
Re: Implementing cookie-based "authentication" via authorize - PL/SQL Cartridge

From: Steve Halko <steveh_at_redshift.com>
Date: Thu, 22 Jul 1999 01:34:54 -0700
Message-ID: <932632539.881.102@news.remarQ.com>


We are using a cookie-based system for both user authentication and for session management. And yes, the top of every procedure requires a call to the 'MY_AUTHORIZE' function exactly as you have depicted.

<tom_hansen_at_my-deja.com> wrote in message news:7n5j0v$ao3$1_at_nnrp1.deja.com...
> I am working with a Web application implemented using the PL/SQL
> cartridge of OAS 4.0.7.
>
> Currently, the application authentication is set to PER_PACKAGE, and
> there is an AUTHORIZE function in each package that authorizes
> appropriately for the package.
>
> For many packages, we want the content to be publicly available, so the
> AUTHORIZE always returns true for those.
>
> For others, we use owa_sec.set_protection_realm, etc., and then look up
> the username/password in our own database table, and in that way
> determine if the user exists in our database with that password.
>
> The problem is this: we would like much more control over the
> authentication process, and how the prompts are given to the user.
>
> To that end, we have decided that looking into a cookie-based
> authentication scheme would be best, because it would allow us to write
> our own custom HTML page to prompt for username and password, complete
> with links to a help page, etc. It would also allow us to give the
> user a "logout" link or button from inside the site.
>
> HOWEVER: We are faced with the task of converting the existing
> application. At first I thought I could just rewrite the "AUTHORIZE"
> procedure to check the cookie instead of using "set_protection_realm".
> If the cookie is invalid or does not exist, I figured I could just
> use 'htp.print' in the AUTHORIZE procedure to throw the user to our
> custom-written procedure that would prompt them for username and
> password.
>
> However, that would require that the AUTHORIZE procedure be able to
> abort the invocation of the original procedure that had been
> requested. I don't see any way to do that. If I return FALSE from
> the AUTHORIZE procedure, it causes the browser's authentication prompt
> to come up, which is what I _DON'T_ want.
>
> So, it appears that the only alternative is to write a custom function
> called 'MY_AUTHORIZE' or something, and then call it at the top of all
> procedures in the package like this:
>
> PROCEDURE MYTHING IS
> begin
> if my_authorize = FALSE then return; end if;
> :
> :
> end MYTHING;
>
> Is this true? Are there any other alternatives?
>
> THANKS!
>
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
Received on Thu Jul 22 1999 - 03:34:54 CDT
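
The MY_AUTHORIZE pattern discussed in this thread, as an added example that is not code from either poster: the function reads the session cookie, validates it against a server-side session table, and redirects to a custom login page when the check fails. The table app_sessions (with token as its primary key), the cookie name APP_SESSION and the procedure login_pkg.show_form are hypothetical names chosen for illustration.

```plsql
-- Added example. app_sessions, APP_SESSION and login_pkg.show_form are
-- hypothetical; only owa_cookie and owa_util are Oracle-supplied packages.
CREATE OR REPLACE FUNCTION my_authorize RETURN BOOLEAN IS
  c_session  owa_cookie.cookie;
  v_user     app_sessions.username%TYPE;
BEGIN
  -- Read the session cookie sent by the browser with this request.
  c_session := owa_cookie.get('APP_SESSION');

  IF c_session.num_vals > 0 THEN
    BEGIN
      -- The cookie carries only an opaque random token. The username and
      -- the expiry time are held server-side, so editing the cookie in
      -- the browser cannot change who the user is or extend the session.
      SELECT username
        INTO v_user
        FROM app_sessions
       WHERE token = c_session.vals(1)
         AND expires_at > SYSDATE;

      RETURN TRUE;
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        NULL;  -- unknown or expired token: fall through and fail closed
    END;
  END IF;

  -- No cookie, or no live session for it. Send the browser to the custom
  -- login form. This must run before the caller has produced any output,
  -- which is why the check sits at the top of every protected procedure.
  owa_util.redirect_url('login_pkg.show_form');
  RETURN FALSE;
END my_authorize;
/

-- Caller, following the shape shown in the quoted message.
CREATE OR REPLACE PROCEDURE mything IS
BEGIN
  IF NOT my_authorize THEN
    RETURN;  -- redirect already sent; emit nothing else
  END IF;

  htp.print('protected content');
END mything;
/
```

Every protected procedure has to make this call itself, so a procedure that omits it is reachable without a session; reviewing each package for a missing call is part of maintaining this scheme.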
