Url and DAD authentication

Similar Messages

• Session Timeout and DAD Authentication

  My application uses the authentication scheme 'No authentication (using DAD)'. The users log in from an external program and the user IDs are captured in the variable remote_user. My authorization scheme checks that the user ID exists in a database table. All this seems to work fine.
  However, I need to implement a session timeout on the application. I've followed the steps described in the "Automatic Session Timeouts" utility in the Application Express Studio but when I tried to modify the authentication scheme by adding:
  return auth_pkg.check_timeout;
  to the Session Verify Function I got the following errors:
  No functional attributes may be set when page sentry function is '-DATABASE-'.
  and
  Session verification function may not be specified if page sentry function is specified.
  I'm new to Apex and I don't know where to go from here. Any advice please?
  Thanks
  Maria

  Maria,
  The usual way to do the authentication part is to use a custom page sentry function. Many examples have been posted on the forum based on the ntlm page sentry code. Search for those keywords here (ntml page sentry) and you should find it easily. Then you can modify it by adding the session timeout logic in that function.
  Scott

• SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

  Hi Experts,
  We have the following requirements:
  1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
  2. ECC6 user-id's differ from Active Directory user.
  3. User logs in to Active Directory.
  4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
  5. User wants to log on to Portal/EP, with a user-name password promt, using the Active Directory Credentials.
  The following suggested solution was the closest to the requirement (without to much technical detail):
  1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
  This should enable the user to, after having logged onto the Active Directory, to open the SAPGUI and WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstations GUI.
  2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
  This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, without WITHOUT user-name password prompt.
  Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active directory users).
  Regards.

  AJP,
  The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.
  If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
  Thankyou,
  Tim

• Issue with DAD authentication and Interactive Reports

  Apex version 3.1.1.00.09
  I have an application which is using DAD authentication. Since changing the authentication model I have noticed that I lose some of the Interactive Report functionality specifically the ability to save reports.
  Post authentication I can get the user info by calling owa_util.get_cgi_env('REMOTE_USER')
  However when I reference V('APP_USER') it returns APEX_PUBLIC_USER. Is this the reason for the loss of interactive report functionality. If so is there a workaround?
  Thanks in advance

  When the authentication model is set to Application Express
  The user test_sso (which has end user rights only) has the ability to Save Report within an Interactive Report.
  When the authentication model is set to DAD
  A user who can authenticate against the DAD does not see the option to Save Report in the Interactive Report actions menu.
  As a developer when viewing the Interactive report I have the option to Save Report*
  Is this correct behaviour? I want the end user to log on to the application seemlessly and still have the ability to save a report.
  Thanks
  Paul

• Logged Out session can be accessed again After logout (DAD authentication)

  Hello,
  Please find the details of my problem below:
  SCENERIO:
  Current Authentication: No Authentication (USING DAD)
  Authorization: MYAUTH
  Frequency: Once Per Session
  declare
  lv_retval boolean;
  lv_srec pkg_myutil.r_sessionrectype;
  begin
  begin
  -- This is NOT Apex Session. I am checking the entry in a table to make sure user is logged in
  -- and the link is not opened directly. In short making sure user opened the Apex link from the
  -- Oracle Forms application.
  lv_srec :=pkg_myutil.get_session_info(:P1_SID);
  if lv_srec.valid_session then
  lv_retval := TRUE;
  else
  lv_retval := FALSE;
  end if;
  exception
  when others then
  lv_retval := FALSE;
  end;
  return lv_retval;
  end;
  The Application Security property Authorization is set to : MYAUTH
  Logout Navigation Bar Entries-URL TARGET: http://myapp.mycompany.com/pls/apex/apex_custom_auth.logout?p_this_app=105&p_next_url=http://mycompany.com
  ( I cannot put this in the Authentication Logout URL as using -DATABASE- as sentry function (DAD authentication) gives me error: No functional attributes may be set when page sentry function is '-DATABASE-'.))
  so i directly modified the navigation bar entry
  Now I open the apex link from my forms application, and it Works fine. For example
  http://myapp.mycompany.com/pls/QRYONLYDAD/f?p=105:1:2524984933940261::NO::P1_SID:0137099300:
  The authorization function takes the P1_SID value and checks in database,finds the entry so returns TRUE to display the page 1 which i call Menu page.
  If I click logout, it works and takes me to the Mycompany home page.
  My question:
  If save that link and try to access it again AFTER LOGOUT, it still displays the page. Although the session is logged out, how come it still allows to access the page? The authorization function also doesn't fire which would have prevented it atleast. How APEX knows it still a valid session even after logout happens?
  I can see that Since there is DAD authentication, the login happens automatically........ but I cannot change that method. What other option do i have?
  Please help.
  Jay

