CUSTOM-F_1420403886791332_100=9625AAC49B9951D8;......
Did I miss something in my HTTP server configuration ?
Edited by: pc on Jan 2, 2012 3:15 AM -
Restful Web Services - First Party Authentication with custom authentication schemes
Hi
I've successfully enabled security using first party authentication on our Restful web services however these only work with the built in Apex accounts and not other authentication schemes.
Ideally I'd like to authenticate against LDAP, however when I enable this authentication scheme the restful services don't work as they only support the Apex accounts.
Has anyone implemented LDAP authentication for Apex restful web services, either directly or using Glassfish ? Does anyone know if support for custom authentication schemes on the feature roadmap for a future Listener release ?
I attempted to configure the glassfish application against LDAP but am still working on it.. glassfish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for Apex would be appreciated.
Thanks
KesHi Gemma,
unfortunately at the moment you are caught between a rock and a hard place:
- As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
- Listener can only authenticate against the the APEX user repository, it cannot integrate with custom APEX authentication.
There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
Thanks,
Colm Divilly -
Custom authentication scheme: Invalid Session Target
Yesterday I spent a lot of time figuring out what was happening and I'm not sure if this is a bug or a feature...
Create an application with some public pages (1,2,101) and some non-public pages (3,4).
Created a list on page 0 listing all pages but only listing page 3 and 4 when user is logged in.
Created a custom authentication scheme.
Running the application showed me the page 1 and the list containing 1,2,101.
I could navigate to 101 and then log in after which I was taken to page 1 showing only 1,2,101.
I changed page 101 so that it would take me to page 3 after logging in and it did. The list showed me 1,2,101,3,4 and the username was also visible.
I could visit all pages correctly except page 1. Whenever I navigated to page 1 I effectively got logged out.
Finally I discovered that I had set "Invalid Session Target" to page 1 in my authentication scheme.
Is this the intended effect ?Rene,
When a page is selected in the authentication scheme's Invalid Session Page LOV, it gets designated as "the login page". Whenever this page is rendered, APP_USER is null and APP_SESSION is a new session ID. This accounts for what you saw. It's sort of a quirk more than a bug or feature and we ought to properly document this behavior. If, for some reason, you needed a login page that you could navigate back to (after login) in the current session and using the current APP_USER value, you can deselect the page from the Invalid Session Page LOV in the authentication scheme and instead code this in the Invalid Session URL:
f?p=&APP_ID.:101:&APP_SESSION.
...using 101 as the login page, but it can be any page ID as long as it's a public page.
Scott -
Customized authentication scheme unauthorized when using help
I am receiving an unauthorized message when clicking on help on a label. The message was not being received until the customized authentication scheme was enabled.
If you still need help with this, please provide all the usual information: a complete description of the situation, an example on apex.oracle.com if possible, your version of apex and database, all custom code, all authentication scheme details, etc.
Also, please tell us your first name and put it into your handle and/or profile to help us.
Scott -
Question about setting cookies and custom authentication
I have a question about setting cookies.
I have two different 'projects' in HTMLDB - we will call them App1 and App2.
I also have two different connection configurations setup in the DADs.conf file. - we will call them Connect1 and Connect2.
App1 is setup to use database authentication (no user is specified in the DAD) and uses Connect1. Once the user successfully logs in, we set a username cookie (this is a persistent connection).
We created a custom authenticatoin scheme for App2 - this scheme checks for the username cookie (set by App1). We would like for App2 to use Connect2 (HTMLDB_PUBLIC_USER is the default user specified and it uses connection pooling).
Is it possible to set a cookie from App1, Connect1 for App2, Connect2 - then redirect to App2 and pick up that cookie?
Here is an example of what we are trying to accomplish:
A user loggs into App1, we set a cookie, and the user is redirected to App2. If the cookie exists, we allow them access to the home page in App2, if no cookie, we redirect back to a 'Login Failed' page in App1. We don't want App2 to use the same database connection as App1 though, we need App2 to use connection pooling.
Is this possible? OR...Is there a better way to accomplish what we want to do?
This is an enhancement to an existing app. Our requirements are to use Database Authentication (setup where pass expires after 60 days or so, cannot reuse last 3 passwords, etc.) - which is already setup and being used by other applications in our organization. All of our users have accounts in the database. We don't want users to have a new username/pass - and we don't want to manage a separate group for HTMLDB apps.
