CREATE OR REPLACE FUNCTION apex_sentry_ntnm
   RETURN BOOLEAN
IS
   v_app_id            APEX_APPLICATION.g_flow_id%TYPE;
   l_username          VARCHAR2 (512);
   l_session_id        NUMBER;
   l_raw               RAW (1000);
   l_domain            VARCHAR2 (128);
   l_user              VARCHAR2 (128);
   l_auth              VARCHAR2 (512);
   l_decode            VARCHAR2 (2000);
   l_off               PLS_INTEGER := 0;
   l_length            PLS_INTEGER;
   l_offset            PLS_INTEGER;
   l_htp_buffer        HTP.htbuf_arr;
   l_htp_rows          INTEGER;
   l_url               VARCHAR2 (500);
   l_charset           VARCHAR2 (128);
   l_browser_version   VARCHAR2 (128);
BEGIN

   v_app_id := APEX_APPLICATION.g_flow_id;
   l_username := APEX_CUSTOM_AUTH.get_username;

   -- if session is valid return true
   IF     APEX_CUSTOM_AUTH.is_session_valid
      AND APEX_APPLICATION.g_user IS NOT NULL
      AND UPPER (APEX_APPLICATION.g_user) != 'NOBODY'
   THEN
      RETURN TRUE;
   END IF;

   IF APEX_CUSTOM_AUTH.is_session_valid
   THEN
      APEX_CUSTOM_AUTH.set_session_id (
         APEX_CUSTOM_AUTH.get_session_id_from_cookie);

      l_username := APEX_CUSTOM_AUTH.get_username;

      IF l_username IS NOT NULL AND l_username != 'NOBODY'
      THEN
         APEX_CUSTOM_AUTH.set_user (l_username);
      END IF;
     ELSE
       apex_custom_auth.set_session_id(apex_custom_auth.GET_NEXT_SESSION_ID);

   END IF;

   -- check, if the user is already logged into apex
   APEX_APPLICATION.g_flow_id := 111;

   IF APEX_CUSTOM_AUTH.is_session_valid
   THEN
      APEX_APPLICATION.g_instance :=
         APEX_CUSTOM_AUTH.get_session_id_from_cookie;
      APEX_APPLICATION.g_user := APEX_CUSTOM_AUTH.get_username;

   END IF;

   APEX_APPLICATION.g_flow_id := v_app_id;

   IF UPPER (l_username) = 'NOBODY'
   THEN

      l_auth := OWA_UTIL.get_cgi_env ('AUTHORIZATION');

      IF l_auth IS NULL
      THEN

         OWA_UTIL.status_line (nstatus         => 401,
                               creason         => 'Unauthorized',
                               bclose_header   => FALSE);
         HTP.P ('WWW-Authenticate: NTLM');
         OWA_UTIL.mime_header ('text/html', FALSE, 'utf-8');
         OWA_UTIL.http_header_close;
         wwv_flow.g_unrecoverable_error := TRUE;
         RETURN FALSE;
      END IF;


      l_decode :=
         UTL_ENCODE.text_decode (buf        => SUBSTR (l_auth, 6),
                                 encoding   => UTL_ENCODE.BASE64);

      l_raw := UTL_RAW.cast_to_raw (l_decode);


      IF UTL_RAW.cast_to_binary_integer (UTL_RAW.SUBSTR (l_raw, 14, 1)) !=
            130
      THEN
         IF UTL_RAW.cast_to_binary_integer (UTL_RAW.SUBSTR (l_raw, 9, 1)) = 1
         THEN
            OWA_UTIL.mime_header ('text/html', FALSE, 'utf-8');
            OWA_UTIL.status_line (nstatus         => 401,
                                  creason         => 'Unauthorized',
                                  bclose_header   => FALSE);
            HTP.P (
               'WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAAAICAgAAAAAAAAAAAAAAAA==');
            OWA_UTIL.http_header_close;
            wwv_flow.g_unrecoverable_error := TRUE;
            RETURN FALSE;
         END IF;