  1.) Code for the function:
  Basically we are using a private DBMS_PIPE to pass a randomly generated string and read that pipe from Apex using get_session_info. Nothing to do with Apex Session. We just want to make sure the user opened the Apex link from the application.
  function get_session_info (p_session_id varchar2) return pkg_myutil.r_sessionrectype is
  rv_sessionrec eft.pkg_myutil.r_sessionrectype;
  lv_status NUMBER;
  lv_app_id varchar2(20);
  lv_EMPID VARCHAR2(20);
  lv_timeout BINARY_INTEGER := 0; --A timeout of 0 allows you to read without blocking. otherwise the pipe will keep waiting and our purpose won't be solved
  lv_rmstatus number;
  begin
  begin
  -- Valid Session theme: If the pipe doesnot exist means the url is not requested from inside the Forms application.
  lv_status := DBMS_PIPE.RECEIVE_MESSAGE(p_session_id,lv_timeout);
  IF lv_status <> 0 THEN
  raise_application_error(-20003,'Error while receiving.Status = ' || lv_status);
  END IF;
  DBMS_PIPE.UNPACK_MESSAGE(lv_app_id);
  DBMS_PIPE.UNPACK_MESSAGE(lv_EMPID);
  if lv_EMPID is null then
  raise_application_error(-20004,'User EMPID is null in the session info.');
  end if;
  -- construct return record
  rv_sessionrec.session_id:=p_session_id;
  rv_sessionrec.valid_session :=TRUE;
  -- remove pipe
  lv_rmstatus:=DBMS_PIPE.REMOVE_PIPE(p_session_id);
  if lv_rmstatus <> 0 then
  null; -- think what to do
  end if;
  exception
  when others then
  rv_sessionrec.session_id:=p_session_id;
  rv_sessionrec.valid_session :=FALSE;
  end;
  return rv_sessionrec;
  end get_session_info;
  2.) I guess you are right. But doesn't Apex use the Userid and password hardcoded in the DAD? because it displays the username in DAD on the page footer. But It will authenticate everytime. So I want to put another layer so that my pipe verification code executes everytime which can decide whether to show the page or redirect to a error page.
  If i put in a On-Load Before Header Process on Page 1 with the pl/sql code, is there a way there to redirect to different page? I couldn't think of a way to do it. Then i can remove the code from authorization scheme and add to the On-Load process?
  Does this help any?
  Thanks for your prompt response.
  Thanks,
  Jay

• Get site collection url, site url and list url from a full uri?

  If I have incoming: only URI's of the format http://a.b.c/d/e/f/g/h/i/j/k/l/m/n/o/p.docx
  (And these are coming from multiple farms and multiple site collections) (and i have a web api on some remote server) (and have all the authentication details)
  And I want to query just the single the item via csom : check one column and if value="yes" then download the doc:
  a. how do i get the absolute site url out of it for " clientcontext ctx = new clientcontext(THISURL) "
  b. how do i then get the list uri out of it to push a caml query to to then retrieve it
  I could :
  a. strip off the filename, that is the easy part :)
  b.  I could paste "/_api/contextinfo" behind it and POST it first as a httprequest. Then first get the site and web url and later on
  find a way to find the list url (which is probably the first item behind the fullWebUrl), but it seems weird to mix this in the mix
  Basically im looking for something that tells me what is what in http://a.b.c/d/e/f/g/h/i/j/k/l/m/n/o/p.docx