The existing application uses HTMLDB's built in authentication - which uses database username/pass, and it uses connection pooling, but we cannot handle the pass expire stuff in it, unless there's something we're not seeing or understanding - at least that's how our DBA explained it to us.
Any help with this will be appreciated so much. I can send you the code we have if needed.
Thanks!Same problem here. I have so many problems with this remote app. Is there an iTunes API? I would like to write my own remote app that actually works.
-
Custom Authentication Scheme - How To
For anyone who is interested in implementing your own Authentication Scheme, I have published an article on my blog. It covers the basic steps needed and can be extended in any number of ways to suit your additional needs.
http://djmein.blogspot.com/2007/07/custom-authentication-authorisation.html
DuncanHi Duncan,<br><br>
Thanks for your article. <br><br>
Regards,<br>
Gonçalo -
Hello,
I am building a custom auth. scheme that actually checks username/password in a custom table (app_users) [ not DB acocunts] . I have created a package with a login function as follows:
PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
lv_goto_page NUMBER DEFAULT 1;
BEGIN
IF UPPER(p_uname) = 'ADMIN' THEN
lv_goto_page := 1;
ELSE lv_goto_page := 100;
END IF;
wwv_flow_custom_auth_std.login ( p_uname => p_uname,
p_password => p_password,
p_session_id => p_session_id,
p_flow_page => p_flow_page || ':' || lv_goto_page );
EXCEPTIONWHEN OTHERS THEN
RAISE;
END login;
and a valid_user function in that package that simply returns TRUE if username/password are correct in APP_USERS table.......
and then I have changed the 101 login page login process to :
app_security_pkg.login(
P_UNAME => :P101_USERNAME,
P_PASSWORD => :P101_PASSWORD,
P_SESSION_ID => v('APP_SESSION'),
P_FLOW_PAGE => :APP_ID||':1'
+);+
and created my own auth. scheme and enterd this in the auth. function field :
return app_security_pkg.valid_user
My question is , this is not working when I enter a valid username/pass from APP_USERS because I think it still points to oracle's db users .... Where should I make the built in function wwv_flow_custom_auth_std.login point to my APP_USERS table instead ????
Thanks,
Sam KGus,
The only code I have is for the authentication package and here it is :
create or replace PACKAGE BODY app_security_pkg AS
PROCEDURE login ( p_uname IN VARCHAR2 ,p_password IN VARCHAR2 ,p_session_id IN VARCHAR2 ,p_flow_page IN VARCHAR2 ) IS
lv_goto_page NUMBER DEFAULT 1;
BEGIN
IF UPPER(p_uname) = 'sam' THEN // just for test. sam is a username in app_users
lv_goto_page := 1;
ELSE lv_goto_page := 100;
END IF;
wwv_flow_custom_auth_std.login ( p_uname => p_uname, p_password => p_password, p_session_id => p_session_id, p_flow_page => p_flow_page || ':' || lv_goto_page );
EXCEPTION WHEN OTHERS THEN
RAISE;
END login;
PROCEDURE add_user ( p_username IN VARCHAR2,p_password IN VARCHAR2) AS
BEGIN
INSERT INTO app_users (username, PASSWORD)VALUES (UPPER (p_username),get_hash (TRIM (p_username), p_password));
COMMIT;
EXCEPTION WHEN OTHERS THEN ROLLBACK;
RAISE;
END add_user;
FUNCTION get_hash (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
RETURN DBMS_OBFUSCATION_TOOLKIT.md5 (input_string => UPPER (p_username)||'/'||UPPER (p_password));
END get_hash;
PROCEDURE valid_user2 (p_username IN VARCHAR2, p_password IN VARCHAR2) AS
v_dummy VARCHAR2 (1);
BEGIN
SELECT '1' INTO v_dummy FROM app_users
WHERE UPPER (username) = UPPER (p_username) AND PASSWORD = get_hash (p_username, p_password);
EXCEPTION WHEN NO_DATA_FOUND THEN
raise_application_error (-20000, 'Invalid username / password.');
END valid_user2;
FUNCTION valid_user (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
BEGIN
valid_user2 (UPPER (p_username), p_password);
RETURN TRUE;
EXCEPTION WHEN OTHERS THEN
RETURN FALSE;
END valid_user;
END app_security_pkg;and in the shared components >> current auth. scheme is myscheme >> Auth. Function : return app_security_pkg.valid_user
and in page 101 login process :
app_security_pkg.login(
P_UNAME => :P101_USERNAME,
P_PASSWORD => :P101_PASSWORD,
P_SESSION_ID => v('APP_SESSION'),
P_FLOW_PAGE => :APP_ID||':1'
);Thats it ! I hope this helps you figuring it out ;)
Thanks,
Sam -
Setting a OAM custom authentication response
I'm working on OAM 11.1.1.5.0 BP03 and trying to use a custom authentication plugin to add a response to the HTTP header. I need to add information to the HTTP header that cannot be provided by a response on the Protected Resource Policy.
