I have no authentication required for my application, but want to secure a few pages.
On the page I wish to secure I have specified that user should not be a public user.
When I click a link to the page I do get a login box, but I seem to be able to enter any old rubbish and still proceed to the page.
How do I secure an individual page without a general authentication scheme at application level, so an Apex user account is needed.
It's better to do it the other way around: apply an authentication scheme to your application, then mark individual pages as Public (i.e. not requiring authentication) except for the page that requires authentication.
Related
How to display only the login page of the Oracle Apex admin section for management?
If you enter the login address of the Oracle Apex management department, they will encounter an error
Sorry, this page isn't available oracle apex
If I understand your question correctly, then this is what you want:
An application with no authentication for its pages, but when a user clicks on "Administration" a login screen is shown and user needs to authenticate.
Here is how to create such an application from scratch. In my case I'm creating an empty application (only a home page) with no authentication required and a link to "Administration" that does require login. Test is done on apex 22.1 but this should work on all versions.
Create new application using application wizard. Check the "Features" section so the "Administration" pages are created. No need to add any pages since by default a home page is created. Click "Create Application"
Shared Components > Application Definition > Security. Set "Authorization Scheme" to "no application authorisation required".
Page 1 > Page properties > Security > Authentication > "Page is public". Now when a user accesses the application he will not be prompted for login. Note that when you run the application, there will be no menu option for the "Administration" section. That is because the navigation menu entry for "Administration" has an authorization scheme set.
Shared Components > Lists > Navigation Menu. Edit the "Administration" entry. Set "Authorization" to "No Authorization Required".
Now run the page. You'll see you're not prompted for a login on page 1 and the "Administration" link is visible. When clicking on "Administration" a login screen is shown.
You can restrict access to APEX in general by IP address (see documentation: https://docs.oracle.com/en/database/oracle/application-express/21.2/aeadm/configuring-service-level-security-settings.html#GUID-1952AB59-7DC5-48C3-B4A5-31398CEA1485), but not to the Internal/Admin login page specifically.
To restrict access to a specific, otherwise publicly available page within APEX you'd need to place an IP filter on a reverse HTTP proxy or load balancer in front of APEX, then limit APEX to receiving connections only from that proxy. The problem with that arrangement is that most systems can't determine who a user is or what their role is (management vs user) based solely on their network address.
The pretty much universal use of DHCP to provide network addresses for client systems means that addresses aren't constant or associated with a specific person, and most people wouldn't want to limit access to a specific workstation anyway: your requirement was identity-based, not address-based. The best you could do with a reverse-proxy network restriction would likely be to limit connections to the login page to your internal company network, and even that might not be practical depending on your situation.
All of that is a very round-about way of saying no: there is no practical identity-based way for most systems to limit access to a public login page, because the user's identity can't be established until after they login. The best you can do would be to use a reverse proxy or load balancer to place a blanket, network-based restriction on the login page.
How can I implement this behavior in my website
I need to be logged inside my website to navigate through the website and if I open a new tab, I want to display the login page, also the user logged on the previous tab doesn't have to be logged on the new one.(treat all new tabs like independent session)
when the user is logged a security token is stored on my Session[token], if I open another tab, another user can be logged into the website with another token session.(this has to be don't in the same browser)
There are many ways to do that but each has some limitation. All ways required some short of custom development on client side and server side to manage the data.
Don't use cookie or traditional authentication mechanism as all has cookie per domain so it wan't help.
If you are using HTML5 then you can take advantage of sessionStorage and store different Id ( generate guid) and pass along with each request to identify. ( More secure you have to generate your own encrypted value)
For simple use you can use HiddenField on each tab and get value from Url.
If you are aware of ASP.net cookieless session then you can see that url has sessionid and you have to do something similar.
In MVC you can do such thing by creating custom route.
http://blog.gauffin.org/2012/02/get-a-unique-session-in-each-browser-tab/
I am using MSCRM authenticated through ADFS.I have two active directories A and B.I setup a one-way forest trust between A and B so that users in B can access my resources in A.I currently use ADFS for login.my problem is it is not friendly for a user to key in A\username or B\username to login to my webpage.Therefore I wish to build a custom login screen and maybe provide a radio button for the user to choose whether they belong to domain A or domain B.Because i use MSCRM,am I sort of forced to us ADFS?
MSDN provides a series of entries about ADFS 2.0 Sign-In Pages Customization.
From the linked overview page:
The Sign-In Pages expose extensibility points that allow a developer
to perform the following customizations: Change the accepted and
default authentication types.
Customize the theme of the Sign-In Pages and add a company logo image.
Customize the behavior and layout of Sign-In Pages that are seen by
the end user, such as the Forms Authentication and Home Realm
Discovery pages.
These customizations can be done by modifying the Web.config file of
the Sign-In Pages Web application or by modifying specific pages.
On a side note, as far as I've seen on our customers with IFD environments, you don't need to specify the domain when you sign-in, plain username and password seem to work (I'm not very expert in ADFS, but I understand that it "knows" which domain to authenticate against).
I want to know how can I force a user to log in the the application again if the page is being opened in new tab or new browser.
Edit:-
My apologies I misunderstood the requirement.
I am authenticating the user in my log-in page but not anywhere else. So what is happening because of that, even if i log out of application and type url say bla.com/apple I can access my application.
I figured to prevent this from happening, I have to write a base controller that checks for the right user. Am I moving in the right direction.
Thanks
Addressing the edit -
Authentication can be handled per controller or on individual actions. Simple place the [Authorize] attribute appropriately. This assumes however that somewhere an authentication token is being set. [Authorize] checks against the HttpContext's current User (an IPrincipal).
You mentioned above that you're just validating against a local username and password, in one place, so I'm guessing that no token (session, cookie) are being set?
You have a few options here to get that token stored and persisted across requests:
ASP.Net integrated membership provider (Intro)
A custom MembershipProvider (Example)
Full-on custom flow. (Example)
Each has ups and downs and depends on how exactly you want to handle on-boarding your users. It's hard to answer more specifically because it can be a very large topic (and a very broad question).
Here's the official pages for MVC security.
I'm working on a site that requires the user have a unique username to use all services on the site. They cannot self-change this username for community fairness.
We would like to allow users the simplicity of registering/logging in using their facebook accounts, but this username requirement is obviously a hurdle.
The only idea I have come up with is after the connect process, send the user to a final step page where they enter a username. The only downside to this is that the user has the ability to navigate away before entering a username, meaning we need to add further layers of checks to several site functions to ensure a user has a username, and prompt for one if not.
Any ideas on how to streamline this during the connect process? Any site examples of similar implementations where auxillary info is required to use some or all site features?
Have you looked at Facebook's registration plugin?
The Registration plugin allows users to easily sign up for your
website with their Facebook account. The plugin is a simple iframe
that you can drop into your page. When logged into Facebook, users see
a form that is pre-filled with their Facebook information where
appropriate.
https://developers.facebook.com/docs/plugins/registration/
The plugin also allows you to add custom fields so you could simply add your username field.
There are a load of advanced features including validation, here's an example in the Facebook documentation that includes the username field and checks to see if it's available
https://developers.facebook.com/docs/plugins/registration/advanced/#async