10

th
Anniversary 1999 - 2009


Many-to-One: Managing
Multiple APEX Applications
Scott Spendolini, Sumner Technologies
2
General Announcements
Please turn off all cell phones/pagers
If you must leave the session early, please do
so as discreetly as possible
Please avoid side conversations during the
session
Thank you for your cooperation!
3
About Me
Scott Spendolini
scott@sumnertechnologies.com
Ex-Oracle Employee of 10 years
Senior Product Manager for Oracle APEX
from 2002 through 2005
Founded Sumner Technologies
in October 2005
Oracle Ace Director
Co-Author,
Pro Oracle Application Express
Scott on OTN Forums
4
Agenda
Overview
APEX Components
Database Objects
The Framework
Demonstration
Summary
5
Overview
6
Has This Happened to You?
Youve adopted APEX in your organization
Based on a pilot project of a application or two
It becomes successful. Wildly successful.
APEX applications are popping up all over the place,
leaving useless spreadsheets and desktop databases
in their wake
Others start to develop with APEX
And start to release their own applications
All of a sudden, your Access & Excel mess has
simply moved from the client to the server
7
Common Early APEX Adoption Issues
Multiple user accounts for the same person
Some use APEX credentials, some use LDAP, others
may use something else
No single point of account management
Because of the scattered nature of user accounts, it is
difficult - if not impossible - to manage all accounts for a
single user
No centralized role management
Impossible to tell which privileges a user has
Each application deals with role management in its own
different way
8
The Solution
Develop and implement a centralized
Framework which manages:
Application Definitions
Roles
Users
User to Role Mappings
Other Components
Themes/Templates
Common Regions
Navigation Bar Entries
9
Framework Components
The Framework should provide:
Single Sign On
Single Point of User & Role Management
Be extensible, yet simple
Take advantage of APEX components as much as
possible
Easy to integrate
New Development
Existing Applications
10
Framework Components
The Framework can also incorporate a number
of other components useful for building multiple
APEX applications
Themes/Templates
Associated Images & Cascading Style Sheets
Navigation Bar Entries
Lists of Values
Shortcuts
11
Less is More
Most importantly, the framework should also be
easy for developers to use and extend as
well as transparent to your users
12
APEX Components
13
APEX Components
Most of what is required can be achieved with
APEX components
Very little custom code
Which is almost 100% PL/SQL
Important to understand how the APEX
components work before trying to grasp the
solution as a whole
14
APEX Components
Shared Components
Authentication Schemes
Authorization Schemes
Navigation Bar Entries
Templates & Themes
Page Zero
APEX View
APEX_APPLICATIONS
Application Items & APEX_UTIL API
APEX_UTIL.FETCH_APP_ITEM
15
Shared Components
16
Shared Components
APEX components that can be shared:
Within a single application
In some cases, within multiple applications within a
single workspace via Subscriptions
Little known, less publicized underrated feature of
APEX
Subscriptions are the cornerstone of the
Framework
17
Subscriptions
Feature of APEX that allow you to link shared
components from one application to another
within a workspace
When changes are made to the parent component,
they can be pushed (published) or pulled (refreshed)
to/by the child component
Allows changes of Shared Components to be
centralized and easily synchronized amongst
multiple applications
18
Subscriptions
Subscriptions work only within a single
APEX Workspace
Application IDs must be preserved when moving the
framework from one instance of APEX to another
Otherwise, all links will be broken
But the applications will still work
19
Subscribe-able Shared Components
20
Authentication Schemes
APEX mechanism used to authenticate a user
APEX contains a number of built-in schemes:
