5. Authentication Types
● Apex Authentication
● LDAP
● Database Account
● Open Door Credentials (any username is accepted, no password is checked; for development and testing only)
● SSO
● HTTP Header Variable
● No Authentication
6. Apex Authentication – The Good
● Built in
● Users defined in the Apex workspace
● Quick and easy setup
● User and group management
● Access to all applications in the workspace
9. Database Account – The Good
● Uses existing database accounts
● Handy when migrating from Oracle Forms
● No extra database privileges needed
● Credentials are verified against the database account; no database session is opened as that user
10. Database Account – The Bad
● Not a good long-term solution
● Accounts should be moved to an LDAP or Custom Authentication Scheme
12. Oracle Application Server Single Sign-On (OASSO)
● For use with Oracle Application Server
● Authenticate once and have access to many other applications
● Register Apex as an OASSO partner application
● Uses the OASSO login page
14. HTTP Header Variable
● Used in conjunction with a single sign-on server
● Uses the value of a header variable as the username
● Header variables can be viewed with owa_util.print_cgi_env;
● Only trust the header when every request is forced through the SSO proxy that sets it (and that strips the same header from incoming requests); a client that can reach Apex directly can send any header value it likes
15. Authentication
● Apex tracks the user throughout the session
  ● :APP_USER
  ● &APP_USER.
  ● V('APP_USER')
● Unauthenticated users show up as nobody
16. Settings
● Processing points
  ● Sentry
  ● Pre Authentication
  ● Post Authentication (not when quitting browser)
  ● Session Not Valid (Invalid Session)
  ● Cookies
17. Settings – Sentry
● Replaces the built-in Apex sentry function.
● Called before every page view and asynchronous transaction.
● Returns boolean.
● Ensures the session is still valid.
● When FALSE, the session is killed and the Session Not Valid procedure is called.
18. Settings – Pre Authentication
● Fires before the authentication function.
● Does not fire with outside authentication (SSO) or with No Authentication.
19. Settings – Post Authentication
● Fires after the user is authenticated, the session is registered and the cookie is set.
● Good for logging.
● Does not fire with No Authentication, and not when the browser is closed (it is a login-time hook, not a logout hook).
20. Settings – Session Not Valid
● Fires when the sentry returns FALSE.
● Good for enforcing business rules (e.g. "can't log in on Sundays": the sentry or verify function returns FALSE and the user lands here).
● Specifies where the user will be redirected to.
21. Session Cookie
● Cross-application authentication
● Specify the same cookie name in multiple applications (they must be in the same workspace and use the same authentication scheme)
● Include the session id in the URL when linking between the applications
23. Authentication
● All Apex needs is a TRUE or FALSE from an authentication process
● Apex knows what to do in either case
● Same for all authentication types
25. Authentication Flow
● Each page uses a sentry function to determine whether the session is valid (session ID + cookie)
● Sentry returns TRUE/FALSE
● Invalid session gets redirected to Login (see Application Properties -> User Interfaces)
● Valid (or public) session sees the page
27. Login Page Processing
1. Get Username Cookie – reads LOGIN_USERNAME_COOKIE
2. If it exists, populate P101_USERNAME
3. The password field does not save state
4. When the page is submitted:
  1. The login cookie is set with the username value
  2. The APEX_AUTHENTICATION API passes username and password to the current authentication scheme, which returns TRUE or FALSE
  3. When TRUE, session info is stored in WWV_FLOW_SESSIONS$
  4. A process clears the page cache for the login page
  5. The browser is redirected to the next page
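The login and logout steps listed above, written out as the page processes of a custom login page. This is an added example, not code from the original deck; it uses the documented APEX_AUTHENTICATION API (APEX 4.2 and later) with the page 101 item names the slides use. The declarative processes Apex generates for a default login page do the same work; the wording of their bodies may differ.

```plsql
-- Added example (not from the original slides). Assumes a login page 101
-- with items P101_USERNAME and P101_PASSWORD, as in the slides.

-- Steps 1 and 2: Before-Header process "Get Username Cookie".
-- Pre-fill the username from LOGIN_USERNAME_COOKIE if it exists.
BEGIN
  IF :P101_USERNAME IS NULL THEN
    :P101_USERNAME := apex_authentication.get_login_username_cookie;
  END IF;
END;

-- Steps 4.1 to 4.3 and 4.5: After-Submit process "Login".
-- Remember the username in the cookie, then hand username and password to
-- the current authentication scheme. On TRUE, Apex registers the session
-- (WWV_FLOW_SESSIONS$), sets the session cookie and redirects to the home
-- page; on FALSE it re-displays the login page with the failure message.
BEGIN
  apex_authentication.send_login_username_cookie(
    p_username => LOWER(:P101_USERNAME));
  apex_authentication.login(
    p_username => :P101_USERNAME,
    p_password => :P101_PASSWORD);
END;

-- Step 4.4: After-Submit process "Clear Page(s) Cache" for page 101, so the
-- submitted values do not linger in session state. Declaratively this is a
-- Clear Cache process; the API equivalent is:
BEGIN
  apex_util.clear_page_cache(101);
END;

-- Logout link (slide 29): &LOGOUT_URL. resolves to a call equivalent to
-- this, which deletes the session and its stored state (slide 30).
BEGIN
  apex_authentication.logout(
    p_session_id => :APP_SESSION,
    p_app_id     => :APP_ID);
END;
```

The step 3 behaviour ("password field does not save state") is a declarative setting on P101_PASSWORD (Session State: do not save), not a process; the clear-cache process is the belt-and-braces for it.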
29. Logout Processing
● Logout can happen at various events
  ● Logout link is clicked
  ● Session duration exceeded
  ● User closes the browser (the session cookie is discarded; the server-side session is purged later)
  ● Session cookie is altered
  ● Etc.
● These events make the session invalid and invoke the Session Not Valid action
30. Logout Cleanup
● When the logout link is clicked, the session is terminated and stored session values are deleted.
● Any other termination invalidates the session state and a purge job cleans up the stored data later (ORACLE_APEX_PURGE_SESSIONS).
38. Custom Authentication
● If the authentication function returns TRUE, Apex redirects to the Home URL.
● The Home URL is set under Application Properties -> User Interfaces -> User Interface Details.
39. Password Security
● Store a password hash, not the password, in the user table (a hash is one-way; an "encrypted" password can be decrypted by whoever holds the key).
● As shown in the deck:
dbms_crypto.hash(utl_raw.cast_to_raw(p_str), 2);
● Caveat: the literal 2 is DBMS_CRYPTO.HASH_MD5 and there is no salt. MD5 is fast to brute-force and two users with the same password get the same stored value. Use a random per-user salt and a stronger, iterated hash (DBMS_CRYPTO.HASH_SH512 on 12c and later), and pass the constant by name rather than as a magic number.
● In the authentication function: hash the submitted password the same way (same salt) and compare it to user_table.password.
40. Additional Processing Points
● Pre-Authentication: before credentials are verified.
● Post-Authentication: only after credentials are verified.
● Session Verify Function: additional business rules on every page view.
● None of these gives you a login throttle; failed-login counting and lockout have to be built into the authentication function itself.
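The following package is an added example, not code from the original slides. It serves slides 39 and 40 together: it replaces the unsalted MD5 of slide 39 with a per-user random salt plus iterated SHA-512, and it adds the login throttle that slide 40 notes the Session Verify Function does not give you. Assumptions: a table MY_USERS as created below, EXECUTE on DBMS_CRYPTO granted to the parsing schema, Oracle 12c or later for DBMS_CRYPTO.HASH_SH512, and the custom scheme's Authentication Function Name set to my_auth.authenticate. The iteration count, failure limit and lock duration are illustrative values.

```plsql
-- Added example (not from the original slides): salted, iterated password
-- hashing plus a failed-login lockout, in the shape Apex expects for a
-- custom authentication function.
CREATE TABLE my_users (
  username      VARCHAR2(255) PRIMARY KEY,
  pw_salt       RAW(16)  NOT NULL,   -- random, unique per user
  pw_hash       RAW(64)  NOT NULL,   -- SHA-512 output
  failed_logins NUMBER   DEFAULT 0 NOT NULL,
  locked_until  DATE                 -- NULL when not locked
);

CREATE OR REPLACE PACKAGE my_auth AS
  PROCEDURE set_password (p_username IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION  authenticate (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
END my_auth;
/

CREATE OR REPLACE PACKAGE BODY my_auth AS
  c_iterations   CONSTANT PLS_INTEGER := 50000; -- assumption: tune to hardware
  c_max_failures CONSTANT PLS_INTEGER := 5;     -- assumption
  c_lock_minutes CONSTANT PLS_INTEGER := 15;    -- assumption

  -- salt || password, then re-hash with the salt c_iterations times, so an
  -- attacker holding a copy of MY_USERS pays the same cost for every guess.
  FUNCTION hash_password (p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW IS
    l_hash RAW(64);
  BEGIN
    l_hash := dbms_crypto.hash(
                utl_raw.concat(p_salt, utl_raw.cast_to_raw(p_password)),
                dbms_crypto.hash_sh512);
    FOR i IN 2 .. c_iterations LOOP
      l_hash := dbms_crypto.hash(utl_raw.concat(p_salt, l_hash),
                                 dbms_crypto.hash_sh512);
    END LOOP;
    RETURN l_hash;
  END hash_password;

  PROCEDURE set_password (p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := dbms_crypto.randombytes(16);      -- fresh salt each time
    l_hash RAW(64) := hash_password(p_password, l_salt);
  BEGIN
    MERGE INTO my_users u
    USING (SELECT UPPER(p_username) AS username FROM dual) s
    ON (u.username = s.username)
    WHEN MATCHED THEN UPDATE SET u.pw_salt = l_salt, u.pw_hash = l_hash
    WHEN NOT MATCHED THEN INSERT (username, pw_salt, pw_hash)
                          VALUES (s.username, l_salt, l_hash);
  END set_password;

  -- Signature required by an Apex custom authentication scheme: TRUE lets
  -- the user in, FALSE sends them back to the login page.
  FUNCTION authenticate (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN IS
    l_user  my_users%ROWTYPE;
    l_dummy RAW(64);
  BEGIN
    SELECT * INTO l_user FROM my_users WHERE username = UPPER(p_username);

    -- Throttle: while locked, refuse without even checking the password.
    IF l_user.locked_until IS NOT NULL AND l_user.locked_until > SYSDATE THEN
      RETURN FALSE;
    END IF;

    IF hash_password(p_password, l_user.pw_salt) = l_user.pw_hash THEN
      UPDATE my_users SET failed_logins = 0, locked_until = NULL
       WHERE username = l_user.username;
      RETURN TRUE;
    END IF;

    -- Wrong password: count it and lock after c_max_failures in a row.
    UPDATE my_users
       SET failed_logins = failed_logins + 1,
           locked_until  = CASE WHEN failed_logins + 1 >= c_max_failures
                                THEN SYSDATE + c_lock_minutes / 1440 END
     WHERE username = l_user.username;
    RETURN FALSE;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: burn the same hashing cost so the response time does
      -- not reveal which usernames exist.
      l_dummy := hash_password(p_password, utl_raw.cast_to_raw('0123456789abcdef'));
      RETURN FALSE;
  END authenticate;
END my_auth;
/
```

Apex commits the transaction after the authentication function returns, so the counter updates persist whether the function returns TRUE or FALSE. The unknown-user branch deliberately does the same amount of hashing as the known-user path; without it, "user does not exist" answers come back measurably faster than "wrong password".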
41. Session Verify Function
● Example rule: prevent logins on Sundays. Is today Sunday? No: return TRUE. Yes: return FALSE.
FUNCTION session_is_valid
  RETURN boolean
IS
BEGIN
  -- fixed date language so the check does not depend on the session's NLS settings
  IF TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN'
  THEN
    RETURN FALSE;
  ELSE
    RETURN TRUE;
  END IF;
END;
46. Authorization – Application Level
● Who gets into the application: the gatekeeper.
● You may have 1000s of users, but only a small group should have access.
51. Group Management
● Apex Authorization
  ● Authorization Scheme
  apex_util.get_groups_user_belongs_to(:APP_USER);
● LDAP
  ● :AI_LDAP_GROUPS := apex_auth.ldap_get_groups_fn(:APP_USER);
● Custom Authorization
  ● Table based
  ● Custom function to get group membership
52. Apex Group
-- Authorization scheme of type "PL/SQL Function Returning Boolean"
declare
  l_groups     varchar2(1000);
  l_arr_groups apex_application_global.vc_arr2;
  l_authorized boolean := false;
begin
  -- get comma separated list of groups the user belongs to
  l_groups := apex_util.get_groups_user_belongs_to(:APP_USER);
  -- convert l_groups into an array
  l_arr_groups := apex_util.string_to_table(p_string    => l_groups,
                                            p_separator => ',');
  -- check if the vocals group is present
  for l_idx in 1 .. l_arr_groups.count loop
    if trim(l_arr_groups(l_idx)) = 'vocals' then
      l_authorized := true;
    end if;
  end loop;
  return l_authorized;
end;
54. Custom Group
FUNCTION belongs_to_admins (p_username VARCHAR2)
  RETURN boolean
IS
  l_yesno VARCHAR2(3);
BEGIN
  -- MAX over an empty result is NULL, so NVL yields 'NO' when no row matches
  SELECT NVL(MAX('YES'), 'NO') INTO l_yesno
    FROM my_user_table
   WHERE username  = p_username
     AND usergroup = 'ADMINS';
  IF l_yesno = 'YES' THEN
    RETURN TRUE;
  ELSE
    RETURN FALSE;
  END IF;
END;
60. Apex Account Privileges
Get Account Privileges (authorization scheme of type "Exists SQL Query"):
Workspace administrator:
SELECT 1
  FROM APEX_WORKSPACE_APEX_USERS
 WHERE user_name = :APP_USER
   AND is_admin = 'Yes';
Developer:
SELECT 1
  FROM APEX_WORKSPACE_APEX_USERS
 WHERE user_name = :APP_USER
   AND is_developer = 'Yes';
67. Invalid Session Detail
● Fires after the page sentry
● Specify the URL to go to when an invalid session is detected, e.g.
f?p=KSCOPE13:101:&APP_SESSION.:HELLO_KITTY:&DEBUG.::::
(application alias : page : session : request : debug, then the clear-cache, item-name, item-value and printer-friendly positions left empty)