Implementing cookie-based "authentication" via authorize - PL/SQL Cartridge

From: <tom_hansen_at_my-deja.com>
Date: Wed, 21 Jul 1999 22:53:23 GMT
Message-ID: <7n5j0v$ao3$1_at_nnrp1.deja.com>



I am working with a Web application implemented using the PL/SQL cartridge of OAS 4.0.7.

Currently, the application authentication is set to PER_PACKAGE, and there is an AUTHORIZE function in each package that authorizes appropriately for the package.

For many packages, we want the content to be publicly available, so the AUTHORIZE always returns true for those.

For others, we use owa_sec.set_protection_realm, etc., and then look up the username/password in our own database table, and in that way determine if the user exists in our database with that password.

The problem is this: we would like much more control over the authentication process, and how the prompts are given to the user.

To that end, we have decided that looking into a cookie-based authentication scheme would be best, because it would allow us to write our own custom HTML page to prompt for username and password, complete with links to a help page, etc. It would also allow us to give the user a "logout" link or button from inside the site.

HOWEVER: We are faced with the task of converting the existing application. At first I thought I could just rewrite the "AUTHORIZE" procedure to check the cookie instead of using "set_protection_realm". If the cookie is invalid or does not exist, I figured I could just use 'htp.print' in the AUTHORIZE procedure to throw the user to our custom-written procedure that would prompt them for username and password.

However, that would require that the AUTHORIZE procedure be able to abort the invocation of the original procedure that had been requested. I don't see any way to do that. If I return FALSE from the AUTHORIZE procedure, it causes the browser's authentication prompt to come up, which is what I _DON'T_ want.

So, it appears that the only alternative is to write a custom function called 'MY_AUTHORIZE' or something, and then call it at the top of all procedures in the package like this:

PROCEDURE MYTHING IS
BEGIN

       -- Leave immediately when the custom cookie check fails.
       IF NOT my_authorize THEN
              RETURN;
       END IF;

       -- :
       -- : (rest of the procedure body)

END MYTHING;

Is this true? Are there any other alternatives?

THANKS!

Received on Thu Jul 22 1999 - 00:53:23 CEST
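The pattern asked about above, sketched as an added example that is not part of the original post: a my_authorize that validates an opaque session cookie against a server-side table and redirects to a custom login page, with the package's own AUTHORIZE left returning TRUE. The table app_sessions, the cookie name SESSION_ID and the login procedure login_pkg.show_form are hypothetical names; owa_cookie.get and owa_util.redirect_url are assumed to be available in the installed PL/SQL Web Toolkit.

```plsql
-- Added example. app_sessions, SESSION_ID and login_pkg.show_form are
-- hypothetical; the login procedure is assumed to insert a row here with a
-- random token and send that token to the browser with owa_cookie.send.
CREATE TABLE app_sessions (
  token      VARCHAR2(64) PRIMARY KEY,  -- random value, never the password
  username   VARCHAR2(30) NOT NULL,
  expires_at DATE         NOT NULL
);

CREATE OR REPLACE FUNCTION my_authorize RETURN BOOLEAN IS
  c     owa_cookie.cookie;
  v_cnt PLS_INTEGER;
BEGIN
  c := owa_cookie.get('SESSION_ID');
  IF c.num_vals > 0 THEN
    -- The cookie is only a lookup key; validity and expiry are decided
    -- from the server-side row, so a forged or stale value finds nothing.
    SELECT COUNT(*)
      INTO v_cnt
      FROM app_sessions
     WHERE token = c.vals(1)
       AND expires_at > SYSDATE;
    IF v_cnt = 1 THEN
      RETURN TRUE;
    END IF;
  END IF;

  -- Missing, unknown or expired session: send the browser to the custom
  -- login page. The redirect goes out in the HTTP header, so the caller
  -- must not have printed anything yet and must RETURN at once.
  owa_util.redirect_url('login_pkg.show_form');
  RETURN FALSE;
END my_authorize;
/

CREATE OR REPLACE PROCEDURE mything IS
BEGIN
  IF NOT my_authorize THEN
    RETURN;  -- redirect already emitted, produce no page body
  END IF;
  htp.print('Protected content');
END mything;
/
```

A "logout" link then only needs to delete the row from app_sessions; the cookie left in the browser no longer matches anything.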