LDAP
Oracle Single Sign On
APEX Credentials
Database
Open Door
Custom
None
21
Authentication Schemes
The Framework uses a Custom Authentication
Scheme
Stores usernames and hashed passwords in an Oracle table
Easiest to demonstrate
Does not require an additional server
APEX Authentication is typically a one-time event
APEX doesnt care HOW you authenticate, just that you DO
authenticate
Thus, it would be trivial to change the Authentication Scheme
to LDAP, for instance
More robust approach for enterprise user management
22
Authorization Schemes
What do you have access to?
Can be associated with almost every APEX
Component
Application
Page
Region
Item
Report Column
When scheme evaluates to TRUE, item renders or
process executes
23
Authorization Scheme Types
Several different types
Exists/Not Exists SQL Query
Item is NULL/NOT NULL
Item Comparison
PL/SQL Function
Evaluation Point
Per Page View vs. Per Session
24
Navigation Bar Entries
Links that appear on almost every page
Typically used for common navigation control
Home
My Account
Login/Logout
Can link to either:
Page
URL
25
Themes & Templates
Themes are collections of Templates
Templates make up the UI of an application
APEX ships with 20 pre-built Themes
You can use one of them or make your own
Less is More
Recommend deleting 2/3 of the provided templates from
any theme
Will enforce consistency among your developers,
causing your applications to look similar regardless of
who developed them
26
Importance of Good Design
Good design helps to convey credibility
If you spend time on the design, then surely you also
spent time on making the application work well
Poor design leaves users wondering what other
corners were cut
If the design is bad, the application must be worse!
Perception is reality, more often than not
Phishing sites strive to look like those they are
mimicing
27
Page Zero
Page Zero is a special page
Only contains Page Rendering UI components
(Regions, Buttons & Items)
Does not include Computations or Processes
Items on Page Zero display on ALL pages in
APEX unless conditionally restricted to do
otherwise
28
Page Zero
Common Uses:
Breadcrumb Regions
Lists
Common Regions/Reports
JavaScript Libraries
29
Page Zero
30
APEX Views
Set of pre-created views which provide access to
the APEX metadata
Utilities > APEX Views
List of all views and descriptions of their columns
Can also be accessed via SQL Developer
Views can be incorporated into your own
applications
Reuse APEX metadata to supplement your application's
data
Use to render a list of Applications and their properties
rather than maintaining your own parallel list
31
APEX_UTIL API
Application Items cannot technically be
subscribed to from other applications
However, you can determine the value of any
APEX Application Item in any application in the
same workspace by using the API:
APEX_UTIL.FETCH_APP_ITEM
Not well documented, but definitely supported
APEX_UTIL.FETCH_APP_ITEM( p_item
IN VARCHAR2, p_app IN NUMBER
DEFAULT NULL, p_session IN NUMBER
DEFAULT NULL) RETURN VARCHAR2;
32
Database Objects
33
Database Objects
Application Definitions, Users, Roles and Role
Assignments are all managed in a set of tables
Could use LDAP to do the same and retrofit into the framework
relatively easily
Schema Objects consist of:
1 Context
4 Tables
8 Triggers
2 Views
1 Package
4 Functions & 2 Procedures
34
ER Diagram
ST_ROLE_USERS
ST_ROLES
ST_USERS
ST_APPLICATIONS
35
ST_APPLICATIONS
Stores metadata about each application that is a
part of the framework
Most data about an application will be derived from
the APEX_APPLICATION view
ST_APPLICATIONS
------------------------------------------------------
APPLICATION_ID NOT NULL NUMBER
ACTIVE_FLAG NOT NULL VARCHAR2(1)
DESCRIPTION VARCHAR2(4000)
CREATED_BY NUMBER
CREATED_ON DATE
UPDATED_BY NUMBER
UPDATED_ON DATE
36
ST_USERS
Stores user information, such as USER_ID,
USER_NAME and hashed PASSWORD
Triggers will automatically hash the password and