  Sorry, GetList is only available in the O365 version of Microsoft.SharePoint.Client. If you could test for a root site collection and if there is not one then take the scheme ... + Uri.segments[0] and then get the context. After that you can use
  the GetFileByServerRelativeUrl. The following demonstrates this.
  public static void GetFileList()
  string fileUrl = "http://basesmc15/teamonesubone/teamsubonesubone/Shared%20Documents/folderholder/newauthor6.pdf";
  Uri fileUri = new Uri(fileUrl);
  Uri webUrl;
  ClientContext rootContext = new ClientContext(fileUri.Scheme + Uri.SchemeDelimiter + fileUri.Host);
  webUrl = Web.WebUrlFromPageUrlDirect(rootContext, fileUri);
  ClientContext subContext = new ClientContext(webUrl.ToString());
  File file = subContext.Web.GetFileByServerRelativeUrl(fileUri.AbsolutePath);
  List list = file.ListItemAllFields.ParentList;
  subContext.Load(list);
  subContext.ExecuteQuery();
  Blog | SharePoint Field Notes Dev Tools |
  SPFastDeploy | SPRemoteAPIExplorer

• Username and Password authentication

  Hi,
  I am new to both JDBC and MSSQL. I've been connecting to msSQL server without providing username and password (DriverManager.getConnection(String url)). I am wondering how to enforce the username and password authentication so that username and password have to be verified before a connection is made. Thanks in advance.

  but where can I get the username & password? I can get
  the connection even with any username & password, why?Hi WeiHang,
  This is regarding the options you have set in the SQL Server. You have to choose from Windows NT authentication and SQL Server Authentication. If you give SQL Server authentication you have mentioned the username and password and you can connect to database simple using DSN(if you are using JDBC-ODBC). However if you choose WindowsNT authentication you donot specify the user name and password there and you have to enter the same at runtime.
  Hope this can help you

• Redirect to custom url after successful authentication by OAM

  Hello,
  I need to redirect the user to some custom url instead of original requested url after successful authentication in OAM 11.1.2 (11g release2).
  The requirement in my case is depending upon the user type and the region(one of the user's ldap attributes) it belongs to, it should be redirected to one of the 2 available applications.
  I have tried implementing the same using custom authentication plugin in which I have used RedirectionActionContext class.
  I have also tried setting plugin response as REDIRECT and specifying the custom page url.
  I have also tried changing the "resource_url" parameter in authentication context.
  However, none of above approaches are working.
  Can anybody help me?
  Thanks,
  Purva

  Hello,
  I have exactly the same requirement. Have you solved the problem?
  Thanks,
  Purva

• Clear VS Plain and other authentication methods

  I tried this setup, Jeff... gets me to the login page fine... but doesn't seem to recognize any of my email logins (all which are virtual).
  I have a website setup as MAIL.MYDOMAIN.COM... port 80...performance cache OFF... and pointing to /usr/share/squirrelmail. I tried these settings with OPTIONS-->WebMail both checked and unchecked. Doesn't seem to make any difference.
  However, I had disabled CLEAR in Advanced->Security->Authentication after reading another poster's comments regarding his server becoming a spam relay. Enabling CLEAR again made your SM setup work.
  So, now.. what do I do to make this setup work with an AUTH scheme other than "Clear"? And how does "Plain" differ from "Clear"?
  Thanks for the education.
  As Alex mentioned, turn off the performance cache.
  You can change the port in ServerAdmin to something
  else (you mentioned 8010, which is fine).
  You may need to create a seperate Site for Webmail if
  you don't have one already.
  To take this a step further....
  My preferred (non-SSL) setup is this:
  - Assuming you already have DNS of mail.domain.com
  - Create a site for mail.domain.com (port 80)
  - In Sites/General, port 80
  - In Sites/General Web Folder
  "/usr/share/squirrelmail"
  - In Sites/Options, turn off Perf Cache.
  If you do the above, when you hit
  http://mail.domain.com
  You will go straight to Squirrelmail without having
  to add a /webmail to your url and without having to
  use a different port #.
  Jeff

  Since you disabled "clear", you will need to configure SquirrelMail to use Cram-MD5.
  To do so run:
  sudo /etc/squirrelmail/config/conf.pl
  and adjust your IMAP and SMTP settings

• SCOM 2012 R2 - How to create a Web Application Monitor for an URL requiring certificate authentication

  Hi All,
  It looks like in SCOM 2012 there are two ways to monitor a web application (URL monitoring):
  Way no 1: (Using the Web Application Transaction Monitoring template)
  Way no 2: (Using the Web
  Application Availability Monitoring template)
  We have created some monitors using
  Web Application Availability Monitoring to check if URL is up without any authentication method.
  However, we have few URLs for which we need Client Certificates to be used for accessing them but found no option in SCOM 2012 to configured the certificates. 
  I have searched a lot on the Tech Net library but no clue.  Does anyone know how to successfully monitor an URL requiring certificate authentication on SCOM 2012 ? or, at least, using no matter which method?
  Thanks.
  Regards,
  Raju.

