APEX does not unlock LOCKED(TIMED) DB accounts after PASSWORD_LOCK_TIME expires

Wouter de Waard, Oct 1 2018

Dear Colleagues,

Working on an application I discovered some unwanted behaviour: The application uses the APEX "Database accounts" authentication scheme for its authentication.

When a user enters an invalid password he gets locked out (as expected). After the "automatic lock out time" expires (set with the account profile) APEX still does not allow the user to log in.

Other tools like SQLcl, SQL DEV or Oracle*Forms allow the user to log in again as soon as the limit set in password_lock_time expires.

The login page in APEX shows "account locked" but there is no way to unlock the account through APEX. Logging in through the database using SQLcl or SQLPLUS or even Oracle*Forms unlocks the account. In that case logging in through APEX is also possible again.

I detected no difference in behaviour when the lockout is caused by a failed login through SQLcl, SQL Developer or APEX.

Since users in the production environment have no other application than this APEX application, I would very much like APEX to allow login after the lockout timer has expired.

Does anyone know if this is normal behaviour or maybe a glitch in the APEX logon procedure when it uses DB accounts?

To pinpoint the problem I created a profile and a user; assigned the profile to the user and logged in using the wrong password to trigger the Locked(Timed) status and have a reasonable lockout timer value.

On my Vbox using SYS I executed:

create user my_user identified by oracle
/
grant connect, resource to my_user
/
create profile my_profile
  limit
   sessions_per_user          unlimited
   failed_login_attempts      2
   password_life_time         unlimited
   password_reuse_time        60
   password_reuse_max         unlimited
   password_verify_function   ORA12C_VERIFY_FUNCTION
   password_lock_time         1/24/60
   password_grace_time        10
   inactive_account_time      30
/
alter user my_user account unlock profile my_profile
/

After logging in 3 times using the wrong password I check the lockout status using:

select username
     , account_status
     , to_char(lock_date,'dd-mon-yyyy hh24:mi:ss') locktime
     , profile
from   dba_users
where username = 'MY_USER'
/

USERNAME  ACCOUNT_STATUS  LOCKTIME              PROFILE
MY_USER   LOCKED(TIMED)   01-oct-2018 09:04:55  MY_PROFILE

In this situation I let the timer expire (1 minute) and try to log in again.

I created an application (# 100) with DB authentication. The application has only one page with a report on the table dual.

I log in to this application with URL http://192.168.56.1:8080/ords/f?p=100

APEX just keeps on showing the message "Account locked".

After logging in with either SQLcl, SQLPlus or Oracle*Forms the account gets unlocked and in that situation APEX also allows logins for that account.

Any thoughts on this matter are greatly appreciated.

regards

Wouter
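
A diagnostic query for the situation described in the post above, as an added example that is not part of the original post: for every account reported as LOCKED(TIMED) it compares lock_date plus the profile's effective PASSWORD_LOCK_TIME with the current time. It assumes a session that can read dba_users and dba_profiles; the column aliases and state labels are made up for this example.

```sql
-- Added example, not from the original post.
-- dba_profiles.limit is a string: 'DEFAULT', 'UNLIMITED' or a number of days.
-- The number is displayed with limited precision, so the computed expiry
-- time for very short lock times (such as one minute) is approximate.
select u.username
     , u.account_status
     , to_char(u.lock_date,'dd-mon-yyyy hh24:mi:ss') locktime
     , u.profile
     , eff.lock_days
     , to_char(u.lock_date + eff.lock_days,'dd-mon-yyyy hh24:mi:ss') timer_expires
     , case
         when eff.lock_days is null                  then 'NO TIMED EXPIRY (UNLIMITED)'
         when u.lock_date + eff.lock_days <= sysdate then 'TIMER EXPIRED, STATUS STILL LOCKED(TIMED)'
         else                                             'TIMER STILL RUNNING'
       end lock_timer_state
from   dba_users u
join ( -- effective lock time per profile; 'DEFAULT' falls back to the DEFAULT profile
       select p.profile
            , case coalesce(nullif(p.limit,'DEFAULT'), d.limit)
                when 'UNLIMITED' then null
                else to_number(coalesce(nullif(p.limit,'DEFAULT'), d.limit)
                              ,'9999999999.9999')
              end lock_days
       from   dba_profiles p
       join   dba_profiles d
         on   d.profile       = 'DEFAULT'
        and   d.resource_name = p.resource_name
       where  p.resource_name = 'PASSWORD_LOCK_TIME'
     ) eff
  on   eff.profile = u.profile
-- also matches combined states such as 'EXPIRED & LOCKED(TIMED)'
where  u.account_status like '%LOCKED(TIMED)%'
order  by u.lock_date
/
```

Run before and after a login attempt through each client, it shows whether the dictionary status is still LOCKED(TIMED) once the timer has passed.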