store the hash, not the actual password
ST_USERS
-----------------------------------------------------
USER_ID NOT NULL NUMBER
USER_NAME NOT NULL VARCHAR2(255)
PASSWORD NOT NULL VARCHAR2(255)
EXPIRES_ON DATE
CREATED_BY NUMBER
CREATED_ON DATE
UPDATED_BY NUMBER
UPDATED_ON DATE
37
ST_ROLES
Stores the roles for a given application
Roles are related via a parent-child relationship
Not used in this demo, but could be activated
ST_ROLES
------------------------------------------------------
ROLE_ID NOT NULL NUMBER
PARENT_ROLE_ID NUMBER
APPLICATION_ID NOT NULL NUMBER
ROLE_NAME NOT NULL VARCHAR2(255)
ROLE_KEY NOT NULL VARCHAR2(255)
DESCRIPTION VARCHAR2(4000)
CREATED_BY NUMBER
CREATED_ON DATE
UPDATED_BY NUMBER
UPDATED_ON DATE
38
ST_ROLE_USERS
Intersect table that links Roles to Users
ST_ROLE_USERS
----------------------------------------------
ROLE_USER_ID NOT NULL NUMBER
ROLE_ID NOT NULL NUMBER
USER_ID NOT NULL NUMBER
CREATED_BY NUMBER
CREATED_ON DATE
UPDATED_BY NUMBER
UPDATED_ON DATE
39
Packages
ST_FWK
PROCEDURE logout
PROCEDURE set_ctx
FUNCTION hash_pw
FUNCTION auth_user
FUNCTION app_gatekeeper
FUNCTION role_member
40
Views
Two views that assist in simplifying the
interaction with the data model
ST_ROLE_USERS_V
Lists all active roles for a the currently signed on
user
ST_USER_APPLICATIONS_V
Lists all active applications that any user has at
least
one active role in
41
Context
st_fwk_ctx
Context created to store the G_USER_ID parameter
42
The Framework
43
Framework Applications
Four applications make up the core framework
Shared Components Master (999)
Will never be run, but its shared components are
used by all other applications
Starter Application (998)
Will never be run, but used to clone all additional
applications
Launchpad (1000)
Framework Access Control (1001)
Any number of child applications can be easily added
to the Framework
44
Shared Components
Master
Application 999
45
Shared Components Master - App 999
Sole purpose is to store all Shared
Components that will be subscribed to by all
other applications
There are no pages in this application, since no end
user should ever need to (or be able to) login to it
Any and all changes/additions to the
subscribed shared components should be
done here and published/subscribed to each
subscriber
Most changes will be done to the templates
46
Shared Components Master Contents
Authentication Scheme
ST Child Authentication
Authorization Scheme
Application Gatekeeper
Navigation Bar Entries
Home
Logout
Themes/Templates
SumnerTheme
47
Authentication Scheme
ST Child Authentication
Acts as a pointer to the Launchpad application
All authentication occurs only at the Launchpad
Session Not Valid URL
f?p=LAUNCHPAD:101
Cookie Name
ST
Logout URL
f?p=&G_LAUNCHPAD_APP_ID.:102:&SESSION.
48
Authorization Schemes
Application Gatekeeper
Checks to see if a specific user has at least one active
role for a specific application
If so, then the user can access the application
PL/SQL Function Returning BOOLEAN
Evaluates for Every Page View
RETURN st_fwk.app_gatekeeper( p_app_id => :APP_ID, p_app_user => :APP_USER);
49
ST_FWK.APP_GATEKEEPER
FUNCTION app_gatekeeper (p_app_id IN
NUMBER, p_app_user IN VARCHAR2)RETURN
BOOLEANIS l_user_id
st_users.user_id%TYPE; l_count
NUMBER;BEGINSELECT count(*) INTO l_count FROM
st_role_users_v WHERE application_id =
p_app_id;IF l_count > 0 THEN RETURN TRUE;ELSE
RETURN FALSE;END IF;
EXCEPTION WHEN NO_DATA_FOUND THEN RETURN
FALSE;END app_gatekeeper;
50
Navigation Bar Entries
Home
Redirects to the home page of the Launchpad Application
URL Target:
n f?p=ST:1:&APP_SESSION.
Logout
Logs out of the suite of applications
URL Target:
&LOGOUT_URL.
Which will be replaced with the value of Logout URL
from the current Authentication Scheme
51
Themes/Templates
SumnerTheme
Set of pre-built custom templates
Could be a built-in APEX theme/templates as well
Only a total of 26 templates are included in
SumnerTheme as compared to about 70-80 for the
