I am getting this error when I'm trying to use NTLM Page Sentry Function
Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
Error ERR-7621 Could not determine workspace for application (:) on application accept.

I'm using Jason Straub function
http://jastraub.blogspot.com/2008/03/ntlm-http-authentication-and.html

But I made some changes, to get it to work with Oracle9i database.

Message was edited by: Stan
stan_g

See function below.

create or replace function ntlm_page_sentry
return boolean
is
l_username varchar2(512);
l_session_id number;
l_raw raw(1000);
l_domain varchar2(128);
l_user varchar2(128);
l_auth varchar2(512);
l_decode varchar2(2000);
l_off pls_integer := 0;
l_length pls_integer;
l_offset pls_integer;
begin

-- check to ensure that we are running as the correct database user.
if user != 'APEX_PUBLIC_USER' then
return false;
end if;

-- get sessionid.
l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;
-- check application session cookie.
if wwv_flow_custom_auth_std.is_session_valid then
apex_application.g_instance := l_session_id;
l_username := wwv_flow_custom_auth_std.get_username;
wwv_flow_custom_auth.define_user_session(p_user => l_username,
p_session_id => l_session_id);
return true;
else
-- get username using NTLM

l_auth := owa_util.get_cgi_env('AUTHORIZATION');
if l_auth is null then
owa_util.status_line(nstatus => 401,
creason => 'Unauthorized',
bclose_header => false);
htp.p('WWW-Authenticate: NTLM');
owa_util.http_header_close;
wwv_flow.g_unrecoverable_error := TRUE;
return false;
end if;

if substr(l_auth,1,5) = 'NTLM ' and length(l_auth) > 79 then

--l_decode := utl_encode.text_decode(buf => substr(l_auth,6), encoding => UTL_ENCODE.BASE64);

--l_raw := utl_raw.cast_to_raw(l_decode);
-- New Line
l_raw := utl_encode.base64_decode(utl_raw.cast_to_raw(substr(l_auth,6)));
if utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,9,1)) = 1 then

owa_util.status_line(nstatus => 401,
creason => 'Unauthorized',
bclose_header => false);
htp.p('WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAAAICAgAAAAAAAAAAAAAAAA==');
owa_util.http_header_close;
wwv_flow.g_unrecoverable_error := TRUE;
return false;
end if;

l_length := utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,32,1))*256 + utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,31,1));
l_offset := utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,34,1))*256 + utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,33,1));

l_domain := replace(replace(substr(utl_raw.cast_to_varchar2(l_raw),l_offset + 1,l_length),chr(0),null),chr(15),null);

l_length := utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,40,1))*256 + utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,39,1));
l_offset := utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,42,1))*256 + utl_raw.cast_to_binary_integer(utl_raw.substr(l_raw,41,1));

l_user := replace(substr(utl_raw.cast_to_varchar2(l_raw),l_offset,l_length),chr(0),null);

--l_username := l_domain||'\'||l_user;
l_username := l_user;
else
return false;
l_username := 'nobody';

end if;
-- application session cookie not valid --> define a new apex session.
wwv_flow_custom_auth.define_user_session(p_user => l_username,
p_session_id => wwv_flow_custom_auth.get_next_session_id);
-- tell apex engine to quit.
apex_application.g_unrecoverable_error := true;
if owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' then
wwv_flow_custom_auth.remember_deep_link(p_url => 'f?' ||
wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
else
wwv_flow_custom_auth.remember_deep_link(p_url => 'f?p=' ||
to_char(apex_application.g_flow_id) || ':' ||
to_char(nvl(apex_application.g_flow_step_id, 0)) || ':' ||
to_char(apex_application.g_instance));
end if;
-- register the session in apex sessions table, set cookie, redirect back.
wwv_flow_custom_auth_std.post_login(p_uname => l_username,
p_session_id => nv('APP_SESSION'), p_flow_page => apex_application.g_flow_id
|| ':' || nvl(apex_application.g_flow_step_id, 0), p_preserve_case => true);
return false;
end if;
end ntlm_page_sentry;

Sorry, I was trying to find a way to debug this function. I took the line out but I'm still getting the same error. What is the best way to debug this error?

Thanks,
Stan

Can you show me some examples on how to do it.
I am also not sure about the expected path.

I'm also getting the error if I try to run any other apex applications. Only when I close the browser window I'm able to run other apex programs

Scott

This function only works on the first page it brings up but once I do any submits on that page I am getting error ERR-7621. This error occurs before the NTLM function call.
How can I debug before Page Sentry Function call?