         -- Determine DB charset and convert raw to WE8MSWIN1252, thanks to Andrew Barbaccia
         SELECT VALUE
           INTO l_charset
           FROM nls_database_parameters
          WHERE parameter = 'NLS_CHARACTERSET';

         l_length :=
                UTL_RAW.cast_to_binary_integer (
                   UTL_RAW.SUBSTR (l_raw, 32, 1))
              * 256
            + UTL_RAW.cast_to_binary_integer (UTL_RAW.SUBSTR (l_raw, 31, 1));
         l_offset :=
                UTL_RAW.cast_to_binary_integer (
                   UTL_RAW.SUBSTR (l_raw, 34, 1))
              * 256
            + UTL_RAW.cast_to_binary_integer (UTL_RAW.SUBSTR (l_raw, 33, 1));
         l_domain :=
            REPLACE (
               REPLACE (
                  SUBSTR (
                     CONVERT (UTL_RAW.cast_to_varchar2 (l_raw),
                              l_charset,
                              'WE8MSWIN1252'),
                     l_offset + 1,
                     l_length),
                  CHR (0),
                  NULL),
               CHR (15),
               NULL);
         l_length :=
                UTL_RAW.cast_to_binary_integer (
                   UTL_RAW.SUBSTR (l_raw, 40, 1))
              * 256
            + UTL_RAW.cast_to_binary_integer (UTL_RAW.SUBSTR (l_raw, 39, 1));
         l_offset :=
                UTL_RAW.cast_to_binary_integer (
                   UTL_RAW.SUBSTR (l_raw, 42, 1))
              * 256
            + UTL_RAW.cast_to_binary_integer (UTL_RAW.SUBSTR (l_raw, 41, 1));
         l_user :=
            REPLACE (
               SUBSTR (
                  CONVERT (UTL_RAW.cast_to_varchar2 (l_raw),
                           l_charset,
                           'WE8MSWIN1252'),
                  l_offset,
                  l_length),
               CHR (0),
               NULL);

         IF l_domain IS NULL
         THEN
            l_username := l_user;
         ELSE
            l_username := l_domain || '\' || l_user;
         END IF;

         APEX_APPLICATION.g_user := l_username;
      ELSE                                           -- cast_to_binary_integer

         OWA_UTIL.status_line (nstatus         => 401,
                               creason         => 'Unauthorized',
                               bclose_header   => FALSE);
         HTP.P (
            'WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAAAICAgAAAAAAAAAAAAAAAA==');
         OWA_UTIL.mime_header ('text/html', FALSE, 'utf-8');
         OWA_UTIL.http_header_close;
         wwv_flow.g_unrecoverable_error := TRUE;
         RETURN FALSE;
      END IF;                                        -- cast_to_binary_integer
   END IF;

   IF APEX_APPLICATION.g_user IS NULL
   THEN
      RETURN FALSE;
   END IF;

   -- user is an apex user and logged in
   IF     APEX_APPLICATION.g_user IS NOT NULL
      AND UPPER (APEX_APPLICATION.g_user) != 'NOBODY'
   THEN
      APEX_CUSTOM_AUTH.set_session_id_to_next_value;

      APEX_CUSTOM_AUTH.define_user_session (
         p_user         => APEX_APPLICATION.g_user,
         p_session_id   => APEX_APPLICATION.g_instance);

      APEX_CUSTOM_AUTH.post_login (
         p_uname        => APEX_APPLICATION.g_user,
         p_session_id   => APEX_APPLICATION.g_instance,
         p_app_page     =>    APEX_APPLICATION.g_flow_id
                           || ':'
                           || NVL (APEX_APPLICATION.g_flow_step_id, 1));
      RETURN TRUE;
   END IF;

   RETURN FALSE;
EXCEPTION
   WHEN OTHERS
   THEN
      OWA_UTIL.status_line (nstatus         => 401,
                            creason         => 'Unauthorized',
                            bclose_header   => FALSE);
      HTP.P ('WWW-Authenticate: NTLM');
      OWA_UTIL.mime_header ('text/html', FALSE, 'utf-8');
      OWA_UTIL.http_header_close;
      wwv_flow.g_unrecoverable_error := TRUE;
      RETURN FALSE;
END;
/