APEX built-in themes
Most templates in the built-in themes are not needed and
can be safely and easily removed
Additional templates can be added to this
application and published/subscribed as needed
52
Starter Application
Application 998
53
Starter Application - App 998
The Starter Application will have all of the
Shared Component subscriptions established
Thus, they are linked back to the Shared
Components Master application
This application will be the starting point for all
NEW applications that will be a part of your suite
No longer need to use Create Application
Instead, start by Copying
this application
54
Shared Component Subscriptions
Subscribe to and Associate the Authorization
Scheme Application Gatekeeper at the
Application Level
Subscribe to and make the Authentication
Scheme ST Child Authentication current and
delete all others
Subscribe to the Navigation Bar Entries Home
and Logout and delete all others
55
Shared Component Subscriptions
Subscribe to each of the Templates in the theme
SumnerTheme
There is no easy way to do this
You must do each one individually
Best approach:
Get a nice cup of coffee/tea
Export the theme from the Subscription Master
Import it into the Starter Application
Edit each template in the Starter Application and subscribe
it back to the corresponding one in the Subscription Master
56
Components
Page Zero
Pre-created Page Zero for items residing on multiple pages
My Applications Report
Lists all applications a given user has access to
Pre-created Breadcrumb for site navigation and placed it on
Page Zero
Page One also has an entry pre-created in the
breadcrumb
No Login Page
Since all authentication will be done at the Launchpad, there
is no need to preserve the login page in the Starter
Application
57
Components
Call to Set Security Context
Used to set both G_USER_ID &
G_LAUNCHPAD_APP_ID
Called from Security Attributes of Application
Properties
58
Additional Components
Any additional non-subscribe-able shared
component or Page Zero items that you want all
of your applications to have should be set up
here
Take the time to think this through, as its a lot easier
to do it now verses when you have 20 applications up
and running
59
Launchpad
Application 1000
60
Launchpad Application - App 1000
The Launchpad will:
Provide centralized authentication services for the
suite of applications
Any unauthenticated session will end up here
All logins will occur on Page 101 of this application
All logouts will occur on Page 102 of this application
Provide a home page that users will see should they
have access to more than one application
Or automatically redirect the user to a single
application, if that is all they have access to
61
Deep Linking
The Launchpad Application supports deep
linking
Linking to a specific APEX application & page,
typically from a bookmark
Done in the Login process on Page 101
Uses the APEX item FSP_AFTER_LOGIN_PAGE
Which is set automatically by the APEX engine
62
Login Process on Page 101
DECLARE l_count NUMBER; l_flow_page VARCHAR2(4000);BEGINIF
:FSP_AFTER_LOGIN_PAGE IS NULL THEN l_flow_page := :APP_ID ||
':1';ELSE -- Count the number of |s in the FSP_AFTER_LOGIN_URL item
SELECT INSTR(:FSP_AFTER_LOGIN_URL, '|', 1) INTO l_count FROM dual; IF
l_count = 1 THEN -- Session ID is NOT included l_flow_page :=
REPLACE(SUBSTR(:FSP_AFTER_LOGIN_URL, 5),'|',':'); ELSE -- Session
ID is included l_flow_page :=
REPLACE(SUBSTR(SUBSTR(:FSP_AFTER_LOGIN_URL, 1,
INSTR(:FSP_AFTER_LOGIN_URL, '|',1,2)-1),5), '|', ':'); END IF;END
IF;-- Perform the loginwwv_flow_custom_auth_std.login( P_UNAME
=> :P101_USERNAME, P_PASSWORD => :P101_PASSWORD, P_SESSION_ID =>
v('APP_SESSION'), p_flow_page => l_flow_page);END;
63
Creating the Launchpad
The Launchpad will be unique in that it will be
the only application in the Framework that has a
login page
It will also have a different authentication scheme than
all other application in the framework
Additional changes can be made to page 1, as this is