  Hi,
  Based on my research, it is not possible by using the built-in monitoring templates. Both of them handles “normal”, server-side, SSL-certs, and the transaction monitor handles basic/digest/NTLM authentication, but client certificate based authentication
  is not a configurable option.
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Regular and Client-authenticated HTTPS?

  Hello guys,
  I am having trouble editing the deployment descriptor. This is the first time I deal with HTTPS, and I have tried to solve my problem by reading documentation on my own (namely, the servlet specification 2.4).
  I am developing a web application to be run on Tomcat 6 with JRE 6. I need to secure my application; certain parts need to be accessed via regular HTTPS (i.e. without client-certificate authentication); other parts need to be accessed via client-certificate authenticated HTTPS. I am not all that sure if I am modifying my web.xml correctly. I also want to restrict the access method to POST (i.e. I want to deny GET requests to these pages).
  Right now, I have added the following to my web.xml:
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>client-certificate authenticated pages</web-resource-name>
            <url-pattern>*.cca</url-pattern>
            <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
            <role-name>cca_user</role-name>
       </auth-constraint>
       <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>regular https pages</web-resource-name>
            <url-pattern>*.rh</url-pattern>
            <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
            <role-name>rh_user</role-name>
       </auth-constraint>
       <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
  </security-constraint>As you can probably notice, the two instances of <security-constraint> are almost identical. So here are the problems:
  1. Something must be missing before the difference between client-certificate-authenticated https and regular https is established.
  2. Since I want to force the use of client-certificate-authenticated https on requests to *.cca, I must let the application server know which client identity I am expecting. I still have no clue how to do that.
  3. I put <http-method>POST</http-method> in both instances of <security-constraint>, but I doubt it does what I mean it to do. It probably means to apply the security constraint only if the matching URLs are accessed via POST (i.e. no security is required when these pages are accessed via GET). This is not the behaviour that I want.
  Can somebody help me with the above problems?
  Edited by: SwordAngel on Jul 30, 2008 4:15 AM

  Hi Jacob,
  Take a look at the simple, one way SSL example [1] however it sounds
  like you want to have the client provide a cert back to the server,
  implying two-way SSL. You can find a two-way example here [2].
  Regards,
  Bruce
  [1]
  http://webservice.bea.com/simpleSSL.zip
  [2]
  http://webservice.bea.com/SSL2way.zip
  Jacob Anderson wrote:
  >
  Got some web services that are document and document wrapped. Have generated the
  client stubs using <clientgen> ANT task from BEA. Time to run a test against
  the web services, but they have to run on HTTPS. When I invoked my web service
  using the HTTPS://.... URL, I got this:
  [java] 5) testQuoteStubs(com.arrow.arrowsoap.client.QuoteServiceClientTest)
  weblogic.webservice.tools.wsdlp.WSDLParseException: Failed to retrieve WSDL from
  https://localhost:7002/QuoteService?WSDL. Please check the URL and make sure
  th
  at it is a valid XML file [javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIF
  ICATE - A corrupt or unuseable certificate was received.]
  Cool. So how do I assign a default CERT to the https client? This is on a developer
  instance of WL 8.1. I don't want to run the test on HTTP b/c I need to see how
  it works with HTTPS (need to simulate a bona fide downstream user). Any help
  is greatly appreciated.
  Thanks
  -Jake

