APEX 3.2
Hello all! I've read various other forum posts that contain bits and pieces of information regarding this topic, but haven't found something that encompasses using User Groups and custom auth. I had planned to utilize User Groups in order to separate different sets of users, whose access I can then further control using Authorization Schemes.
I'm hoping someone can reply pointing me in the right direction. Here is my scenario:
Two Applications: A and B (same workspace)
Two Users: BOB (User Group = IT and User Group = OTHER) and JOHN (User Group = OTHER)
i. Both users have the ability to access the public Login Page in app A.
ii. Since BOB is a part of User Group = IT, he should have the ability to access both applications A and B.
iii. BOB should be able to click on a link on the nav bar within app A to app B (and vice versa) without being presented the login page again.
iv. Since JOHN is only part of User Group = OTHER, he should only have the ability to access application B. JOHN will not see a link in the nav bar to link back to A.
v. JOHN is redirected to app B when he is successfully authenticated in app A. JOHN should not be able to manipulate the URL and change the &APP_ID. value and get logged into app A.
To create my authentication scheme, I have followed Kishore Ryali's example at: http://apps2fusion.com/at/kr/413-maintaining-authentication-between-apex-applications. I have successfully been able to link the two apps and utilize a common authentication and the same cookie name. My issue is once authenticated, how can I prevent certain users from accessing one or the other app? Do I need to create a custom page Sentry?
Other than what has been set up in Kishore's example, here is what I have in my App A (109) login page. It logs into App A if you are in IT, logs you into App B if you are only OTHER. It currently does not prevent JOHN from getting to App A.
DECLARE
    v_groups      VARCHAR2(32767);
    v_arrgroups   apex_application_global.vc_arr2;
    v_IT_group    BOOLEAN := FALSE;
    v_OTHER_group BOOLEAN := FALSE;
BEGIN
    -- check the username and password are correct
    -- v_login_correct := APEX_UTIL.IS_LOGIN_PASSWORD_VALID(p_username,p_password);
    -- get comma delimited string containing each group
    v_groups := APEX_UTIL.GET_GROUPS_USER_BELONGS_TO(p_username => UPPER(:P101_USERNAME));
    -- retrieve comma delimited string into an array
    v_arrgroups := APEX_UTIL.STRING_TO_TABLE(p_string    => v_groups,
                                             p_separator => ',');
    -- loop through the array and compare each entry to the constant representing the GROUP
    FOR i IN 1..v_arrgroups.COUNT LOOP
        IF v_arrgroups(i) = 'IT' THEN
            v_IT_group := TRUE;
        END IF;
        IF v_arrgroups(i) = 'OTHER' THEN
            v_OTHER_group := TRUE;
        END IF;
    END LOOP;
    IF v_IT_group = TRUE THEN
        -- go to App 109 whether they are only IT or part of IT and Other
        wwv_flow_custom_auth_std.login(p_uname      => :P101_USERNAME,
                                       p_password   => :P101_PASSWORD,
                                       p_session_id => v('APP_SESSION'),
                                       p_flow_page  => :APP_ID||':1');
    ELSIF v_OTHER_group = TRUE AND v_IT_group = FALSE THEN
        -- go to App 110
        wwv_flow_custom_auth_std.login(p_uname      => :P101_USERNAME,
                                       p_password   => :P101_PASSWORD,
                                       p_session_id => v('APP_SESSION'),
                                       p_flow_page  => '110'||':1');
    END IF;
END;
Your input is much appreciated!
BTW, sorry if my forum "handle" does not appear...I haven't posted in a long time and it's given me a numeric ID.
Thanks,
Dishoom
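
One way to enforce requirement v, as an added example that is not part of the original post: the login process above only chooses the landing application, so the group check is repeated in an authorization scheme that APEX evaluates on requests to app A. Assumptions: the scheme is of type "PL/SQL Function Returning Boolean", it is selected as the application-level authorization scheme of app A (109), and `c_required_group` is an illustrative name.

```plsql
-- Added example, not the poster's code.
-- Body of an authorization scheme (type: PL/SQL Function Returning Boolean)
-- assumed to be set as the application-level authorization scheme of app A (109).
-- With the shared session cookie, changing the application id in the URL keeps
-- the user authenticated; this check is what denies a non-IT user in app A.
DECLARE
    c_required_group CONSTANT VARCHAR2(30) := 'IT';  -- illustrative constant
    v_groups         VARCHAR2(32767);
    v_arrgroups      apex_application_global.vc_arr2;
BEGIN
    -- No authenticated user name: deny.
    IF :APP_USER IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Same lookup as the login process, but keyed on the session's
    -- authenticated user (:APP_USER), not on a login page item.
    v_groups := APEX_UTIL.GET_GROUPS_USER_BELONGS_TO(p_username => UPPER(:APP_USER));

    v_arrgroups := APEX_UTIL.STRING_TO_TABLE(p_string    => v_groups,
                                             p_separator => ',');

    -- Compare whole entries only (a substring test would let a group such as
    -- 'AUDIT' match 'IT'); TRIM guards against a space after each comma.
    FOR i IN 1 .. v_arrgroups.COUNT LOOP
        IF UPPER(TRIM(v_arrgroups(i))) = c_required_group THEN
            RETURN TRUE;
        END IF;
    END LOOP;

    -- Default deny: users who are only in OTHER end up here.
    RETURN FALSE;
END;
```

The same scheme can serve as the condition on the nav bar entry that links to app A, so the link is hidden for users the scheme rejects.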