the landing page for users who have access to more
than 1 application
64
Application Alias
Add the Application Alias LAUNCHPAD to
Application 1000
This way, we can refer to the LAUNCHPAD and not
rely on the Application ID always being 1000
65
What is G_USER_ID?
Surrogate Key for the USERS table
Also an Application Item in the Launchpad
Could have opted to use APP_USER, as that is
typically a unique key
However, as people change their names, there would
be more maintenance involved in preserving auditing
records or role reports
Thus, the surrogate key will never change
Allowing for variance in APP_USER, should it be
desired
66
Setting G_USER_ID
Set via the Application Attribute VPD PL/SQL
Call to Set Security Context
Not actually using VPD, but any code there is
executed at the proper place to set the context for any
purpose
st_fwk.set_ctx (p_user_name => :APP_USER, p_app_session => :APP_SESSION);
67
DBMS_SESSION.SET_CONTEXT
dbms_session.set_context( namespace
=> 'ST_FWK_CTX', attribute =>
'G_USER_ID', value => l_user_id,
username => p_user_name, client_id
=> p_app_session);
68
G_USER_ID as a Context
More efficient to use a Context in WHERE
clauses
Will only be evaluated once for X number of rows
v('G_USER_ID') will be evaluated once per row for
X number of rows
Usage:
WHERE user_id = SYS_CONTEXT('ST_FWK_CTX',
'G_USER_ID')
69
G_LAUNCHPAD_APP_ID
Also set with st_fwk.set_ctx
Refers to the Launchpad Application ID
Set as a variable to allow for a different ID to be used
if 1000 is not available
70
Authentication Scheme
The Launchpad will have its own Authentication Scheme
ST Parent Authentication
Session Not Valid Page
101
Authentication Function
RETURN st_fwk.auth_user
Cookie Name
ST
Logout URL
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_
ID.&p_next_flow_page_sess=&G_LAUNCHPAD_APP_ID
.:1
71
Custom Authentication Function
Must have the following signature:
p_username VARCHAR2
p_password VARCHAR2
And it must return a BOOLEAN
Can be used for more than just a custom table
that stores usernames & password
Multiple LDAP servers
Multiple authentication mechanisms based on
username
72
st_fwk.auth_user
FUNCTION auth_user (p_username
IN VARCHAR2, p_password IN
VARCHAR2)RETURN BOOLEAN AS l_password_hash
VARCHAR2(4000); l_stored_password_hash
VARCHAR2(4000); l_expires_on
DATE; l_count
NUMBER;BEGINSELECT count(*) INTO l_count
FROM st_users
WHERE UPPER(user_name) =
UPPER(p_username);if l_count > 0 then SELECT
password, expires_on INTO
l_stored_password_hash, l_expires_on FROM
st_users WHERE user_name = p_username;
73
st_fwk.auth_user
IF l_expires_on > SYSDATE OR l_expires_on IS NULL THEN
l_password_hash := hash_pw(p_password); IF
l_password_hash = l_stored_password_hash THEN RETURN
TRUE; ELSE RETURN FALSE; END IF; ELSE
RETURN FALSE; END IF;ELSE RETURN FALSE;END IF;END
auth_user;
74
Authorization Scheme
The Launchpad application has no authorization
scheme associated with it
Users with no roles will simply get a message stating
such and will not be able to login to any other
application
75
Branches
Create a Before Header Branch on Page 1
Checks to see how many applications a user has access
to
Will branch directly to that application if the user only
has access to a single application
Otherwise, it will stay on Page 1 and display the
Welcome page, allowing the user to choose which
application to run
Possible Enhancements:
Remove this; always end up on Page 1
Allow the user to choose and save a Default Application
to branch to and go there
76
Logout Page
Page 102 is the Framework Logout Page
Clears the context
Logs the users out of the Framework
More actions can occur here, is desired
-- Unset the contextdbms_session.clear_context( namespace
=> 'ST_FWK_CTX', client_id => v('APP_SESSION')); --
Process the logoutwwv_flow_custom_auth_std.logout(
p_this_flow => v('G_LAUNCHPAD_APP_ID'),
p_next_flow_page_sess => v('G_LAUNCHPAD_APP_ID') || ':1');
77
Framework Flow
App 1000