• Disadvantages of DAD Authentication

  Dear Apex users,
  Apex is a very nice tool to use, but sometimes it's hard to use features in the database. Almost all the authentication methods log on to the database with a single scheme, except the DAD Authentication Scheme.
  This way it's hard to implement security in the database. CDM Ruleframe for example uses USER to fill journaling columns. With Apex this will result in APEX_PUBLIC_USER being the only user to modify the database. When you want to implement this right it's neccessary to change the code generated by CDM Ruleframe. But also the role based security is based on the user(=schema) that is logged on. You can use VPD, but this is much more complicated.
  So I was very happy to find out that it is possible to log in as a real database user, being recognized by the database, using the Database Authentication (via DAD without username or password). When I perform htp.p(USER) in Apex it shows the real database user!
  Yet the manual warns to only temporarily use this method, I cann't figure out why.
  Are there (security?) reasons not to use this method?
  Greets, Dik

  Dik,
  You can always use the expression nvl(v('APP_USER'), user) to identify the authenticated user for journaling and the like.
  If you use basic authentication (no username/password in DAD) the session user will be the authenticated user, as you point out. However, you still can't use roles other than to interrogate the roles the current user has been granted and to make decisions based on that.
  The User's Guide describes the main disadvantage of this method:
  "The main drawback of this approach is burdensome account maintenance, especially if
  users do not administer their own passwords, or if their database accounts exist only
  to facilitate authentication to your application."
  Scott

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel

• Why is it that when I change the contacts on my phone, it changes them on my mom and dad's as well?

  My family and I recently got iPhones for Christmas. One for my dad, one for my mom, and one for me.  We also have an iPad 2.  They are all hooked up to iCloud via one username.  When we got the phones, we had trouble transferring our contacts from our old verizon phones to our new apple ones but we eventually got the contacts we needed.  At first, my mom's phone was not connected to the iCloud account shared by the rest of us and the iPad.  She wanted the calendar from the iPad so I deleted the account on her phone and added the iCloud account that the iPad was using.  All was fine until my dad and I realized that our contacts were wiped from our phones and replaced with my mom's.  I then started painstakingly deleted my moms contacts and replacing them on my own on my phone.  However, contacts were being deleted from my mom and dad's phone at the same time.  It's almost like the three phones are constantly synching with each other.  It would be ideal if we could get all of our contacts back the way they were before my mom changed her account but we would settle for this constant synching to stop. Please give us some direction here, we are new to this. Thanks in advance!

  Why is it that when I change the contacts on my phone, it changes them on my mom and dad's as well?
  Because, as you said "They are all hooked up to iCloud via one username. ". That is exactly what iCloud does.
  You need independent iCloud accounts for each person to maintain independent contact lists.

• Read file from URL and save to FTP

  Hi,
  I have worked in java few years back, now I am out of touch. My friend asked me to create an applet program for him which he can use to download a file from remote location to his ftp server.
  For e.g.
  File
  http://www.demo.com/filename.avi
  Saved to
  ftp://username:password@ftpsite_address/foldername
  I was searching for the classes which I can use to achieve this functionality.
  To save to FTP
  URL url = new URL("ftp://username:[email protected]/folder/filename");
  URLConnection urlconnection = url.openConnection();
  long l = urlconnection.getContentLength();
  OutputStream outputstream = null;
  outputstream = urlconnection.getOutputStream();Using the above code I can get the outputstream to which I can write.
  I am now stuck here, have some doubts.
  What all classes should I use to read a file like
  http://www.demo.com/filename.avi
  I know I can use URL to open connection to URLS and then streams to read the url.
  I am interested in knowing the class which I should use to read any type of file. File can be zip/avi/rar or anything else.
  What all method of the class should I use to read the file which will support all type of files.
  Which classes should I use to write the files. The files are going to be huge in terms of size.
  I have searched everywhere but every place different classes are used.
  Any help is appreciated.

  Ok now I have started coding but facing a problem.
  [PHP]try {
       URL url = new URL("http://url_to_file/test.txt");
       URLConnection urlconnection = url.openConnection();
       long l = urlconnection.getContentLength();
       fTextArea.append("Content Length = " + l);
       BufferedReader in = new BufferedReader(new InputStreamReader(url.openStream()));
       String line;
       while ((line = in.readLine()) != null)
            fTextArea.append("\n"+line);
       in.close();
  } catch (Exception e) {
  fTextArea.append(e);
  return;
  [PHP]
  When I run this code locally it works fine but when run in browser it shows security exception
  java.security.AccessControlException: access denied (java.net.SocketPermission site:80 connect,resolve)
  What should I do to resolve this error. Sorry for being such a noob but do not have much info about this.