I can see using log entries that my plugin is working but I have a sample JSP landing page that OAM redirects to that just dumps out request.getHeaderNames and I don't see the value set by the plugin.
I was assuming that the PluginResponse class would suit my needs but I've tried every type of PluginAttributeContextType and cannot get it to work.
Is this possible? What code should I have written?
Here's a sample of what I tried:
PluginResponse response = new PluginResponse();
response.setName("OAM_TEST_KEY");
response.setType(PluginAttributeContextType.CLIENT);
response.setValue("TESTVALUE");
context.addResponse(response);Hi Ewan,
Instead of writing a custom plugin and maintaining it in case future upgrades is going to be cumbersome. I would suggest introduce OVD in your environment. Create a Join Adapter. This Adapter would join your LDAP server and AD Server users using employee ID. That way you can use a supported configuration and avoid writing a plugin. Now the user visible to OAM via OVD would have the LDAP attribute of AD username and hence you can set it as a header variable. Or you can setup Sync between your LDAP and AD. Most of the industry standard LDAP servers such as OID, ODSEE etc allow you to sync user information. That way you can fetch AD username attribute to your LDAP server. It doesn't need to have same attribute in your LDAP server. It can be stored in any attribute of LDAP server with a valid value. All you need to do is set header variable using attribute which contains the AD username attribute value.
Regards,
Yagnesh -
Strange problem when using custom authentication schema
Hello,
I'm building a custom authentication system for the application. Basically, I followed the blog post from Martin: http://www.talkapex.com/2009/03/custom-authentication-status.html
However, the authentication seems working fine at the beginning when running the page 101 from Application Builder and log in, but when I log out from the application (redirect back to page 101) and try to log in with the same credentials, it gives error message "Invalid Login Credentials ". Also, when the application is accessed from public (open page 101 directly using another computer), the authentication doesn't work at all.
Furthermore, I checked the table apex_workspace_access_log and found out that it has "AUTH_SUCCESS" even if using the fake credentials and the login failed (I use "apex_util.set_authentication_result (p_code => 3);" when auth function return false).
I couldn't find the cause of the problem, then I created the same custom authentication in apex.oracle.com. The problem doesn't appear anymore. To make sure they are same, I have double checked the custom authentication in both the development environment and the apex.oracle.com.
This is very strange to me and I don't know where to looking for the problem. Could you give me some advice of what may cause this problem. Thanks in advance!I found the problem myself. The cause is the VPD, the account table has VPD policy applied, which prevented public access.
-
Custom Authentication Scheme - call SSO or Local Process based on User Name
Hi,
We are looking at building a new application that allows employee and public user access.
For staff we want to use Single Sign On as we have for all our other ApEx applications.
For public users (who will register to create an account) we want to use our own Custom Authentication Function.
What I would like to do is to have an Authentication Function along the lines of:
If username like '%@%'
then call Custom Function
else call SSO Funcion.
How do I call the SSO Authentication Function progamatically?
Thanks,
MartinProbably I don't explain myself clearly....sorry for that!
Anyway you are right, the role of the user can change after the user is initially provisioned.
I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
Is it possible with pre-populate adapter?
Sorry again for my not very clear explanations.
Daniele
Edited by: 886636 on Jan 24, 2012 4:10 AM -
Issues while setting up custom authenticator for weblogic
whene can I find sample source code for setting up the custom authenticator.
send a test mail at [email protected], will send u d source code!!
-
Problems with custom authentication when migrating from 3.2 to 4.1.1
Hi,
we’re about to upgrade our APEX instances to 4.1.1 and to migrate our applications. I encountered some problems with our custom authentication schema.
