Saturday, February 28, 2009

more apex stuff

I am currently designing an authentication and authorization scheme for use with our Active Directory LDAP environment at work. It is a daunting task, considering that the APEX_LDAP functions don't work very well (or at all in some cases) with MS AD. The DBMS_LDAP routines, however, do work well; you just need to put in more elbow grease to make things work.

I plan on posting my code here once I have finished, but I thought I'd list the requirements here, partly because it helps to make lists to sort through complex problems, and partly because I have nothing else to post here.

Security is an extremely hot topic at work, as I am sure it is at your place of business. We get audited all the time, and being defence contractors doesn't make it any easier. We have lots of rules around account activities, passwords, and group memberships. On top of that, when developing web apps, we have further rules on cookies and sessions, among other things, that make life just that much harder for your average developer.

I am not going to go into minute detail, but the security model I am working with needs to fit into these parameters:

  1. Access must be controlled by user id and group membership in AD.
  2. Application access must be multi-layered so that not all users have the same access (where that is required).
  3. Once an application is deployed, security maintenance must be kept to a minimum to reduce total cost of ownership.

These seem simple enough, but when you flesh them out into code, things can get pretty hairy pretty quickly.

The model that I keep returning to in my mind is something like this:
  1. Groups must be created in AD for each application and each access type, e.g. APP_Developers, APP_Editors, or APP_Users.
  2. Each APEX app must use the same authentication scheme.
  3. At login, each app must validate the user against LDAP (bind with the user's own credentials, not just look the account up). Each app must maintain a table of the LDAP groups and the users in them for use in the authorization or sentry scheme.
  4. This all has to happen automatically. (ugh).
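As an added example of steps 1 to 3 above (this is not the author's code, which is promised for a later post), here is a PL/SQL function with the signature APEX expects from a custom authentication scheme, written against DBMS_LDAP rather than APEX_LDAP. It binds to AD as the user, which is the actual password check, then reads the user's memberOf attribute and looks for one application group. The host, port, wallet location, NetBIOS domain, base DN and group name are placeholders to replace with your own. Two security details are built in: an empty password is rejected before any bind, because AD answers an empty-password simple bind as a successful anonymous bind; and the username is escaped before it goes into the search filter so it cannot rewrite the query.

```sql
create or replace function auth_ad_user (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    -- Placeholder values (assumptions for this example); set them for your own AD.
    c_host       constant varchar2(100) := 'dc01.example.local';
    c_port       constant pls_integer   := 636;
    c_wallet     constant varchar2(200) := 'file:/u01/app/oracle/wallet';
    c_wallet_pw  constant varchar2(100) := null;   -- auto-login wallet assumed
    c_domain     constant varchar2(100) := 'EXAMPLE';
    c_base_dn    constant varchar2(200) := 'DC=example,DC=local';
    c_app_group  constant varchar2(100) := 'APP_Users';

    l_session    dbms_ldap.session;
    l_attrs      dbms_ldap.string_collection;
    l_message    dbms_ldap.message;
    l_entry      dbms_ldap.message;
    l_vals       dbms_ldap.string_collection;
    l_retval     pls_integer;
    l_ok         boolean := false;

    -- Escape a value for use inside an LDAP search filter (RFC 4515), so a
    -- username such as  x)(objectClass=*  cannot change what the search matches.
    function esc(p in varchar2) return varchar2 is
    begin
        return replace(replace(replace(replace(replace(p,
                   '\',    '\5c'),
                   '*',    '\2a'),
                   '(',    '\28'),
                   ')',    '\29'),
                   chr(0), '\00');
    end;
begin
    -- AD treats an empty-password simple bind as anonymous and reports success,
    -- so refuse it before touching the directory at all.
    if p_username is null or p_password is null then
        return false;
    end if;

    dbms_ldap.use_exception := true;
    l_session := dbms_ldap.init(c_host, c_port);

    -- Start TLS on the connection so the password is not sent in clear text.
    -- sslauth = 2 means one-way authentication: the server certificate is checked
    -- against the wallet.
    l_retval := dbms_ldap.open_ssl(l_session, c_wallet, c_wallet_pw, 2);

    -- Bind as the user. A bad password raises an exception (use_exception = true).
    l_retval := dbms_ldap.simple_bind_s(l_session, c_domain || '\' || p_username, p_password);

    -- Fetch the user's memberOf attribute and look for the application group.
    l_attrs(1) := 'memberOf';
    l_retval := dbms_ldap.search_s(
        ld       => l_session,
        base     => c_base_dn,
        scope    => dbms_ldap.scope_subtree,
        filter   => '(&(objectClass=user)(sAMAccountName=' || esc(p_username) || '))',
        attrs    => l_attrs,
        attronly => 0,
        res      => l_message);

    if dbms_ldap.count_entries(l_session, l_message) = 1 then
        l_entry := dbms_ldap.first_entry(l_session, l_message);
        l_vals  := dbms_ldap.get_values(l_session, l_entry, 'memberOf');
        if l_vals.count > 0 then
            for i in l_vals.first .. l_vals.last loop
                -- memberOf holds full group DNs, e.g. CN=APP_Users,OU=Apps,DC=example,DC=local
                if upper(l_vals(i)) like 'CN=' || upper(c_app_group) || ',%' then
                    l_ok := true;
                end if;
            end loop;
        end if;
    end if;

    l_retval := dbms_ldap.unbind_s(l_session);
    return l_ok;
exception
    when others then
        -- Wrong password, unreachable server, bad certificate: all end as "not logged in".
        begin
            l_retval := dbms_ldap.unbind_s(l_session);
        exception
            when others then null;
        end;
        return false;
end auth_ad_user;
/
```

Point the custom authentication scheme's authentication function at auth_ad_user and APEX will call it with the username and password from the login page. Two caveats worth knowing before relying on memberOf: it does not list the user's primary group, and it only lists direct memberships, so users who get APP_Users through a nested group will not match unless you either walk the nesting yourself or use the AD matching-rule filter (memberOf:1.2.840.113556.1.4.1941:=<group DN>) in the search. In production you would also want to log the exception text in the handler rather than swallowing it silently, so failed logins are visible to whoever audits them.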
Sadly, every time I start working on this problem, I think of another way to do it. It's hard being an obsessive/compulsive attention-deficit person. It means you obsess all the time over all sorts of different things, sometimes in parallel.

I do have the code for checking group membership (one group only) before logging into the app. So I know it can be done. Now I need to make it flexible, and incorporate more group checks.

I will post the code I've got shortly. It's nothing you couldn't find elsewhere, most likely, although I must admit I gave up looking a week or so ago.

Stay tuned...

Friday, February 27, 2009

extremely useful APEX titbit

This is one of the most useful things I have found while using the SQL Workshop. I am not an Oracle expert by any means, and I find many of their error messages useless. I discovered something so brainlessly simple it saddens me I didn't think of it myself.

Open the workshop, select 'SQL Commands' and type in the following query:

select * from user_errors;

Save this query with whatever name you want.

Next time you get something really cryptic, like

PL/SQL: Compilation unit analysis terminated

Open the query and run it. It lists the compile errors Oracle recorded for every invalid object in your schema, with the line and column of each one, which is much more useful than the one-line summary the workshop shows you.
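As an added variation on the query above (not from the original post), this joins USER_ERRORS to USER_SOURCE so each error row carries the actual source line it points at, and it filters out the compiler warnings that USER_ERRORS also records, which is what you usually want when hunting a "compilation unit analysis terminated" message. The join is on name, type and line, which both views share.

```sql
-- Each compile error with the offending line of source beside it.
-- ATTRIBUTE is 'ERROR' or 'WARNING'; drop the WHERE clause to see warnings too.
select e.name,
       e.type,
       e.line,
       e.position,
       e.text            as error_text,
       trim(s.text)      as source_line
  from user_errors e
  left join user_source s
    on s.name = e.name
   and s.type = e.type
   and s.line = e.line
 where e.attribute = 'ERROR'
 order by e.name, e.type, e.sequence;
```

Errors are reported per object, so after you fix and recompile a package, its rows disappear from USER_ERRORS; if a row lingers, that object has not been recompiled yet.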



Tuesday, February 17, 2009

You have GOT to be kidding...

I was going to post this yesterday, but was too angry to write it without using expletive after expletive. There is nothing harder to read than a page full of holes.

I received a letter from my bank yesterday, regarding my Line of Credit. The letter explained to me how the bank, such loving caring souls that they are, were going to change my Line of Credit interest rate from Prime + 1% to Prime + 5%. They are kindly doing this for my benefit, you see, because it's so hard to get credit these days due to the current world economic downturn.

Umm. How exactly does raising my interest rate 4 points translate into something beneficial to me? The argument they use is based on my need to acquire credit. They seem to have forgotten I already HAVE credit, so GETTING credit is not the issue. They are just gouging because they can.

Ooo I feel the urge to use expletives again. I had better stop for now.

Sunday, February 15, 2009

My Dad - 1927 -2009

I haven't posted in a while; it seems like forever, to me. When dealing with sickness and loss you experience what ufologists might call 'lost time'.

My Dad was in his 82nd year. Mom passed away 2 years ago on January 29 2007. Dad passed away January 28 2009. Two years less one day. I suppose one more anniversary of Mom's death just wasn't something he wanted to deal with.

Dad had been in the hospital for almost three weeks, with pneumonia. Hospitals are not good places to be in, especially if you are sick. I am pretty sure he caught the pneumonia that killed him while in hospital, because after the first week he was actually much better and was being considered for discharge. That did not happen, at least not in the way we anticipated.

We tried as hard as we could to keep him around. That included fighting the hospital every step of the way with their 'end of life' spiels. They want you to sign the 'Do Not Resuscitate' forms about a minute after you show up, whether you've got a hang-nail or are missing large parts of your skull. It is horrifying. What is frightening is that if you start to ask questions about quality of life and seriousness of illness, you will find that even the staff reluctantly admit that maybe Do Not Resuscitate is a bit, how shall we say, excessive. Dad, had he survived, would not have been impaired physically or mentally. He would have needed to move into an assisted-care facility, but that is not a drastic change. It's not like he wouldn't be able to feed himself, or walk, or be able to understand us. It's very complicated and it makes me tired thinking about it, but it seems the hospital wanted us to throw in the towel just because he was 81. Really. And we wouldn't.

Dad threw in the towel himself. And that makes all the difference.