Thanks for all your help
Stan

Hi Scott and Stan,

interesting. Came across the same issue yesterday and mailed Jason about this issue.

The above strange behavior only shows in Internet Explorer, in Firefox everything is working fine. But in Internet Explorer I get a

Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.

Error ERR-7621 Could not determine workspace for application (:) on application accept.

error from wwv_flow.accept each time I issue a submit (eg. with a button).
Normal page rendering works, because if I directly modify the URL by entering another page it also works fine.

The other strange behavior is, that if I get back into the APEX Builder and press there somewhere a button which issues a submit, I get the now same error message there too!!! So it looks like that the cookie or something gets screwed up.

I don't know what the wwv_flow.accept does, but it looks like that it does some checks before it calls the page sentry function. I added an exception into the page sentry function as first statement, but it is never raised.
It's really hard to debug that, I think you have easier access to the sources what is done there. Maybe you can give me a hint how I can solve the problem.

I will mail you a simple two page application where you can reproduce the problem.

Thanks
Patrick
PS: I'm working on 3.1

---

My APEX Blog: http://www.inside-oracle-apex.com/
The APEX Builder Plugin: http://builderplugin.oracleapex.info/
The ApexLib Framework: http://apexlib.sourceforge.net/

The IE tools I have are somehow limited. In FF it would be no problem with the "Live HTTP Header" add-on. I will have a look if I can activate something on the web-server to see what's actually transmitted.

Patrick

Hi,

I finally got it working. It's was/is a little bit tricky but here we go.

Read http://www.nabble.com/Empty-POST-requests-on-IE-td15332680.html for more details about this issue.

Here comes the solution:

In the declaration section add

l_htp_buffer    htp.htbuf_arr;
l_htp_rows      INTEGER;
l_url           VARCHAR2(500);

The following code has to be added at the bottom of the function.

-- register the session in apex sessions table, set cookie, redirect back.
wwv_flow_custom_auth_std.post_login(p_uname => l_username,
  p_session_id => nv('APP_SESSION'), p_flow_page => apex_application.g_flow_id||
  ':' || nvl(apex_application.g_flow_step_id, 0), p_preserve_case => true);
 
******** NEW CODE ******
 
-- get HTP output wwv_flow_custom_auth_std.post_login has written,
-- it contains the session cookie we need.
l_htp_rows := 15; /* where and how to get an actual value for irows???? */
htp.get_page
  ( thepage => l_htp_buffer
  , irows   => l_htp_rows
  );
-- reset the HTP buffer so that we can write our own header, ...
htp.init;
-- See http://www.nabble.com/Empty-POST-requests-on-IE-td15332680.html
-- We have to trick IE that he thinks the authentication fails, otherwise
-- he doesn't send any data when issueing a POST because he wants to
-- do the NTLM stuff again
owa_util.status_line
  ( nstatus => 401,
    creason => 'Unauthorized',
    bclose_header => FALSE
  );
-- write the session cookie into our output
FOR ii IN 1 .. l_htp_rows
LOOP
    IF l_htp_buffer(ii) LIKE 'Set-Cookie:%'
    THEN
        htp.p(l_htp_buffer(ii));
    END IF;
END LOOP;
--
l_url := 'f?p='||
         apex_application.g_flow_id||':'||
         nvl(apex_application.g_flow_step_id, 0)||':'||
         apex_application.g_instance;
--
IF WWV_Flow.get_browser_version = 'NSCP'
THEN
    -- Firefox: redirect can be set with a HTTP header attribute
    htp.p('Location: '||l_url);
    owa_util.http_header_close;
ELSE
    -- For IE: The javascript is required so that we are redirected to the page as
    -- the wwv_flow_custom_auth_std.post_login would normally do with the
    -- HTTP 302 redirect
    owa_util.http_header_close;
    htp.p('<html><head>');
    htp.p('<script type="text/javascript">');
    htp.p('  location.href="'||l_url||'";');
    htp.p('</script>');
    htp.p('<noscript>');
    htp.p('<meta http-equiv="Refresh" content="0; URL="'||l_url||'">');
    htp.p('</noscript>');
    htp.p('</head>');
    htp.p('<body>');
    htp.p('You were logged in successfully. Click <a href="'||l_url||'">here</a> to continue.');
    htp.p('</body>');
    htp.p('</html>');
END IF;
 
******** OLD CODE **********
RETURN FALSE;
[...]

The solution worked for me with IE6 und FF.

Patrick

---

My APEX Blog: http://www.inside-oracle-apex.com/
The APEX Builder Plugin: http://builderplugin.oracleapex.info/
The ApexLib Framework: http://apexlib.sourceforge.net/

Update: code contained a debug message