1. Recognize already authenticated sessions: in 3.2 the sentry function could return false as long as the user was not authenticated. Public pages could still be displayed (including the login page). The result of the function apex_custom_auth.is_session_valid returned false until once the sentry function returned true. How can I recognize non authenticated sessions in 4.1.1? I looked for the test the Condition “User is the public user (user has not authenticated)” computes on a page but didn’t found the right one. It’s not what docu states here (comparison with the public user): http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/condition001.htm#HTMDB25943. I replaced the test with p_authentication.username = ‘nobody’. It works. But that doesn’t seem to me to be the right way …
2. Post_logout lacks session context: the Post Logout Procedure does not receive a session_id and username. Neither the V(‘APP_SESSION’) nor p_authentication.session_id are set. This applies to both plugin authentication schemes and non-plugin custom authentication schemes. Is there another way to obtain the logged-out sessions infos or is this a bug?
See apex.oracle.com for a demo, workspace WS_MW, gast/gast. Can someone please guide me the way?
MichaelHello again,
there are no replies until now .... I reviewed some posts regarding custom authentication again and did not find any solution for the issues. Found some that worked with APEX 3.2.1 but not with 4.1.1. I can only work around
1.) in an insecure way, because the non documented (?) user "nobody" can change and all new sessions will be considered authenticated
2.) in a way, that ends up in implementing the logout from the non apex environment outside the authentication schema or authentication plugin.
May be I should contact support for at least the second issue because this doesn't work as documented or am I doing something wrong?
Michael -
Custom Authentication in Apex 4.2
Hi,
I am trying to create a custom authentication scheme in apex 4.2. I have a database table which have username and password in it. I am using a function which returns Boolean after checking the username and password. I have checked it from toad and it works fine. But, when i am calling it from custom authentication it doesn't work.
How can i configure this custom auth into my application,
Thanks,Hello,
Can you please provide more details. What is not working?
Have you created new authentication scheme? Before this, does your application had any authentication scheme?
Best case - create sample application in apex.oracle.com and post credentials so we can have a look
Useful blog entires.. Custom Authentication in APEX and How to setup Custom Authentication in Oracle APEX
Regards,
Hari
Edited by: Hari_639 on Apr 27, 2013 7:56 PM -
Custom authentication - different user - no edit links
Hi
In my apex 3 application I use a custom authentication scheme, in which I validate users against our backoffice tables. However, I don’t have in those tables the database user that I use to develop apex applications.
When I run my application for the first time in the session (from the application builder tool) I am redirected to the login page and need to login. As I have to login using a different user, I don’t see at the bottom of the pages the edit links and I need to go back a number of times to get back to the app builder page.
What is the best practice in this case? Is it possible to tell apex not to use the login page if the app is being run from the app builder tool? (or something like that)
Thanks
LuisHi Scott
Thanks for the reply. I understand why this happens, but I was wondering if there was a way to circumvent this limitation, as I can't login as the database user I am using to build the application (because I don't have that user in my custom authentication scheme).
Of course I could add that user, but as it is maintained by another department (it is a live system and I would have to justify well why I need a new user just for development purposes), I was looking for another quicker, simpler solution.
Thanks
Luis
Maybe you are looking for
-
Need help in HR-ABAP programming stuff
Hi Alls I have been assigned to work in HR-ABAP.I have gud exp in normal ABAP but i am totally new for hr-abap.Could please help to me as u guys are helping to others. What are teh basic things i need to know , so i can start working.. Please send m
-
Slow program response, crashes when creating titles and dynamic link issues
Dear reader, I am now trialling Adobe CC OSX with Premiere Pro and After Effects before deciding to subscribe but I am experiencing a lot of issues while working. I am now working on an animation, but editing raw mxf files also gives crashes and slow
-
ITunes says I haven't authorised it on my computer even though I have
It keeps giving me various error messages, such as number 3048, and I can't download my things that I bought on iTunes, including episodes of various TV shows. I've signed in and authorized iTunes multiple times.
-
Stop capture vs stop change set
Hi i am doing some work with cdc stream, whats the diffrence between stopping capture/apply and disabling change set? which one is recomended way of stopping the cdc ? v11.2
-
Issue with displaying multiple line charts in same applet at a time
Can you please help me in displaying the 3 different line charts in a same applet at at a time. And these 3 line charts taking the data from 3 different queries.