5. Authentication Types
● Apex Authentication
● LDAP
● Database Account
● Open Door
● OASSO
● HTTP Header Variable
● Custom
● No Authentication
6. Apex Authentication – The Good
● Built in
● Users defined in the Apex workspace
● Quick & easy setup
● User & group management
● Access to all applications in the workspace
9. Database Account – The Good
● Existing database accounts
● Handy when migrating from Oracle Forms
● No privileges needed
● Does not create a database session
10. Database Account – The Bad
● Not a good long-term solution
● Accounts should be moved to an LDAP or Custom Authentication Scheme
12. Oracle App. Svr. Single Sign On (OASSO)
● For use with Oracle Application Server
● Authenticate once and have access to many other applications.
● Register Apex as an OASSO partner application
● Uses the OASSO login page
13. HTTP Header Variable
● Used in conjunction with a single sign-on server that specifies a header variable value for the current user
16. Authentication
● Apex tracks the user and session ID throughout the session
○ :APP_USER :SESSION
○ &APP_USER. &SESSION.
○ v('APP_USER') v('SESSION')
● Unauthenticated users show up as nobody
18–20. Additional Settings
● Pre Authentication
• Fires before the authentication function.
• Does not fire with outside authentication (SSO), or with no authentication.
● Post Authentication (not when quitting browser)
• Fires after the user is authenticated, the session is registered and the cookie is set.
• Good for logging.
• Does not fire with no authentication.
● Verify Session
• Good for enforcing business rules. (Can't log in on Sundays)
● Cookies
21. Session Verify Function
● Prevent logins on Sundays
Flowchart: is today Sunday? No: return TRUE. Yes: return FALSE.
FUNCTION session_is_valid
  RETURN BOOLEAN
IS
BEGIN
  -- NLS_DATE_LANGUAGE pins the day abbreviation so the check does not depend on the session language
  IF TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN' THEN
    RETURN FALSE;
  ELSE
    RETURN TRUE;
  END IF;
END session_is_valid;
22–24. Settings
● Processing points
○ Sentry
• Replaces the built-in Apex sentry function.
• Called before every page view and asynchronous transaction.
• Returns boolean.
• Ensures the session is still valid.
• When FALSE, the session is killed and the invalid session procedure is called.
○ Pre Authentication
○ Post Authentication (not when quitting browser)
• Fires after the user is authenticated, the session is registered and the cookie is set.
• Good for logging.
• Does not fire with no authentication, or when the browser is closed.
○ Invalid Session (Session Not Valid)
• URL/Page when the session is not valid.
○ Verify Function Name
• Good for enforcing business rules. (Can't log in on Sundays)
○ Cookies
25. Session Cookie
● Cross-application authentication
● Specify the same cookie name in multiple apps
● Include the session ID in the URL
29. Authentication Processing
● All Apex needs is a TRUE or FALSE from an authentication process
● Apex knows what to do in either case
● Same for all authentication types
31. Authentication Flow
● Each page uses a sentry function to determine whether the session is valid (session ID + cookie)
● Sentry returns TRUE/FALSE
● An invalid session gets redirected elsewhere (see Invalid Session settings)
● A valid session sees the page
33. Login Page Processing
1. Get Username Cookie – reads LOGIN_USERNAME_COOKIE
2. If it exists, populate P101_USERNAME
3. The password field does not save state.
4. When the page is submitted:
   1. The LOGIN_USERNAME_COOKIE is set with the username value
   2. The APEX_AUTHENTICATION API processes username and password
   3. When the API returns TRUE, session info is stored in WWV_FLOW_SESSIONS$
   4. Cookie OWA_WWV_APP_nnn is set with a hash of the session ID
   5. A process clears the page cache
5. The browser is redirected
34. Logout Processing
● Logout can happen at various events
○ Logout link is clicked
○ Session duration exceeded
○ User exits browser
○ Session cookie is altered
○ Etc.
● These events make the session invalid
35. Logout Cleanup
● When the logout link is clicked
○ The Post Logout procedure is called
○ The session is terminated and stored session values get deleted.
● Any other termination invalidates session state and a purge job cleans up the stored data later. (ORACLE_APEX_PURGE_SESSIONS)
45. Custom Authentication
● If the function returns TRUE
○ Redirect to Home URL
○ Edit Application Properties -> User Interfaces -> User Interfaces -> User Interface Details
46. Password Security
● Store encrypted password in user table.
● dbms_crypto.hash(utl_raw.cast_to_raw(p_str), 2);  -- typ 2 = dbms_crypto.hash_md5; returns RAW
● In the authentication function: compare the encrypted password from the login page to user_table.password.
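Added example, not code from the slides: the same dbms_crypto.hash idea, but with SHA-256 and a per-user salt, wrapped in the (p_username, p_password) RETURN BOOLEAN signature that a Custom authentication function uses, so APEX gets just the TRUE/FALSE it needs. The user_table columns password_hash and password_salt, upper-case usernames, and the EXECUTE grant on DBMS_CRYPTO are assumptions.

```plsql
-- Assumed table (not on the slides): user_table(username VARCHAR2 PK,
--   password_hash RAW(32), password_salt RAW(16)). Needs EXECUTE on
--   dbms_crypto; hash_sh256 exists from Oracle Database 12c on.
CREATE OR REPLACE FUNCTION hash_password (
  p_password IN VARCHAR2,
  p_salt     IN RAW
) RETURN RAW IS
BEGIN
  -- One-way hash of salt || password. The slide's typ 2 is MD5; SHA-256 is used here.
  RETURN dbms_crypto.hash(
           src => utl_raw.concat(p_salt, utl_raw.cast_to_raw(p_password)),
           typ => dbms_crypto.hash_sh256);
END hash_password;
/
CREATE OR REPLACE PROCEDURE set_password (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) IS
  l_salt RAW(16) := dbms_crypto.randombytes(16);  -- fresh random salt per user
BEGIN
  UPDATE user_table
     SET password_salt = l_salt,
         password_hash = hash_password(p_password, l_salt)
   WHERE username = UPPER(p_username);           -- usernames assumed stored in upper case
END set_password;
/
-- Authentication function for a Custom scheme: APEX passes in the login page
-- values and only needs the TRUE/FALSE back (slide 29).
CREATE OR REPLACE FUNCTION authenticate_user (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN IS
  l_hash RAW(32);
  l_salt RAW(16);
BEGIN
  SELECT password_hash, password_salt
    INTO l_hash, l_salt
    FROM user_table
   WHERE username = UPPER(p_username);
  -- Re-hash the submitted password with the stored salt and compare to the stored hash
  RETURN hash_password(p_password, l_salt) = l_hash;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN FALSE;  -- unknown user gets the same answer as a wrong password
END authenticate_user;
/
```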
52. Authorization – Application Level
Who gets into the application. You may have 1000s of users, but only a small group should have access.
Gatekeeper
53. Gatekeeper
● Restricts the application to a subset of authenticated users.
● Should check whether the user has at least one role in the application.
58. Group Management
● Apex Authorization
○ Authorization Scheme
apex_util.get_groups_user_belongs_to(:APP_USER);
● LDAP
○ apex_auth.ldap_get_groups_fn
○ apex_ldap.member_of
● Custom Authorization
○ Table based
○ Custom function to get group membership
59. Apex Group
declare
  l_groups     varchar2(1000);
  l_arr_groups apex_application_global.vc_arr2;
  l_authorized boolean := false;
begin
  -- get comma separated list of groups the user belongs to
  l_groups := apex_util.get_groups_user_belongs_to(:APP_USER);
  -- convert l_groups into an array
  l_arr_groups := apex_util.string_to_table(p_string    => l_groups,
                                            p_separator => ',');
  -- check whether the vocals group is present (the loop declares its own l_idx)
  for l_idx in 1 .. l_arr_groups.count loop
    if trim(l_arr_groups(l_idx)) = 'vocals' then
      l_authorized := true;
    end if;
  end loop;
  return l_authorized;
end;
61. Custom Group
FUNCTION belongs_to_admins (p_username VARCHAR2)
  RETURN BOOLEAN
IS
  l_yesno VARCHAR2(3);
BEGIN
  -- MAX('YES') is 'YES' when at least one matching row exists, otherwise NULL -> 'NO'
  SELECT NVL(MAX('YES'), 'NO') INTO l_yesno
    FROM my_user_table
   WHERE username = p_username
     AND usergroup = 'ADMINS';
  IF l_yesno = 'YES' THEN
    RETURN TRUE;
  ELSE
    RETURN FALSE;
  END IF;
END belongs_to_admins;
66. Apex Account Privileges
Get Account Privileges:
-- is_admin
SELECT 1
  FROM APEX_WORKSPACE_APEX_USERS
 WHERE user_name = :APP_USER
   AND is_admin = 'Yes';
-- is_developer
SELECT 1
  FROM APEX_WORKSPACE_APEX_USERS
 WHERE user_name = :APP_USER
   AND is_developer = 'Yes';
78. Application Level SSP - URL Tampering
● Application Level SSP
○ Unrestricted
○ Arguments Must Have Checksum
○ No Arguments Allowed (no values can be passed)
○ No URL Access (branch only)
79. Bookmark Expiration
● Item Level
○ Application Level (share among users in the app)
○ User Level (only for the user)
○ Session Level (only for the session; bookmarking not worth it)