Page
101
Page 1
App 1002



1
1
Pages
App 1003



1
1
Pages
Authenticate
78
Framework Flow
App 1000



Page
101
Page 1
App 1002



1
1
Pages
App 1003



1
1
Pages
Authenticate
79
Framework Flow
App 1000



Page
101
Page 1
Authenticate
App 1002



1
1
Pages
App 1003



1
1
Pages



80
Framework
Access Control
Application 1001
81
Access Control Application - App 1001
Access to Framework Application is managed by
an APEX Application
Mostly made up of out-of-the-box APEX components
Born from cloning the Starter Application
Subscriptions and Authentication/Authorization schemes
are still in tact
Access to the Access Control application is
managed via the Access Control application
Thus, you will need to seed the first application, user, role
& role mapping with SQL*Plus
82
Access Control - Overview
8 Pages
One of which is Page Zero
4 Reports
Applications, Roles, Users, User Roles
4 Forms
Applications, Roles, Users, User Roles
83
Additional Applications
84
Additional Applications
As new applications are needed, the Starter
Application is cloned and used as a starting
point
All subscriptions to the Shared Components Master
are preserved this way
Development can then begin on the cloned
application as normal
Caution:
If a developer removes or alters the Framework
Authentication or Authorization Schemes, things
will likely stop working
85
Retro-fitting an Existing Application
Retro-fitting existing applications is just as simple
Subscribe to the ST Child Authentication Scheme
Make Current
Subscribe to the App Gatekeeper Authorization Scheme
Associate it at the application level
Subscribe to Home & Logout Navigation Bar Entrires
Configure application via the Framework Access Control
application
Add Application & Roles
Assign Users to Roles
86
Mapping Existing Authorization Schemes
Existing Authorization Schemes can be mapped
to Roles in the Framework
Use the Member of Role: Demo example
Authorization Scheme as a model
PL/SQL Function Returning Boolean
Passing in a Role Key will return TRUE if the
currently signed on user is a member of the
associated role defined in the Framework
Otherwise, it will return FALSE
RETURN st_fwk.role_member(
p_role_key => 'DEMO')
87
ST_FWK.ROLE_MEMBER
FUNCTION role_member (p_role_key IN VARCHAR2,
p_app_id IN NUMBER DEFAULT
nv('APP_ID'))RETURN BOOLEANIS l_count
NUMBER;BEGINSELECT count(*) INTO l_count FROM
st_role_users_v WHERE role_key = p_role_key AND
application_id = p_app_id; IF l_count > 0 THEN RETURN
TRUE;ELSE RETURN FALSE;END IF;EXCEPTION WHEN NO_DATA_FOUND
THEN RETURN FALSE;END role_member;
88
Demonstration
89
Demonstration
Overview of the Access Control application
Creating a New Application
Integrating it Into the Framework
Changing a Template
Pushing Changes to All Applications
Integrating the APEX Sample Application
Authentication Scheme
Authorization Schemes
Navigation Bar Entry
90
Practical Framework Applications
Manage Multiple Applications
Module-based application
Release and manage (and charge for) components
individually
Multiple code lines for multiple developers
Easier to release a subset of functionality
APEX does this
White-listed Subset of Functionality
Easier to secure a small application entirely than a small
portion of a large application
91
Summary
92
Summary
Consider implementing some sort of centralized
framework in your APEX environment
Sooner than Later
It will pay for itself by means of:
Centralized User & Role Management
Better auditing capabilities
Flexibility to adapt to both new and existing APEX
investments
93
Download Files
http://sumnertechnologies.com/framework
http://sumnertechnologies.com
Copyright 2009 Sumner Technologies - All Rights Reserved