VPD in APEX

I have a VPD created on my DEPT table. This calls a function which checks security and limits the Departments a user can see. On Page 0, I have a select list, which shows the user the Depts they have access to:
Select Deptno, Deptname
from DEP
When I go into APEX, the VPD works perfectly on all pages except page 1. On page 1, the select list shows all the Depts; on all other pages it only shows the ones the user has security for. Any idea why the VPD would not work on page 1 only?


Similar Messages

  • Using VPD in APEX

    I need to use a VPD in APEX to restrict access to seeing some records. In other Oracle apps I did with VPD, I did these steps:
    1) Created a view (SP_TEACHER)
    2) Created a function to dynamically set the predicate (where)
    3) Created a policy
    begin
      dbms_rls.add_policy(
        object_schema   => 'STARS3',
        object_name     => 'SP_TEACHER',
        policy_name     => 'SP_TEACHER_POLICY',
        function_schema => 'STARS3',
        policy_function => 'sp_teacher_predicate');
    end;
    Is this the appropriate way to handle fine grained access in APEX applications? I see there is a section in Shared Components - Security that has a VPD call section.

    Hi Bob,
    The VPD section in APEX is actually a different concept really, any code you place in the VPD section is executed for each page request.
    I'm not trying to do a 'hard sell' here, but in my book (Pro Application Express) there is a whole section dedicated to data security (chapter 5) where I cover using the 'traditional VPD' functionality in the database with APEX.
    John.
    Blog: http://jes.blogs.shellprompt.net
    Work: http://www.apex-evangelists.com
    Author of Pro Application Express: http://tinyurl.com/3gu7cd
    REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!

  • VPD in Apex using Standard or XE version of database

    I was planning to use the VPD method of security in my APEX application. Some of my sites are using Standard Edition and XE edition of database. Is it true that VPD only works in Enterprise Edition of database? If so, any suggestion on how to implement the same type of security in APEX without VPD?
    Thanks!

    Bob,
    VPD functionality essentially gives the database the ability to dynamically add extra predicate information to your queries at runtime (as a simplification). This is enforced at the database level.
    So, you're never going to really be able to implement the same type of security (since you can't develop something that is processed at that same level).
    The only way you could really come close to it is by not giving end users direct access to the underlying tables and using either views (combined with application contexts) and/or table API's. If you give your end users access to the underlying tables and you haven't taken additional precautions then all bets are off (for example if you implement your functionality from inside your APEX app, someone could circumvent it by using SQLPlus etc).
    I'm a huge fan of VPD (I included a section on it in my Pro Application Express book where I discuss using Application Contexts too), you can roll-your-own to a certain degree, but no you can't come close to the level of functionality true VPD gives you from a database-enforced level anyway.
    Also, take a look at this AskTom thread which discusses contexts -
    http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4514782352602
    Hope this helps,
    John.
    Blog: http://jes.blogs.shellprompt.net
    Work: http://www.apex-evangelists.com
    Author of Pro Application Express: http://tinyurl.com/3gu7cd
    REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!

  • VPD and APEX

    I have a VPD policy in place on a table. The VPD function returns a predicate of the form
    "1=2 or substr('000000010000000000100000000000000000000010000000000000000000001000000000000000000000000000000000000',dept_code,1) = 1"
    The generation of the predicate used to be based on the value returned from upper(sys_context('userenv','session_user')).
    Everything worked fine (in SQL*Plus, Discoverer and TOAD).
    However, I query the same table in APEX and all values returned, i.e. the predicates seem not to have been applied.
    Obviously, the session_user value would not be useful as this would be APEX_PUBLIC_USER for all connections.
    I modified the VPD function to include...
    v_user := upper(sys_context('userenv','session_user'));
    IF v_user='APEX_PUBLIC_USER'
    THEN
    execute immediate 'select NVL(v(''APP_USER''),user) from dual' into v_user;
    END IF;
    HTP.P('VPD Activated');
    Again, running in SQLPLUS, Discoverer, TOAD all is well. But it still doesn't affect the APEX query. Also, I do not see the string 'VPD Activated' being displayed, suggesting that the function is not being run?
    I created a dummy region to query the VPD function from dual....
    select edw_sys.f_vpd_policy('EDW','TEXTILES_REVISED_DSCHED_NOS_WK') test from dual
    and the correct predicate is being returned from the function.
    I know there is a VPD region in the application's security attributes, but as I understand it this is for creating a context, and that is not a requirement in this case.
    Am I missing something?
    Many thanks in advance.
    Rob

    Hi Scott,
    I granted execute any procedure to EDW_SYS and the "v" function is now available!!!!
    I also implemented your code, getting rid of the dynamic sql, so the code is much cleaner now - thanks for that.
    And the VPD policy works very nicely in SQL*Plus, TOAD, Discoverer.....
    BUT....
    Not in APEX :-(
    I have gone through the document you mention, it is fairly straight forward and I believe all steps have been followed.
    Any other suggestions? In parallel of course I am googling away for other possible solutions, but done in conjunction with APEX, the responses all eventually end up pointing to the document you highlighted.
    If I had hair to spare I'd be pulling it out!
    Thanks again,
    Rob

  • One apex application, multiple different users

    Hi all,
    I'm developing an application that will be used by multiple different companies, all with their own data. As far as I can see, there are three different approaches for this:
    - make different applications with different schemas in apex, for each company one
    - 1 application, 1 schema, and distinct the data by using a key for each company in the tables
    - 1 application, multiple schemas, for each company its own schema
    I'm not that experienced in apex, so I don't know what the best approach is for this. Personally, the third option seems the best one for me. But is it difficult to make, and what about security? How can I make sure one company doesn't get to see data from another company?
    I hope my question is clear and I'm looking forward for your comments!
    Tom

    Nope I wouldn't necessarily agree with that; 1 Application and 1 Schema will give you a much lower maintenance overhead. If you have a database licence then you can use Oracle Virtual Private Database (VPD) to secure the DATA for each organisation:
    http://www.oracle.com/technology/obe/obe10gdb/security/vpd/vpd.htm
    There is an excellent example of VPD and Apex in the 'PRO ORACLE APPLICATION EXPRESS' book.
    This approach to application design will also help:
    http://www.oracle.com/technology/pub/articles/bobrowski-saas.html
    Good luck
    Shunt

  • FGAC with APEX 4.0.2?

    I recently threw APEX over an existing database I have to offer some custom reporting for a client. Any SQL Workshop queries or application reports return "no data found" though I can still see plenty in SQL Developer. I assume it has to do with the FGAC applied to my tables. I thought I configured the APEX workspace to use my existing schema as the same user as our application. In fact, a "select username from user_users" shows the user I expected, not APEX_PUBLIC or ANONYMOUS. Is there any special FGAC adjustment necessary for APEX to use FGAC data? I can't find much documentation crossing APEX and FGAC.
    Thanks

    No it's not. There is one paragraph on VPD and it's severely lacking.
    I see some older threads on VPD and APEX but they're full of 404 links and older APEX 2.2 talk.
    I see mentions of APEX's "VPD section" which looks like a page process section. I don't recall ever seeing it. It's definitely not available in the new tree view.
    Thanks for suggesting though.

  • How to detect logged in user

    Hi All,
    I have a scenario like this,
    i have a global report in which some branch codes are available.
    once the end user logged into the system,i want to restrict the report details according to his branch code.
    ex: report details (name,age,address,salary,branch)
    one user login --> branch code is (COL)
    he/she should not be able to view the report details which are related to other branches.
    is there any way to do this using Apex...??? or do i need to handle this through the query...???
    if i need to handle this through a query then i have to detect the login session clearly like login user name.
    Then i can use the name and get the branch code from the login table and pass to the query..i guess im correct ;)
    is this possible to detect the user login name and bring it to a sql query ????
    ex: login name say MAX branch COL
    select * from TABLE_SAMPLE where branch_code=(select branch_code from USER where uname='MAX');
    can anybody give me a hand on this regard.plss..???
    Thanks,
    Max
    Edited by: Max on Dec 6, 2010 4:46 AM

    > he/she should not be able to view the report details which are related to other branches.
    This is known as Fine Grained Access Control (FGAC).
    > is there any way to do this using Apex...??? or do i need to handle this through the query...???
    Both. The best approach is to use Virtual Private Database (VPD), utilizing APEX's built-in VPD security attribute to set the context.
    VPD requires an Enterprise Edition database. In other editions a similar approach can be developed using parameterized views, again setting the context through the APEX VPD security attribute.
    > if i need to handle this through a query then i have to detect the login session clearly like login user name.
    > Then i can use the name and get the branch code from the login table and pass to the query..i guess im correct
    > is this possible to detect the user login name and bring it to a sql query ????
    > ex: login name say MAX branch COL
    > select * from TABLE_SAMPLE where branch_code=(select branch_code from USER where uname='MAX');
    Use the APP_USER built-in substitution string to get the ID of the authenticated user:
    select * from TABLE_SAMPLE where branch_code=(select branch_code from USER where uname= :app_user);

  • Stop parameters from displaying in the URL

    Hi All,
    I've got a simple application with no login required and I have set up the session state protection at the page level.
    Is there any way to not display the parameters within the URL?
    If yes, what security method is better between the session state protection and hiding the params?
    Many thanks

    Javier,
    > What are the normal security recommendations?
    There is a lot to consider when it comes to security. Does your app have sensitive data? Does it run on the internet? How secure does it need to be?
    Determining the level of security you are shooting for is the first step. After that, it is following processes that will get you to what you need. SSP is not enough--you need to consider security in everything you do--in Apex or any other tool.
    As for hiding parameters, you could also use a frame, but the parameters are still there, they are just in a frame. You could also post them instead of using links, but they are still there, just view the source of the page. SSP will keep users from tampering with the URL and a few other things, but it won't keep them from changing post-able items.
    If you have really sensitive data, you should consider your security holistically--database views, VPD, triggers, Apex validations, Apex conditions, Apex Authorization Schemes. Because it is html, the user can modify the html and post the page--you need to consider that. If you don't have (or display) a Delete button, the user can just add one in and post the page. If you have a process that is dependent on a delete button it will run, unless you check to see if it should. This is true for Apex and any other html application.
    This probably poses more questions than it answers, but security is that way--no simple answers.
    Anton

  • How to setup Security and Notification

    Hi, I have developed a small application for call logging. I would like to know the procedure for implementing security and about the notification settings.
    As I am new to this field, Please explain in detail. Any screenshots showing the setups ([email protected]) would be highly appreciated.
    The key features and procedures of the application -
    a) Users will be given individual user ids and passwords to raise calls on a particular department
    b) Each department has a call manager who will assign the call to a technician
    c) The technician will resolve the call and update the status
    d) The user will close the call and provide feedback
    Structure -
    1 table for maintaining users / employees - 1 Page - Report & Form
    1 table to manage call manager department wise - 1 Page - Report & Form
    1 table for calls (raise, assign, resolve) - multiple report and form pages (one for logging, one for assigning, one for resolving and one for feedback with only the relevant columns of the table) - I have created multiple forms so that a call cannot be modified by a subsequent user)
    My Requirement:
    1. The user should view only the calls raised by him/her (User1 should not view the calls raised by user2)
    2. The technician should view the call raised by him/her (user role) and also can view the calls assigned to him/her
    3. The Call manager can view the calls raised by him (user role) and also can view the calls raised on his department
    4. Notification: E-mail should be fired at each event only to the concerned people attached to the call (user, call manager, technician)
    Please guide me in setting up the above features.
    Regards,
    Sandeep

    user4441274 wrote:
    > Hi
    Welcome to the forum: please read the FAQ and forum sticky threads (if you haven't done so already), and update your profile with a real handle instead of "user4441274".
    When you have a problem you'll get a faster, more effective response by including as much relevant information as possible upfront. This should include:
    - Full APEX version
    - Full DB/version/edition/host OS
    - Web server architecture (EPG, OHS or APEX listener/host OS)
    - Browser(s) and version(s) used
    - Theme
    - Template(s)
    - Region/item type(s)
    With APEX we're also fortunate to have a great resource in apex.oracle.com where we can reproduce and share problems. Reproducing things there is the best way to troubleshoot most issues, especially those relating to layout and visual formatting. If you expect a detailed answer then it's appropriate for you to take on a significant part of the effort by getting as far as possible with an example of the problem on apex.oracle.com before asking for assistance with specific issues, which we can then see at first hand.
    > My Requirement:
    > 1. The user should view only the calls raised by him/her (User1 should not view the calls raised by user2)
    > 2. The technician should view the call raised by him/her (user role) and also can view the calls assigned to him/her
    > 3. The Call manager can view the calls raised by him (user role) and also can view the calls raised on his department
    This is known as Fine Grained Access Control (FGAC) and is normally implemented using either views or Oracle's Virtual Private Database (VPD) feature.
    If you're licensed to use an Enterprise Edition database and want to apply these restrictions across the entire application, or across multiple applications, then use Virtual Private Database (VPD). In APEX 4.1 you can set up/tear down the security context using the Initialization PL/SQL Code/Cleanup PL/SQL Code attributes. In earlier versions the set up attribute is termed Virtual Private Database (VPD), and there is no tear down option. (A somewhat out of date article on using VPD with APEX is available.)
    Should you not be using EE, then you can roll your own VPD using parameterized views, again using the VPD security attribute to set the required application context.
    > 4. Notification: E-mail should be fired at each event only to the concerned people attached to the call (user, call manager, technician)
    Build the application using PL/SQL package APIs that provide transactional procedures for raising, assigning, resolving calls etc. These will encapsulate all the required functionality, including sending email notifications when the transaction is complete. APEX form regions can be created on top of these API procedures.
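
    The view-plus-application-context approach that this reply and John's earlier reply describe for editions without VPD, applied to requirements 1 to 3 above; this is an added example, not code from the thread. The tables CALLS and CALL_MANAGERS, the context CALLS_CTX and the package CALLS_CTX_PKG are assumed names, and the rows are constructed sample data.

```sql
-- Added example. All object names are hypothetical; sample rows are constructed.
-- Run as the APEX parsing schema; creating the context needs CREATE ANY CONTEXT.
CREATE TABLE calls (
  call_id     NUMBER PRIMARY KEY,
  raised_by   VARCHAR2(255) NOT NULL,   -- APEX user who logged the call
  assigned_to VARCHAR2(255),            -- technician, once assigned
  dept_id     NUMBER NOT NULL,
  status      VARCHAR2(20) DEFAULT 'OPEN'
);
CREATE TABLE call_managers (
  dept_id      NUMBER PRIMARY KEY,
  manager_user VARCHAR2(255) NOT NULL
);

-- The context can only be written through the package named in USING.
-- A direct DBMS_SESSION.SET_CONTEXT call from any other code is rejected.
CREATE OR REPLACE CONTEXT calls_ctx USING calls_ctx_pkg;

CREATE OR REPLACE PACKAGE calls_ctx_pkg AS
  PROCEDURE set_user (p_user IN VARCHAR2);
  PROCEDURE clear;
END calls_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY calls_ctx_pkg AS
  PROCEDURE set_user (p_user IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('CALLS_CTX', 'APP_USER', UPPER(p_user));
  END set_user;

  PROCEDURE clear IS
  BEGIN
    DBMS_SESSION.CLEAR_ALL_CONTEXT('CALLS_CTX');
  END clear;
END calls_ctx_pkg;
/

-- Requirement 1: calls the user raised.
-- Requirement 2: plus calls assigned to the user (technician).
-- Requirement 3: plus calls raised on a department the user manages.
-- With no context set, SYS_CONTEXT returns NULL, every comparison is
-- unknown, and the view returns no rows.
CREATE OR REPLACE VIEW calls_v AS
SELECT c.call_id, c.raised_by, c.assigned_to, c.dept_id, c.status
FROM   calls c
WHERE  c.raised_by   = SYS_CONTEXT('CALLS_CTX', 'APP_USER')
   OR  c.assigned_to = SYS_CONTEXT('CALLS_CTX', 'APP_USER')
   OR  EXISTS (SELECT 1
               FROM   call_managers m
               WHERE  m.dept_id      = c.dept_id
               AND    m.manager_user = SYS_CONTEXT('CALLS_CTX', 'APP_USER'));

-- In APEX, build reports and forms on CALLS_V and set the context per request:
--   Initialization PL/SQL Code (4.1) / VPD attribute (earlier): calls_ctx_pkg.set_user(:APP_USER);
--   Cleanup PL/SQL Code (4.1):                                  calls_ctx_pkg.clear;
-- Do not grant EXECUTE on CALLS_CTX_PKG or any privilege on CALLS to end-user
-- accounts: whoever can call set_user can choose whose rows they see.

INSERT INTO call_managers VALUES (10, 'MGR1');
INSERT INTO calls VALUES (1, 'USER1', NULL,    10, 'OPEN');
INSERT INTO calls VALUES (2, 'USER2', 'TECH1', 10, 'ASSIGNED');
INSERT INTO calls VALUES (3, 'TECH1', NULL,    20, 'OPEN');
COMMIT;

BEGIN calls_ctx_pkg.set_user('user1'); END;
/
SELECT call_id FROM calls_v ORDER BY call_id;   -- call 1
BEGIN calls_ctx_pkg.set_user('tech1'); END;
/
SELECT call_id FROM calls_v ORDER BY call_id;   -- calls 2 and 3
BEGIN calls_ctx_pkg.set_user('mgr1'); END;
/
SELECT call_id FROM calls_v ORDER BY call_id;   -- calls 1 and 2
BEGIN calls_ctx_pkg.clear; END;
/
SELECT COUNT(*) FROM calls_v;                   -- 0: no context, no rows
```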

  • APEX VPD Implementation for Web Site - Please Help

    Hi Folks.
    I want to do the following...
    I have an APEX website which has both INTERNAL and EXTERNAL users.
    The INTERNAL users (employees) should be able to see all data in all tables.
    The EXTERNAL users (clients) should only see their own data within the same tables.
    The intention here is to enforce the data that employees and clients can interact with using VPD.
    Within the application we have our own CONTACT table that will be used by our system for controlling user-access. Only Valid system users will have an entry in the CONTACT table. Currently, this is partially enforced by APEX.
    It is also, our intention that all the users of our APEX system, connect to the database as a single user – currently APP_PUBLIC_USER. As we do not want the overhead of database user account management.
    Note in the future we hope to integrate the APEX system with Oracle Business Intelligence (BI).
    VPD
    If we create a DATABASE account with the same username as that stored in our own CONTACT table and connect using SQL/PLUS then the VPD policy is successful.
    When we connect using APEX we are able to authenticate the APEX username is in our own CONTACT table but we cannot pass the APEX username to the database for testing with regards the VPD policy. It is always APEX_PUBLIC_USER as far as the database is concerned.
    The username as far as the database is concerned is always APEX_PUBLIC_USER.
    As such we cannot distinguish between the users.
    We have tried setting an oracle application context (XXX_App_CTX) that has an attribute ‘USER_NAME’ with value of :APP_USER in the APEX application. This was done in the Apex VPD security section. We’ve queried the value when running the APEX application and the value displays correctly.
    But on the database the value of USER_NAME appears as null.
    How can we pass the APEX user name to the database for the purposes of enforcing VPD?
    Also, we have a database on-logon trigger which initialises application contexts attributes/values that are used to implement our VPD, see below.
    Any suggestions?
    Note : DEVYYY is the schema owner.
    DECLARE
      -- Fetch valid user information which is required for set the application
      -- context.
      CURSOR csr_user_info (cp_user_name IN VARCHAR2) IS
        SELECT con.contact_id
              ,con.master_entity_id
        FROM   DEVYYY.contact con
        WHERE  con.user_name = cp_user_name ;
      r_user_info csr_user_info%ROWTYPE;
      v_user VARCHAR2(30);
    BEGIN
      IF v('APP_USER') != 'APEX_PUBLIC_USER' AND
         v('APP_USER') IS NOT NULL THEN
        v_user := v('APP_USER');
      ELSE
        v_user := UPPER(SYS_CONTEXT('USERENV','SESSION_USER'));
      END IF;
      v_user := SYS_CONTEXT('XXX_App_CTX','user_name') ;
      -- Validate/Authenticate that the user exists in the contacts table
      OPEN csr_user_info (cp_user_name => v_user );
      FETCH csr_user_info INTO r_user_info;
      CLOSE csr_user_info;
      -- Set application context for a valid user, else set the the context
      -- to invalid.
      IF r_user_info.contact_id IS NOT NULL THEN
        DEVYYY.XXX_app_CTX_mgr.set_contact_id_CTX(p_contact_id => r_user_info.contact_id );
        DEVYYY.XXX_app_CTX_mgr.set_user_name_CTX (p_user_name => v_user);
        DEVYYY.XXX_app_CTX_mgr.set_master_entity_id_CTX(p_master_entity_id => r_user_info.master_entity_id);
      ELSE
        -- invalid user, i.e does not exist in .contact table.
        DEVYYY.XXX_app_CTX_mgr.set_contact_id_CTX(p_contact_id => -99 );
        DEVYYY.XXX_app_CTX_mgr.set_user_name_CTX(p_user_name => 'INVALID_USER');
        DEVYYY.XXX_app_CTX_mgr.set_master_entity_id_CTX(p_master_entity_id => -99);
      END IF;
    EXCEPTION
      WHEN OTHERS THEN
        RAISE_APPLICATION_ERROR(-20001, 'ON-LOGON TRG Error: ' ||SQLERRM);
    END trg_db_logon;

    Contexts are only valid for a session, but every page view in an APEX application is essentially a new session. Take a look at global application contexts as they persists across sessions. You could also set some type of role info in an APEX item and reference it via PL/SQL from your VPD policy function.
    Tyler
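
    One way to follow the suggestion of referencing APEX state from the VPD policy function instead of relying on a logon trigger, added here as an example and not taken from the thread: the function resolves the end user each time the policy is evaluated and returns no rows when it cannot. CLIENT_ORDER, the IS_INTERNAL column and the function name are hypothetical, CONTACT is a constructed stand-in for the poster's table, and the code assumes APEX is installed so that v() resolves.

```sql
-- Added example. CLIENT_ORDER, IS_INTERNAL and CLIENT_DATA_POLICY are
-- hypothetical names; CONTACT below is a constructed stand-in that reuses the
-- column names shown in the question.
CREATE TABLE contact (
  contact_id       NUMBER PRIMARY KEY,
  master_entity_id NUMBER,
  user_name        VARCHAR2(255) UNIQUE,
  is_internal      VARCHAR2(1) DEFAULT 'N' NOT NULL   -- 'Y' = employee
);
CREATE TABLE client_order (
  order_id         NUMBER PRIMARY KEY,
  master_entity_id NUMBER NOT NULL,
  details          VARCHAR2(100)
);

CREATE OR REPLACE FUNCTION client_data_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  l_user     VARCHAR2(255);
  l_entity   contact.master_entity_id%TYPE;
  l_internal contact.is_internal%TYPE;
BEGIN
  -- Inside an APEX request v('APP_USER') is the authenticated APEX user.
  -- Outside APEX it is NULL, so fall back to the database session user
  -- (covers SQL*Plus and other direct connections).
  l_user := UPPER(NVL(v('APP_USER'), SYS_CONTEXT('USERENV', 'SESSION_USER')));

  BEGIN
    SELECT master_entity_id, is_internal
    INTO   l_entity, l_internal
    FROM   contact
    WHERE  user_name = l_user;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN '1=2';          -- unknown user (e.g. APEX_PUBLIC_USER): no rows
  END;

  IF l_internal = 'Y' THEN
    RETURN NULL;             -- employees: no extra predicate, all rows
  END IF;

  IF l_entity IS NULL THEN
    RETURN '1=2';            -- client without an entity: no rows
  END IF;

  -- l_entity is a NUMBER read from CONTACT, never user-supplied text.
  RETURN 'master_entity_id = ' || TO_CHAR(l_entity);
END client_data_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA'),
    object_name     => 'CLIENT_ORDER',
    policy_name     => 'CLIENT_ORDER_POLICY',
    function_schema => SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA'),
    policy_function => 'CLIENT_DATA_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,               -- DML cannot move rows out of scope
    policy_type     => DBMS_RLS.DYNAMIC);  -- re-run the function every time
END;
/

-- The policy is not applied to SYS or to accounts holding EXEMPT ACCESS POLICY.
-- A DBA can list such accounts with:
--   SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```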

  • Is there a problem with APEX Application Processes and VPD?

    I have a table that has a policy function. When I select from the table straight from the page it seems to be only returning the appropriate rows for the user.
    But, when I select from the same table using an application process (On-Demand), PL/SQL Block.
    BEGIN
      OWA_UTIL.mime_header ('text/xml', FALSE);
      HTP.p ('Cache-Control: no-cache');
      HTP.p ('Pragma: no-cache');
      OWA_UTIL.http_header_close;
      HTP.prn ('<select>');
      FOR c IN (SELECT '1' o,
                       name || ' (' || school || ')' d,
                       pk_id r
                FROM sch_base
                WHERE pk_id = nvl(:REFRESH_LOV_PK_ID,'null')
                UNION
                SELECT '2' o,
                       '%' d,
                       '%null%' r
                FROM dual
                UNION
                SELECT '3' o,
                       name || ' (' || school || ')' d,
                       pk_id r
                FROM sch_base
                WHERE pk_id <> nvl(:REFRESH_LOV_PK_ID,'null')
                ORDER BY 1,2)
      LOOP
        HTP.prn ('<option value="' || c.r || '">' ||
                 c.d || '</option>');
      END LOOP;
      HTP.prn ('</select>');
    END;
    It returns all rows in the table.

    This is the policy on my table:
    begin
    dbms_rls.add_policy(
    object_schema => 'SIS_EXPRESS',
    object_name => 'SCH_BASE',
    policy_name => 'SCH_BASE Policy',
    function_schema => 'SIS_EXPRESS',
    policy_function => 'VPD_SCH_BASE',
    statement_types => 'select');
    end;
    I have a function VPD_SCH_BASE which set the where condition for the SCH_BASE table.
    It works for a simple list values select, but not when this Application Process is run.

  • Adding "data owner" schema to apex workspace provided unexpected results

    Recently I added a "data owner" schema to an existing apex workspace thinking it was a good idea.
    As stated...
    the schema that I added was a "data owner" schema and I was only supposed to have select capability for apex reporting.
    After the schema was added to the workspace I felt I had owner privs on all of the schema objects and
    could create objects and insert and update table records.
    Needless to say... this is something that I do not want to do with this particular "data owner" schema BUT...
    this is something that I feel is really good.
    i.e. The Object Browser and Model are some excellent examples of the apex tool. :)
    I would just like to remove/block the insert/update capability against this particular schema from my workspace.
    Any ideas on how to remove the update capability from my workspace or is it even possible?
    thanks in advance... :)
    v/r
    RJones

    Ah, thanks I didn't see that section before.
    I put the procedure details in the box; declaring the variables and the code to determine the context values
    Logged in as a user and again as the schema owner (both with admin privs) I get this error back:
    ORA-01031: insufficient privileges
    Error ERR-1181 Unable to set VPD security context on page show.
    This is my procedure:
    Declare
      V_COUNT        NUMBER;
      V_PRJ_USERNAME VARCHAR2(30);
      V_USERID       NUMBER;
      V_PRJROLE      VARCHAR2(30);
    BEGIN
      -- sets user name
      V_PRJ_USERNAME := v('APP_USER');
      V_PRJROLE := 'NO_ACCESS';
      BEGIN
        --gets user id from staff table
        SELECT staf_id
        INTO V_USERID
        FROM PRJ_STAFF
        WHERE staff_oracle_name = V_PRJ_USERNAME;
        Select count(*)
        into v_count
        FROM DBA_ROLE_PRIVS
        WHERE GRANTEE = V_PRJ_USERNAME
        AND GRANTED_ROLE='PRJJ_GUEST_RL';
        if v_count > 0 then
          V_PRJROLE := 'GUEST';
        end if;
        Select count(*)
        into v_count
        FROM DBA_ROLE_PRIVS
        WHERE GRANTEE = V_PRJ_USERNAME
        AND GRANTED_ROLE='PRJJ_DEVELOPER_RL' ;
        if v_count > 0 then
          V_PRJROLE := 'DEVELOPER';
        end if;
        Select count(*)
        into v_count
        FROM DBA_ROLE_PRIVS
        WHERE GRANTEE = V_PRJ_USERNAME
        AND GRANTED_ROLE='PRJJ_MANAGER_RL' ;
        if v_count > 0 then
          V_PRJROLE := 'MANAGER';
        end if;
        Select count(*)
        into v_count
        FROM DBA_ROLE_PRIVS
        WHERE GRANTEE = V_PRJ_USERNAME
        AND GRANTED_ROLE='PRJJ_ADMIN_RL' ;
        if v_count > 0 then
          V_PRJROLE := 'ADMIN';
        end if;
        -- pass the variables themselves, not their names as string literals
        DBMS_SESSION.SET_CONTEXT('PRJ_SEC_PKG','USER_NAME',V_PRJ_USERNAME);
        DBMS_SESSION.SET_CONTEXT('PRJ_SEC_PKG','USER_ID',V_USERID);
        DBMS_SESSION.SET_CONTEXT('PRJ_SEC_PKG','USER_ROLE',V_PRJROLE);
      END;
    END;
    Is there something wrong with my procedure?
    Edited by: JodyMorin on Mar 27, 2009 6:23 AM

  • Login from ebs to apex directly .

    Hi All,
    I have been using the Cabot consulting paper for login to apex from ebs directly .
    i placed the following code as onload process
    BEGIN
      wfa_sec.getsession(:P101_USERNAME);
      :P101_PASSWORD :=
        XXAPX_SECURITY_PKG.generate_hash(FND_GLOBAL.user_name);
      IF :P101_PASSWORD IS NOT NULL THEN
        APEX_CUSTOM_AUTH.login(
          P_UNAME      => :P101_USERNAME,
          P_PASSWORD   => :P101_PASSWORD,
          P_SESSION_ID => v('APP_SESSION'),
          P_APP_PAGE   => :APP_ID||':1'
        );
      END IF;
    EXCEPTION WHEN OTHERS THEN NULL;
    END;
    But the wfa_sec.getsession(:P101_USERNAME); is not working properly , its redirecting me to ERP home page .
    Kindly! help me.
    Regards,
    Nandini Thakur.

    This is how we do it...
    1) Call a function from apps, passing in the app number and page separated by a pipe symbol:
      PROCEDURE launch_application(app_page IN VARCHAR2)
      IS
        l_url          VARCHAR2(256);
        l_page         NUMBER;
        c              OWA_COOKIE.cookie;
        l_application  NUMBER;
      BEGIN
        l_application  := TO_NUMBER(SUBSTR(app_page, 1, INSTR(app_page, '|') - 1));
        l_page         := TO_NUMBER(SUBSTR(app_page, INSTR(app_page, '|') + 1));
        OWA_UTIL.mime_header('text/html', FALSE);
        OWA_COOKIE.send(
          name     => 'APEX_EBS_' || l_application,
          VALUE    =>   fnd_global.user_name
                     || ':'
                     || generate_hash(fnd_global.user_name)
                     || ':'
                     || fnd_global.user_id
                     || ':'
                     || fnd_global.resp_id
                     || ':'
                     || fnd_global.resp_appl_id
                     || ':'
                     || fnd_global.resp_name
                     || ':'
                     || fnd_global.application_short_name,
          expires  => SYSDATE + 1 / (24 * 60 * 6), --Expire in 10 seconds
          PATH     => '/'
        );
        l_url          :=
             fnd_profile.VALUE('APPS_FRAMEWORK_AGENT')
          || '/pls/apex/f?p='
          || l_application
          || ':'
          || l_page
          || '::LAUNCH';
        OWA_UTIL.redirect_url(l_url);
      END launch_application;
    Then the APEX login page has an on-header process:
    DECLARE
      c OWA_COOKIE.cookie;
      a wwv_flow_global.vc_arr2;
    BEGIN
      c:=OWA_COOKIE.get('APEX_EBS_'||:APP_ID);
      a:=apex_util.string_to_table(c.vals(1));
      :P101_USERNAME:=a(1);
      :P101_PASSWORD:=a(2);
      :GBL_USER_ID:=a(3);
      :GBL_RESP_ID:=a(4);
      :GBL_RESP_APPL_ID:=a(5);
      :GBL_RESP_NAME := a(6);
      :GBL_APPLICATION_SHORT_NAME:=a(7);
      wwv_flow_custom_auth_std.login(
        P_UNAME       => :P101_USERNAME,
        P_PASSWORD    => :P101_PASSWORD,
        P_SESSION_ID  => v('APP_SESSION'),
        P_FLOW_PAGE   => :APP_ID||':1'
      );
    EXCEPTION WHEN OTHERS THEN NULL;
    END;
    We set up the global variables you see above.
    We then have an authentication scheme which calls an authentication function:
    RETURN xxfnd_apps_to_apex_pk.authorise_user
    which looks like this:
      FUNCTION authorise_user(
        p_username  IN VARCHAR2,
        p_password  IN VARCHAR2
      )
        RETURN BOOLEAN
      IS
      BEGIN
        IF fnd_web_sec.validate_login(p_username, p_password) = 'Y' --This part not really required but kept in for compatibility
        OR validate_hash(p_username, p_password) THEN
          RETURN TRUE;
        ELSE
          RETURN FALSE;
        END IF;
      END;
    Our validate hash function is checking hashes over a period of time against the calculated hash. This means that the hash is only valid within 10 seconds of being generated - makes things more secure. We also use a salt value which is based on a hash of the apps password. You will have to choose what level of complexity to go into.
    Then we have a VPD entry in the APEX Application Security definition:
    BEGIN
        fnd_global.apps_initialize(NVL(:gbl_user_id,0),
                                 NVL(:gbl_resp_id,0),
                                 NVL(:gbl_resp_appl_id,0)
        );
    END;
    This ensures that apps context is maintained throughout the application.
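Added example, not part of the original post and not the poster's validate_hash: one way a time-windowed check like the one described above can be written. It assumes the launching side sends HMAC-SHA256(key, UPPER(username) || ':' || epoch second) as 64 hex characters; the function name, token layout, key parameter and the use of DBMS_CRYPTO (HMAC_SH256 needs Oracle 12c or later and an EXECUTE grant) are all assumptions.

```plsql
-- Hypothetical stand-in for a validate_hash routine (illustration only).
CREATE OR REPLACE FUNCTION validate_hash_example(
  p_username IN VARCHAR2,
  p_token    IN VARCHAR2,               -- hex token received in the password slot
  p_key      IN RAW,                    -- shared secret; where it comes from is an assumption
  p_window   IN PLS_INTEGER DEFAULT 10  -- seconds a token stays valid
) RETURN BOOLEAN
IS
  l_now   NUMBER;
  l_given RAW(32);
  l_calc  RAW(32);
  l_match BOOLEAN := FALSE;
BEGIN
  -- Fail closed on anything that is not exactly 64 hex characters.
  IF p_username IS NULL
     OR p_token IS NULL
     OR NOT REGEXP_LIKE(p_token, '^[0-9A-Fa-f]{64}$')
  THEN
    RETURN FALSE;
  END IF;
  l_given := HEXTORAW(p_token);

  -- Current UTC time as whole seconds since 1970-01-01.
  l_now := TRUNC((CAST(SYS_EXTRACT_UTC(SYSTIMESTAMP) AS DATE)
                  - DATE '1970-01-01') * 86400);

  -- Recompute the MAC for every second in the window and compare.
  FOR i IN 0 .. p_window LOOP
    l_calc := DBMS_CRYPTO.MAC(
                src => UTL_I18N.STRING_TO_RAW(
                         UPPER(p_username) || ':' || TO_CHAR(l_now - i),
                         'AL32UTF8'),
                typ => DBMS_CRYPTO.HMAC_SH256,
                key => p_key);
    IF UTL_RAW.COMPARE(l_calc, l_given) = 0 THEN
      l_match := TRUE;  -- no early exit: the loop always runs the full window
    END IF;
  END LOOP;

  RETURN l_match;
END validate_hash_example;
/
```

A token accepted this way can be replayed until the window closes; making it single-use requires recording each accepted token for the length of the window.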

  • Oracle dbms.set_role does not work in APEX application

    Hi, in our J2EE applications, we use a secure application role. Basically, the data source uses the app user schema to connect to the database. The app user only has the create session privilege. The database logon trigger will copy a set of attributes to the local secure context (IP address, session user, client id, application name). The applications explicitly invoke the stored procedure sec_mgr.set_role before any DMLs are executed.
    sec_mgr.set_role will check the local context attributes, authorize the IP and application name, and set an appropriate role for this session based on the session user.
    We want to apply the same framework to the APEX application. First, we change the parsing schema to the app schema, which only has the create session privilege. Then we put the PL/SQL code in which sec_mgr.set_role is called in the application builder --> shared components ---> edit security attribute ---> Virtual Private Database (VPD).
    However, we got the error ORA-06565: cannot execute SET ROLE from within stored procedure
    sec_mgr.set_role is defined with invoker's rights (AUTHID CURRENT_USER).
    Am I missing something in APEX to get it to work?
    Thanks

    Please explain how it does not work in APEX. Is the application updating tables that have a trigger? APEX does NOT override trigger actions. Is it possible the values your trigger is looking for are NOT available in your APEX application? Can you post the trigger code here for review?
    Thank you,
    Tony Miller
    Webster, TX

  • #OWNER# in APEX 4.0 - inconsistent value - possible bug

    There is some inconsistency in how APEX 4.0 treats #OWNER# and &OWNER.. I believe that these variables should always have identical values (value of apex_application.g_flow_owner) but this is not always the case with #OWNER# - it is sometimes treated as the default parsing schema of the application and sometimes as apex_application.g_flow_owner. This behaviour is new in APEX 4.0 - in APEX 3.2.1 it works consistently as expected.
    Please see the example here: http://apex.oracle.com/pls/apex/f?p=16136:1
    Regards,
    Jure

    Hi Joel,
    > Is there an occasion when these should be different values?
    I see your point that both of these values should always be the same. However, if someone wants to implement a hosting solution with multiple schemas (without VPD for any reason), this would be a neat solution: the default parsing schema of the application always stays the same, but the value of apex_application.g_flow_owner could be different for each page load.
    I believe that many people would find this solution very useful since VPD is only available in EE, which is expensive and small companies can't afford it.
    > Are you attempting to set this global variable yourself?
    Yes. My idea is to set this variable in a before-header process in order to change parsing schema dynamically. I got the idea from Roel here: {thread:id=1088599}. I would like to use this solution for hosting purposes with one schema for each customer. I know VPD is the best option here but the company only has SE licence so VPD is not available.
    I have tested the functionality (see the link in the first post of this thread) with satisfactory results on APEX 3.2.1. However, in version 4.0 there is a change in automatic row fetch/processing.
    For example, my fetch row process is defined as:
        F|#OWNER#:MY_TABLE:P1_ID:ID
    In APEX 3.2.1, #OWNER# will be replaced with the value of apex_application.g_flow_owner, but in 4.0 it will be replaced with the default parsing schema, which can't be changed dynamically. This is inconsistent with report regions, where #OWNER# is replaced with apex_application.g_flow_owner. What it also means is that I can no longer use this process with multiple schemas, UNLESS I hack it in to look like this:
        F|&OWNER.:MY_TABLE:P1_ID:ID
    This solution works in 4.0.
    So I guess what I want to ask is: is there a chance that in a future APEX release all occurrences of #OWNER# in an application could always be replaced with the same value - possibly the one from apex_application.g_flow_owner?
    Jure
