login page of the Oracle Apex admin - oracle

How to display only the login page of the Oracle Apex admin section for management?
If you enter the login address of the Oracle Apex management department, they will encounter an error
Sorry, this page isn't available oracle apex

If I understand your question correctly, then this is what you want:
An application with no authentication for its pages, but when a user clicks on "Administration" a login screen is shown and user needs to authenticate.
Here is how to create such an application from scratch. In my case I'm creating an empty application (only a home page) with no authentication required and a link to "Administration" that does require login. Test is done on apex 22.1 but this should work on all versions.
Create new application using application wizard. Check the "Features" section so the "Administration" pages are created. No need to add any pages since by default a home page is created. Click "Create Application"
Shared Components > Application Definition > Security. Set "Authorization Scheme" to "no application authorisation required".
Page 1 > Page properties > Security > Authentication > "Page is public". Now when a user accesses the application he will not be prompted for login. Note that when you run the application, there will be no menu option for the "Administration" section. That is because the navigation menu entry for "Administration" has an authorization scheme set.
Shared Components > Lists > Navigation Menu. Edit the "Administration" entry. Set "Authorization" to "No Authorization Required".
Now run the page. You'll see you're not prompted for a login on page 1 and the "Administration" link is visible. When clicking on "Administration" a login screen is shown.

You can restrict access to APEX in general by IP address (see documentation: https://docs.oracle.com/en/database/oracle/application-express/21.2/aeadm/configuring-service-level-security-settings.html#GUID-1952AB59-7DC5-48C3-B4A5-31398CEA1485), but not to the Internal/Admin login page specifically.
To restrict access to a specific, otherwise publicly available page within APEX you'd need to place an IP filter on a reverse HTTP proxy or load balancer in front of APEX, then limit APEX to receiving connections only from that proxy. The problem with that arrangement is that most systems can't determine who a user is or what their role is (management vs user) based solely on their network address.
The pretty much universal use of DHCP to provide network addresses for client systems means that addresses aren't constant or associated with a specific person, and most people wouldn't want to limit access to a specific workstation anyway: your requirement was identity-based, not address-based. The best you could do with a reverse-proxy network restriction would likely be to limit connections to the login page to your internal company network, and even that might not be practical depending on your situation.
All of that is a very round-about way of saying no: there is no practical identity-based way for most systems to limit access to a public login page, because the user's identity can't be established until after they login. The best you can do would be to use a reverse proxy or load balancer to place a blanket, network-based restriction on the login page.
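An added example, not part of the answer above and not Oracle code: the two network checks the answer describes, written for the `f?p=app:page` URL form that appears elsewhere on this page. All addresses, application and page identifiers, and function names are constructed for illustration; because APEX accepts either a number or an alias for the application and the page, the filter lists both.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed values for illustration; none of them come from the page.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # company network
PROXY_ADDR = ipaddress.ip_address("10.0.0.5")          # the reverse proxy
# APEX accepts a number or an alias for application and page, so list both.
RESTRICTED_APPS = {"100", "adminapp"}
RESTRICTED_PAGES = {"9999", "login"}


def apex_targets(url):
    """Return every (app, page) pair named by a p= parameter of an f?p URL."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/f"):
        return []
    targets = []
    # A repeated p= parameter is checked in full rather than guessing
    # which copy the backend will honour.
    for value in parse_qs(parts.query).get("p", []):
        fields = value.split(":")
        app = fields[0].strip().lower()
        page = fields[1].strip().lower() if len(fields) > 1 else ""
        targets.append((app, page))
    return targets


def proxy_allows(url, client_ip):
    """Filter applied at the reverse proxy: decided by address, not identity."""
    restricted = any(
        app in RESTRICTED_APPS and page in RESTRICTED_PAGES
        for app, page in apex_targets(url)
    )
    if not restricted:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def backend_accepts(peer_ip):
    """Filter applied in front of APEX: only the proxy may connect."""
    return ipaddress.ip_address(peer_ip) == PROXY_ADDR
```

The proxy check only narrows who can reach the login form; the login itself still establishes who the user is.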

Related

Oracle Apex: redirect to the page user requested after login

I am using Oracle APEX 5.0 on Oracle 12c. I have a situation where a user opens a link to an APEX page from his email and he is redirected to the login page because no session exists.
e.g. the link that user clicks is:
http://host:port/apex/f?p=app_id:page:::::ITEM1,ITEM2:VAL1,VAL2
After clicking this link the user is moved to the login page. My question is after a successful login, how can we redirect him to the link he originally tried to access along with the parameters and values originally passed?
Yes, there's a way; follow this path:
Edit application properties >> Security tab >> Session management >> Deep linking >> set it to "Enabled"
From the documentation:
This attribute enables or prevents deep linking to an application.
Options include:
Enabled - The URL to a specific page ultimately redirects there, possibly after the user has logged in.
Disabled - If the URL does not contain a valid session ID, Application Express redirects to the application's home page.
For example, browsers often save the URLs of opened tabs and try to restore the sessions after a restart, causing a deep link. This behavior may be undesirable (for example if a URL points to a page in the middle of a multi-step wizard). By selecting Disable, Application Express starts a new session and redirects to the application's home page.
Note you can override this application setting at page-level.

How are user privileges implemented in multi-user websites securely?

An “Add Link” button is added to the page by JavaScript after the user is authenticated (sign in). The user clicks on the “Add Link” button which opens up a form (implementable by JavaScript) for the user to fill out and submit. When the form is submitted an Ajax request is sent to the server, the server stores the newly added link into a database. How are user privileges implemented in multi-user websites securely? Are they implemented on the client side or on the server side, or a combination of both?
A little of both, but generally speaking more on the server side. A user that authenticates might get a session ID key which they can store locally or else they are tracked by the server (presumably by IP address). That user has some permissions associated with their account in a database on the server. Those permissions are then read when the user attempts to perform a restricted action.
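A sketch of the server-side check described in the answer above, added here as an example and not code from the answer: the handler for the "Add Link" Ajax request decides from the server's own session and permission tables and ignores any role the client sends. The account names, permission strings, in-memory tables and the `sign_in` and `handle_add_link` functions are hypothetical.

```python
import secrets

# Constructed sample data: accounts and their server-side permissions.
PERMISSIONS = {"alice": {"link:add", "link:delete"}, "bob": {"link:view"}}
SESSIONS = {}   # session id -> username, kept only on the server
LINKS = []      # stands in for the database table of links


def sign_in(username):
    """Issue an unguessable session id after the password check (omitted here)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def handle_add_link(session_id, form):
    """Handle the Ajax POST. Returns (http_status, message)."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not signed in"
    # Authorization is decided from server-side data only. Anything in the
    # form, such as a role field set by page script, is ignored.
    if "link:add" not in PERMISSIONS.get(user, set()):
        return 403, "not allowed to add links"
    url = str(form.get("url", ""))
    if not url.startswith(("http://", "https://")):
        return 400, "url must be http(s)"
    LINKS.append({"owner": user, "url": url})
    return 201, "created"
```

Hiding or showing the "Add Link" button in JavaScript is then only a convenience, since a request sent without the button gets the same 401 or 403.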

Can I bypass/skip the ADFS login screen and use my own custom login screen to access MSCRM?

I am using MSCRM authenticated through ADFS. I have two active directories A and B. I set up a one-way forest trust between A and B so that users in B can access my resources in A. I currently use ADFS for login. My problem is it is not friendly for a user to key in A\username or B\username to log in to my webpage. Therefore I wish to build a custom login screen and maybe provide a radio button for the user to choose whether they belong to domain A or domain B. Because I use MSCRM, am I sort of forced to use ADFS?
MSDN provides a series of entries about ADFS 2.0 Sign-In Pages Customization.
From the linked overview page:
The Sign-In Pages expose extensibility points that allow a developer to perform the following customizations:
Change the accepted and default authentication types.
Customize the theme of the Sign-In Pages and add a company logo image.
Customize the behavior and layout of Sign-In Pages that are seen by the end user, such as the Forms Authentication and Home Realm Discovery pages.
These customizations can be done by modifying the Web.config file of the Sign-In Pages Web application or by modifying specific pages.
On a side note, as far as I've seen on our customers with IFD environments, you don't need to specify the domain when you sign-in, plain username and password seem to work (I'm not very expert in ADFS, but I understand that it "knows" which domain to authenticate against).

use Joomla 3.0 project on intranet

I am using Joomla 3.0 and I want the site to show only the login page first when a user opens it; after login he can access the website.
Thanks in advance
You can put the site in offline mode.
So the site will display the login page.
Remember to grant permissions to the users to access the offline site!
If you want to "protect" the whole site with login the best option is to turn the site off and then the user will need to login after opening the intranet page. It's probably the cleanest way to do it without modules/plugins.
The way we do it in my company (we are also running an intranet on Joomla!) is that all the articles are set to registered and the landing page of the intranet just contains a warm welcome and a login form.
One thing to mention: Forcing this login for viewing some article/other content is not secure at all; mostly the local installation will run on a database with root access without a password (default setting) and with an unencrypted database easily accessible. This is something to consider. If you are running this intranet in a small company with loyal employees or without sensitive information you should be fine; if not, you should put more stress on the security issues.

How to secure a single page in Oracle Apex

I have no authentication required for my application, but want to secure a few pages.
On the page I wish to secure I have specified that user should not be a public user.
When I click a link to the page I do get a login box, but I seem to be able to enter any old rubbish and still proceed to the page.
How do I secure an individual page without a general authentication scheme at application level, so an Apex user account is needed?
It's better to do it the other way around: apply an authentication scheme to your application, then mark individual pages as Public (i.e. not requiring authentication) except for the page that requires authentication.
