Disable misbehaving users

Pericles, Jan 23 2025 (edited Jan 23 2025)

Hello

I have an application built on APEX 24.1 which, for security purposes, validates whether the user has rights to access each page.

Considering that anybody can point to a specific page by changing the URL, each time a page is loaded there is a validation in the Before Header that checks whether the user has the privilege to access that page.

Right now, if the validation fails, the user is kicked out and reported, but this won't prevent the user from logging in again and continuing with the hacking by trial and error.

To prevent this, I tried to lock and expire the account using the following code:

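        declare
            v_tuser varchar2(255);
        begin
            -- remember the offending user before switching identity
            v_tuser := :APP_USER;
            -- switch the current session to the ADMIN account
            apex_custom_auth.set_user('ADMIN');
            apex_custom_auth.login(
                p_uname      => 'ADMIN',
                p_password   => <ADMIN PASSWORD>,  -- placeholder from the post
                p_session_id => :APP_SESSION
            );
            -- expire and lock the offending account
            APEX_UTIL.EXPIRE_WORKSPACE_ACCOUNT(p_user_name => v_tuser);
            APEX_UTIL.LOCK_ACCOUNT(p_user_name => v_tuser);
            -- end the session
            apex_authentication.logout(
                p_session_id => :APP_SESSION,
                p_app_id     => :APP_ID
            );
        end;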

But I'm getting this error “User ADMIN requires ADMIN privilege to perform this operation” when I try to execute the APEX_UTIL.EXPIRE_WORKSPACE_ACCOUNT procedure.

To allow the execution of these procedures, I've already set Modify This Application and Modify Workspace Repository in the application's Security Attributes.

Has anyone done something like this before?

Appreciate any comment.
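
An application-level alternative for blocking users who repeatedly fail the page check, as an added example that is not from the original post or from Oracle: violations and blocks live in application-owned tables, so no workspace administrator credentials appear in page code. The table names, the `app_abuse_guard` package, the threshold of 3 and the 60-minute window are all assumptions.

```sql
-- Added example: table, package, threshold and window names are hypothetical.
create table app_access_violations (
    username    varchar2(255) not null,
    page_id     number        not null,
    occurred_at timestamp     default systimestamp not null
);

create table app_blocked_users (
    username   varchar2(255) primary key,
    blocked_at timestamp     default systimestamp not null
);

create or replace package app_abuse_guard as
    c_max_violations constant pls_integer := 3;   -- assumed threshold
    c_window_minutes constant pls_integer := 60;  -- assumed look-back window
    procedure record_violation(p_username in varchar2, p_page_id in number);
    function is_blocked(p_username in varchar2) return boolean;
end app_abuse_guard;
/

create or replace package body app_abuse_guard as
    procedure record_violation(p_username in varchar2, p_page_id in number) is
        pragma autonomous_transaction;  -- keep the record even if the page rolls back
        l_count pls_integer;
    begin
        insert into app_access_violations (username, page_id)
        values (upper(p_username), p_page_id);
        select count(*) into l_count
          from app_access_violations
         where username = upper(p_username)
           and occurred_at > systimestamp - numtodsinterval(c_window_minutes, 'MINUTE');
        if l_count >= c_max_violations then
            -- MERGE keeps this idempotent when the user is already blocked
            merge into app_blocked_users b
            using (select upper(p_username) as username from dual) s
               on (b.username = s.username)
            when not matched then insert (username) values (s.username);
        end if;
        commit;
    end record_violation;

    function is_blocked(p_username in varchar2) return boolean is
        l_count pls_integer;
    begin
        select count(*) into l_count from app_blocked_users where username = upper(p_username);
        return l_count > 0;
    end is_blocked;
end app_abuse_guard;
/
```

Call `app_abuse_guard.record_violation(:APP_USER, :APP_PAGE_ID)` where the Before Header check fails, and deny access when `app_abuse_guard.is_blocked(:APP_USER)` returns true, for example from an authorization scheme or a post-authentication procedure (this wiring is an assumption about the application).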
