Application Context

I have an application written on the Struts framework. In the application, configuration information is placed in application state on startup using
servlet.getContext().setAttribute

When working in database plus middle-tier environments, the most common issue is the challenge of identifying who the real user is.
Is your application coded in such a way that the only application user you see is the schema owner?
Are the users validated at the application level and not at the database level?
Are you using plsql web applications?
Only for plsql and mod_plsql is it possible to identify the db user, just in case you are passing connect information through the DAD; otherwise you will have to set up a proxy user and validate the user through single sign-on, but this means you have already configured your Identity Management realm.
Otherwise, you will have to change the application coding, so session information is passed through the URL and locally stored as a cookie in the client's browser.
For further information on these configurations you may want to read the security manual:
Preserving User Identity in Multitiered Environments.
~ Madrid.

Similar Messages

  • Getting values from application context

    I want to set an input box with the value from the jsp getRemoteHost() in jsf page..
    In my page i have this
    <h:inputText value="#{sok.Searchstring}">...
    where the reference sok is a java bean
    public class sok {
         // Field renamed from Searchstring so the accessors below compile.
         private String sokVerdi;
         public sok() {
              // I want to set the Searchstring = getRemoteHost()
         }
         public String getSearchstring() {
             return this.sokVerdi;
         }
         public void setSearchstring(String data) {
             this.sokVerdi = data;
         }
    }
    How can this be done? Should I avoid using http request.. couldn't I get it from the application context, and how do I do that?? I am kinda empty on ideas to solve this very issue.

    I am getting getRemoteHost() to work perfectly.. and getParameter() too.. but when I try doing getRemoteUser(), it gives me null.. I also did getRemoteUser() in the jsf file, and there I do get the right output..
    How come? Why do I not get the correct value from the java bean?
    public sok() {
              ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
              HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
              sokVerdi = "h: " + httpServletRequest.getRemoteUser();
              //sokVerdi = "g: " + httpServletRequest.getParameter("fardin");
                   //sokVerdi = "g: " + httpServletRequest.getRemoteHost();
         }

  • Multiple values in 1 application context

    All, I'm trying to return multiple values from a query and store them in an application context.
    I have an employee that can be a part of multiple divisions. I already captured emp_id:
    dbms_session.set_context('COMPANY', 'emp_id', emp_id);
    but also want to capture division_id for the person. Most people will only have 1 division_id, but some will have multiple division_id's.
    What's the best way for me to capture multiple numeric values and store them in an application context like this.
    I'm trying to set up VPD policies and don't want to have to reissue a query every time I need to access the division_id.
    Thanks,
    Jon.

    One option would be to store a comma-delimited list of the division_ids in the context and then your VPD filter can use this and the TABLE function to limit the rows:
    sql>create or replace type NumberTable as table of number;
      2  /
    Type created.
    sql>create or replace function f_number_table(
      2    p_list       in  varchar2,
      3    p_delimiter  in  varchar2 default ',')
      4    return numbertable
      5  is
      6    v_string  long := p_list || p_delimiter;
      7    v_pos     pls_integer;
      8    v_data    numbertable := numbertable();
      9  begin
    10    loop
    11      v_pos := instr(v_string, p_delimiter);
    12      exit when (nvl(v_pos, 0) = 0);
    13      v_data.extend;
    14      v_data(v_data.count) := trim(substr(v_string, 1, v_pos - 1));
    15      v_string := substr(v_string, v_pos + 1);
    16    end loop;
    17    return (v_data);
    18  end f_number_table;
    19  /
    Function created.
    Then, in your VPD package:
    -- build a list of the division_ids by looping through a cursor
    -- set the context using this list of division_ids:
    dbms_session.set_context('company', 'div_id', '10,20');
    -- later, you would replace the literal value below with a call to sys_context to retrieve it
    sql>select empno, ename, deptno
      2    from emp
      3   where deptno in (select *
      4                      from table(f_number_table('10,20')));
        EMPNO ENAME         DEPTNO
         7782 CLARK             10
         7839 KING              10
         7934 MILLER            10
         7369 SMITH             20
         7876 ADAMS             20
         7902 FORD              20
         7788 SCOTT             20
         7566 JONES             20
    8 rows selected.
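
The answer above stops at a literal `'10,20'`. As an added example (not part of the original post), this is one way to wire the comma-delimited context value into a registered VPD policy. The schema `APP`, package `COMPANY_CTX_PKG`, table `EMP_DIVISIONS` and policy name `EMP_DIV_POLICY` are assumptions; `f_number_table` and `NumberTable` are the objects from the answer, assumed to live in `APP`.

```sql
-- Added example. Assumed names: schema APP, package COMPANY_CTX_PKG,
-- table EMP_DIVISIONS(emp_id, division_id), policy EMP_DIV_POLICY.

-- Only APP.COMPANY_CTX_PKG may write to the COMPANY namespace. Any other
-- caller of DBMS_SESSION.SET_CONTEXT('COMPANY', ...) fails with ORA-01031,
-- so a user cannot widen their own division list.
CREATE OR REPLACE CONTEXT company USING app.company_ctx_pkg;

CREATE OR REPLACE PACKAGE app.company_ctx_pkg AS
  -- Called once per session (or per request when sessions are pooled).
  PROCEDURE set_divisions(p_emp_id IN NUMBER);

  -- VPD policy function: the signature is fixed by DBMS_RLS.
  FUNCTION div_predicate(p_schema IN VARCHAR2,
                         p_object IN VARCHAR2) RETURN VARCHAR2;
END company_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY app.company_ctx_pkg AS

  PROCEDURE set_divisions(p_emp_id IN NUMBER) IS
    -- A list longer than 4000 bytes raises ORA-06502 here instead of
    -- being silently truncated.
    v_list VARCHAR2(4000);
  BEGIN
    FOR r IN (SELECT division_id
                FROM app.emp_divisions
               WHERE emp_id = p_emp_id
               ORDER BY division_id)
    LOOP
      -- TO_CHAR of a NUMBER column: the list can only contain digits
      -- and the delimiter.
      v_list := v_list
                || CASE WHEN v_list IS NOT NULL THEN ',' END
                || TO_CHAR(r.division_id);
    END LOOP;

    DBMS_SESSION.SET_CONTEXT('COMPANY', 'emp_id', TO_CHAR(p_emp_id));
    DBMS_SESSION.SET_CONTEXT('COMPANY', 'div_id', v_list);
  END set_divisions;

  FUNCTION div_predicate(p_schema IN VARCHAR2,
                         p_object IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- The predicate text is constant. SYS_CONTEXT is evaluated when the
    -- statement runs, so the list is never concatenated into SQL text.
    -- The third argument raises the default 256-byte return length to
    -- 4000 so that long lists are not cut short.
    RETURN 'deptno IN (SELECT column_value FROM TABLE(app.f_number_table('
        || 'SYS_CONTEXT(''COMPANY'', ''div_id'', 4000))))';
  END div_predicate;

END company_ctx_pkg;
/

-- Attach the policy to the table used in the answer's query.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'EMP',
    policy_name     => 'EMP_DIV_POLICY',
    function_schema => 'APP',
    policy_function => 'COMPANY_CTX_PKG.DIV_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

A session in which `set_divisions` was never called sees no rows: `f_number_table` returns a single NULL element for an empty list, and `deptno IN (NULL)` matches nothing.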

  • Application Context - VPD

    APEX: 2.0.0.00.49
    DB: 10R2
    I am using table based security. Upon login, I am setting a number of different context variables (e.g., sessionid, userid, name, etc). They are also being set in my application (F100_SESSIONID, F100_USERID, etc).
    Recently, our company decided to host another company's data. Not having EE, I decided to add a column to the appropriate tables and then create views accessible through the application. Each view would have a predicate:
    WHERE companycode = SYS_CONTEXT( 'PFS_CTX', 'COMPANYCODE' )
    Now, after submit, (I haven't tested every single page), session state seems to be lost.
    Debug info before Submit:
    0.00: S H O W: application="100" page="26" workspace="" request="" session="12483598699829578467"
    0.00: ...Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
    0.00: alter session set nls_language="AMERICAN"
    0.00: alter session set nls_territory="AMERICA"
    0.00: NLS: CSV charset=WE8MSWIN1252
    0.00: ...Setting NLS Decimal separator="."
    0.00: ...Setting NLS Group separator=","
    0.00: ...Setting NLS date format="DD-MON-RR"
    0.00: NLS: Language=en-us
    0.00: Application 100, Authentication: CUSTOM2, Page Template: 653625525474071
    0.02: ...Supplied session ID can be used
    0.02: ...Application session: 12483598699829578467, user=USER_PFS
    0.02: ...Determine if user PFS_ADMIN with SGID 635206529335328 can develop application 100 in workspace 635206529335328
    0.02: Fetch session state from database
    0.02: Fetch session header information
    0.02: ...fetch page attributes: f100, p26
    0.02: Branch point: BEFORE_HEADER
    0.03: Fetch application meta data
    0.03: Computation point: BEFORE_HEADER
    0.03: Processing point: BEFORE_HEADER
    0.03: Show page template header
    0.03: Computation point: AFTER_HEADER
    0.03: Processing point: AFTER_HEADER
    The Select List I have renders correctly. The query behind the Select List is:
    SELECT projectname, projectid
    FROM pnet_projects
    The view text is:
    SELECT projectid, projectname,...
    FROM vw_projects
    WHERE companycode = SYS_CONTEXT( 'PFS_CTX', 'COMPANYCODE' )
    After Submit, the Select List is empty and here is the Debug info:
    0.00: A C C E P T: Request="SUBMIT"
    0.00: Fetch application info
    0.00: wwv_flow.g_flow_language_derived_from=FLOW_PRIMARY_LANGUAGE: wwv_flow.g_browser_language=en-us
    0.00: alter session set nls_language="AMERICAN"
    0.00: alter session set nls_territory="AMERICA"
    0.00: NLS: CSV charset=WE8MSWIN1252
    0.00: ...Setting NLS Decimal separator="."
    0.00: ...Setting NLS Group separator=","
    0.00: ...Setting NLS date format="DD-MON-RR"
    0.02: Fetch session state from database
    0.02: ...Check instance 12483598699829578467 owner
    0.02: ...Fetch iconbar, page, computation, process, ...
    0.02: Fetch session header information
    0.02: ...fetch page attributes: f100, p26
    0.02: ...Check security schemes
    0.02: Save form items and p_arg_values
    0.02: ...P26_PROJECTID session state saving same value: "NONE"
    0.02: ...P26_TIMEIN session state saving same value: ""
    0.03: ...P26_PERSONID session state saving same value: ""
    0.03: Processing point: ON_SUBMIT_BEFORE_COMPUTATION
    0.03: Branch point: BEFORE_COMPUTATION
    0.03: Computation point: AFTER_SUBMIT
    0.03: Perform Branching for Tab Requests
    0.03: Branch point: BEFORE_VALIDATION
    0.03: Perform validations:
    0.03: Display inline error messages that are a result of failed validations.
    0.03: S H O W: application="100" page="26" workspace="" request="" session="12483598699829578467"
    0.03: NLS: Language=en-us
    0.03: Application 100, Authentication: CUSTOM2, Page Template: 653625525474071
    0.05: ...Supplied session ID can be used
    0.05: ...Application session: 12483598699829578467, user=USER_PFS
    0.05: ...Determine if user PFS_ADMIN with SGID 635206529335328 can develop application 100 in workspace 635206529335328
    0.05: ...fetch page attributes: f100, p26
    0.05: Branch point: BEFORE_HEADER
    0.05: Fetch application meta data
    0.05: Computation point: BEFORE_HEADER
    0.05: Processing point: BEFORE_HEADER
    0.05: ......do not perform process because inline validation condition found.
    0.05: ...Recompute field lables for fields in error.
    0.05: Show page template header   
    0.05: Computation point: AFTER_HEADER
    0.05: Processing point: AFTER_HEADER
    In the ACCEPT portion, there's a line "Fetch session state from database" which I am guessing gets the Application Context. There is no such line in the SHOW section.
    I have used Branch to Page Identified by Item and a Branch to Page or URL. Same result.
    Does anyone have a suggestion as to how I should proceed? Can I use APEX/Application Context in this manner?
    chet

    FUNCTION login
      (p_username IN VARCHAR2,
       p_password IN VARCHAR2,
       p_systemcode IN VARCHAR2 DEFAULT 'PFS') RETURN NUMBER
    IS
      l_sessionid NUMBER(15);
      l_password PERSON_SYSTEMS_TAB.PASSWORD%TYPE;
      l_personsystemid PERSON_SYSTEMS_TAB.PERSONSYSTEMID%TYPE;
      l_personid PERSON_SYSTEMS_TAB.PERSONID%TYPE;
      l_passwordexpires PERSON_SYSTEMS_TAB.PASSWORD_EXPIRES%TYPE;
      l_accountlocked PERSON_SYSTEMS_TAB.ACCOUNTLOCKED%TYPE;  
      l_expiredate DATE;
      l_entityid ENTITY_TAB.ENTITYID%TYPE;
      l_companyname VARCHAR2(150);
      l_companycode VARCHAR2(30);
    BEGIN
      SELECT password, personsystemid, personid, password_expires, accountlocked, date_expired, companycode
      INTO l_password, l_personsystemid, l_personid, l_passwordexpires, l_accountlocked, l_expiredate, l_companycode
      FROM vw_person_systems
      WHERE systemcode = p_systemcode
        AND date_expired IS NULL
        AND UPPER( username ) = UPPER( p_username );
      IF l_password = p_common.hash(p_username, p_password) THEN --successful login
      --1 create session
      --2 set app context
      --3 return sessionid
        l_sessionid := create_session( l_personsystemid );
        l_companyname := p_common.get_company_name( l_personid ); 
        l_entityid := p_common.get_entityid( l_personid );
        p_ctx.set_sessionid( l_sessionid );        
        p_ctx.set_context( 'NAME', p_login.get_name( l_personid ) );
        p_ctx.set_context( 'PERSONSYSTEMID', l_personsystemid );
        p_ctx.set_context( 'PERSONID', l_personid );
        p_ctx.set_context( 'COMPANYID', SUBSTR( l_companyname, 1, INSTR( l_companyname, ':' ) - 1 ) );
        p_ctx.set_context( 'COMPANYNAME', SUBSTR( l_companyname, INSTR( l_companyname, ':' ) + 1, LENGTH( l_companyname ) ) );
        p_ctx.set_context( 'SESSIONID', l_sessionid );
        p_ctx.set_context( 'EMAILADDRESS', p_username );
        p_ctx.set_context( 'ENTITYID', l_entityid );
        p_ctx.set_context( 'COMPANYCODE', l_companycode );
      END IF;
      RETURN l_sessionid;
    EXCEPTION
      WHEN no_data_found THEN
        raise_application_error(-20002, 'invalid username');
    END login;
    None of this code has changed in quite some time. The only thing that changed was the view reference from APEX. This seems to occur only when the page is submitted (with or without validations).

  • How to define JAXP Parsers and Transformer in a Web Application Context

    Hi
    I need to define JAXP Parsers and Transformer in a Web Application Context where I can deploy this application in any J2EE Application Server without modifying the server. That means that I can't set System properties or set the jaxp.properties file. I tried to use the META-INF/services/javax.xml.transform.TransformerFactory file but it didn't work.
    Any ideas?


  • JBO-33008 Error finding application context

    Can anyone explain what causes JBO-33008 or where I can find more information on the exception. I have been unable to find any documentation (even the help in JDev goes from 34001 to 55001). Any information would be greatly appreciated.
    Thanks in advance.
    Deb
    oracle.jbo.JboException: JBO-33008: Error finding application context
    at oracle.jbo.server.ContextMetaObjectManager.getCurrentApplicationMap(ContextMetaObjectManager.java:73)
    at oracle.jbo.server.ContextMetaObjectManager.findLoadedObject(ContextMetaObjectManager.java:55)
    at oracle.jbo.mom.DefinitionManager.getDynamicObjectsContainer(DefinitionManager.java:604)
    at oracle.jbo.mom.DefinitionObject.isDynamicDefinitionObject(DefinitionObject.java:141)
    at oracle.jbo.server.DefObject.isDynamic(DefObject.java:46)
    at oracle.jbo.server.ComponentDefImpl.unsetDefForComponent(ComponentDefImpl.java:200)
    at oracle.jbo.server.ComponentObjectImpl.setDef(ComponentObjectImpl.java:53)
    at oracle.jbo.server.ViewObjectImpl.setDef(ViewObjectImpl.java:498)
    at oracle.jbo.server.ApplicationModuleImpl.removeChild(ApplicationModuleImpl.java:649)
    at oracle.jbo.server.ComponentObjectImpl.remove(ComponentObjectImpl.java:225)
    at oracle.jbo.server.ViewObjectImpl.remove(ViewObjectImpl.j
    [Long postings are being truncated to ~1 kB at this time.]

    Evidently the 'Search Forum' is not catching everything. I did find this discussion by scrolling through.
    JBO-33008 error finding application context

  • Application contexts in multi-user environments

    [Oracle9i Enterprise Edition Release 9.2.0.3.0]
    Hi,
    I'm experimenting with application contexts as a means of utilizing bind variables in variable WHERE clauses.
    In a multi-user environment where the database is accessed from an application using a single user id, are there any conflicts involved when the same procedure is accessed multiple times and the same context variable is set to different values by each call? In other words, can I assume that between the time the user_id of my_context is set and the query is executed in procedure call 1 that those values will be used and not be affected by other procedure calls also setting the user_id of my_context?
    Thanks,
    Ed Holloman
    ================================================
    create or replace context my_context using my_proc;
    ================================================
    In procedure call 1 to my_proc:
    ================================================
    my_query := 'SELECT * FROM my_table ' ||
    'WHERE user_id = sys_context(''my_context'',''user_id'')';
    dbms_session.set_context('my_context', 'user_id', '12345');
    OPEN my_refcursor FOR
    my_query;
    ================================================
    In procedure call 2 to my_proc:
    ================================================
    my_query := 'SELECT * FROM my_table ' ||
    'WHERE buyer_id = sys_context(''my_context'',''user_id'')';
    dbms_session.set_context('my_context', 'user_id', '45678');
    OPEN my_refcursor FOR
    my_query;
    ================================================
    etc.

    A quick little test shows John's statement in action:
    sql>create or replace procedure test_procedure
      2    (p_value in  pls_integer,
      3     p_rc    out sys_refcursor)
      4  is
      5  begin
      6    dbms_session.set_context('TEST_CONTEXT', 'VALUE', to_char(p_value));
      7    open p_rc for select sys_context('TEST_CONTEXT', 'VALUE') from dual;
      8  end;
      9  /
    Procedure created.
    sql>var rc1 refcursor
    sql>var rc2 refcursor
    sql>exec test_procedure(1, :rc1)
    PL/SQL procedure successfully completed.
    sql>exec test_procedure(2, :rc2)
    PL/SQL procedure successfully completed.
    sql>print rc2
    SYS_CONTEXT('TEST_CONTEXT','VALUE')
    2
    1 row selected.
    sql>print rc1
    SYS_CONTEXT('TEST_CONTEXT','VALUE')
    1
    1 row selected.
    Note the original value (1) has not been stomped on by the second execution even though we fetched this after that second execution and fetch sequence.

  • Different applications context in iStore

    We have implemented several minisites in iStore and have a question regarding using different contexts for different minisites.
    Is it possible to configure iStore in a way that different minisites can have different application contexts?
    For instance:
    Instead of using a common URL like
    http://server.domain.com/OA_HTML/ibeCZzpHome.jsp?a=b
    We want to use
    http://server.domain.com/OA_DOGS/ibeCZzpHome.jsp?a=b
    http://server.domain.com/OA_CATS/ibeCZzpHome.jsp?a=b
    So OA_DOGS always refers to a particular miniSite (minisite=10020)
    and OA_CATS always refers to another miniSite (minisite=10021)
    Thanks Mayu

    You were not asking for a separate minisite for different users; instead you are asking for different applications under one single domain.
    But we can have any number of minisites to address your need; you just need to create them using the iStore Admin responsibility. If you want to restrict some of the users to access only some of the minisites, then go for responsibility key / operating unit differentiation or see CRM Administration - Roles and Responsibilities to implement the requirement.
    There you can define 2 different responsibilities like IBE_CUSTOMER_DOGS, who can only access the sites you allow him in iStore Admin, and IBE_CUSTOMER_CATS, allowed to see only minisites meant for CATS.
    thanks
    Praveen Reddy

  • Report Export - No data when query based on Application Context

    I updated my Query Region source to use a Global Application Context and now the Report Export (to .csv) download has no data. This appears to run the query again under a different session_id perhaps(?)
    In a before header process I set the session_id to access a couple of date values set by the user via LOVs - the 'Search' button and an After Submit Process sets the context values which are accessed in the where clause, i.e
    where date_attribute between to_date( SYS_CONTEXT('MY_CTX', 'START_DATE'), 'dd-Mon-yyyy')
    and to_date( SYS_CONTEXT('MY_CTX', 'END_DATE'), 'dd-Mon-yyyy')
    If you know any solution or alternative approach I'd be very grateful for your tips. I like Apex because you can leverage core Oracle database technology but then in some case you do hit these little troubles!
    Thanks
    Craig

    Thanks for the link to the posts.
    I considered the Security Attribute but thought that was somewhat inappropriate for just the one page I am setting the context; I understand the Security Attribute function would set 'My_Ctx' values on all page requests.

  • Application context & Finegrain Security

    I tried to implement security on a table (row level) using application context & fine grain. The policy predicate function for fine grain works fine, but when I tried to use application context & fine grain together it says no rows found all the time. So something is going wrong in the application context. If anybody knows this topic, please respond.

    Actually, our aim is to change our client/server tech. to web enabled.
    According to my study in google and in oracle forums......
    Server1:
    OS: RHEL 5
    DB: oracle database 10g
    In this server what security softwares i have to install?
    What else i have to install in server1?
    Server2:
    OS: RHEL 5
    OAS: Oracle Application Server (which version to install?)
    In oracle application server what are all the components i have to select while installing
    In this server what security softwares i have to install?
    what else i have to install in server2?
    Do i need anyother server? if yes, what i should install in that server? what is for?
    thanks

  • Application Context Security

    Is there any limitations on the value that the Application Context can hold?

    Dear Frank,
    "Instead you have a single identity management system and have the application policies being different for the applications. Using ADF Security, users and groups can have different privileges in different applications"
    Suppose I have 3 applications that use ADF security; the users will be common to all applications, right..? Roles and groups can be different for applications.
    Application policies means roles and groups..?
    So how can it (application policies) be made different for applications? Is it inbuilt or is some configuration needed? Can you point me to some blogs or tutorials for more reference.
    Bet: In case I hook up ADF security with a database schema.
    Regards,
    Santosh.

  • Application context vs system context

    Could you enlighten me about application context and system context and their implementations.
    Thanks.


  • Application Context - Add policy

    How can I apply an application context policy to all tables in a database?

    Check Note: 362663.1 - How to implement (Signon Password Custom) Profile Option in Oracle Applications 11i
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=362663.1

  • Why it need in spring application context if integrated with hiberate

    Dear all,
    in hiberate.xml which has specified the connection data source. I don't understand why the following need to be defined in spring application context.
    Or I have made a mistake that data source connection can be defined in hiberate.xml or in spring application context but not both???
    <!-- Local DataSource that works in any environment -->
    <!-- Note that DriverManagerDataSource does not pool; it is not intended for production -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName"><value>${jdbc.driverClassName}</value></property>
    <property name="url"><value>${jdbc.url}</value></property>
    <property name="username"><value>${jdbc.username}</value></property>
    <property name="password"><value>${jdbc.password}</value></property>
    </bean>

    Rchiu5hk wrote:
    Dear all,
    in hiberate.xml which has specified the connection data source. I don't understand why the following need to be defined in spring application context.
    Your instinct is a good one. "Don't Repeat Yourself" is good advice.
    Or I have made a mistake that data source connection can be defined in hiberate.xml or in spring application context but not both???
    I agree with you - I would not put it in both.
    My preference is to put the data connection information into Spring, not Hibernate, and simply refer to the Hibernate configuration in my session factory:
       <bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
          <property name="dataSource" ref="dataSource"/>
          <property name="configLocation" value="classpath:hibernate.cfg.xml"/>
       </bean>
    That way I can use DriverManager or JNDI for my connection as needed.

  • Required application context reporting is not available

    I've just installed HPM 11.1.1.1 (product: ESSBASE/foundation/planning/Financial reporting) and I'm now testing Financial Reporting.
    I created a financial report as indicated in http://oraclebizint.wordpress.com/2008/06/07/hyperion-financial-reporting-getting-started
    I can run this report in Financial reports (PDF view)
    1. But I cannot run the report in HTML (Hyperion Workspace) : error "Required application context reporting is not available"
    2. Besides I notice that in Workspace -> explorer the voice File -> Import -> "Financial Reports" is missing.
    Maybe something was wrong in installation, but I did it twice .... and Diagnostics reports no errors.
    So, is there some more activity to be done on Workspace/Financial reports so that integration of these two products work correctly ??
    (Note: installing on Microsoft windows 2003 server - deploying on Tomcat and IIS6 web server)
    Regards
    Marina

    This one has frustrated me to no end as well! One would think that when you install FR/WA they would automatically register themselves with Workspace as part of their configuration process (and one would be wrong).
    The solution is to go back and run the configuration tool again. The only thing you have to select this time is Foundation Services... Workspace... Configure Web Server, then restart the two Workspace services.

  • Setting Application Context Attributes for Enterprise Users Based on Roles

    Hello,
    We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
    I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
    -- For each record in my RoleSitePrivileges table, set
    --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
    --   If the current user has been assigned a role matching
    --   the value in the 'RoleName' field, set the corresponding
    --   attribute to 'Y'... otherwise, set it to 'N'.
    FOR iPrivRec IN (SELECT RoleName, SiteID
                       FROM RoleSitePrivileges
                       ORDER BY SiteID)
       LOOP
          SELECT COUNT(*)
            INTO roleExists
            FROM dba_role_privs
            WHERE granted_role = UPPER(iPrivRec.RoleName)
              AND grantee = USER;
          IF roleExists > 0 THEN
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'Y');
          ELSE
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'N');
          END IF;
       END LOOP;
    To finish things off, I created a security policy function for the table which returns the following:
    RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                         FROM session_context
                         WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                            AND value = ''Y'')';
    This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully log in to the database, and I can see the appropriate global role assignments when I query the session_roles view.
    I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the application context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
    I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
    So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user ? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
    Thank you!

