4 Replies Latest reply: Jun 22, 2011 10:47 PM by Harry83 RSS

    Replace Connection Pool with authenticated Database access Descriptor

    Harry83
      APEX by default is a light weight application that uses connection pool (APEX_PUB_USER) by default.

      In order to use existing Visual Private database, we need to get authenticated session_user in APEX (that will be APEX_PUB_USER by default). One developer suggests to create a new authenticated DAD(database access descriptor) to replace default connection pool that is coming with APEX as default.

      Could anyone tell me whether this is a right approach? Will this cause any performance issues when APEX is turned to a heavy weight application?
        • 1. Re: Replace Connection Pool with authenticated Database access Descriptor
          rima
          This would mean creating a DAD for every database user.

          maybe this can help: Virtual Private Database and APEX

          regards,
          Richard
          • 2. Re: Replace Connection Pool with authenticated Database access Descriptor
            Harry83
            Thanks Rima for your reply. Yes, I agree with you that replacing connection pool with a DAD will ends up with DAD for every user. As a concenquence, it may hurt performance all together. That is also my worry. I haven't seen any documentation from Oracle about switching connection to DAD. Is there any reason for this?
            • 3. Re: Replace Connection Pool with authenticated Database access Descriptor
              fac586
              Please update your forum profile with a real handle instead of "user3935570".
              In order to use existing Visual Private database, we need to get authenticated session_user in APEX (that will be APEX_PUB_USER by default). One developer suggests to create a new authenticated DAD(database access descriptor) to replace default connection pool that is coming with APEX as default.
              This is a false premise. Changing a modplsql DAD will not replace connection pooling, nor convert APEX apps from "lightweight" to "heavyweight" applications (whatever you mean by that).
              Yes, I agree with you that replacing connection pool with a DAD will ends up with DAD for every user.
              You're not replacing the connection pool, and it's not necessary to create a DAD for every user. Using DAD Credentials Verification as the authentication scheme with a DAD without <tt>PlsqlDatabaseUsername</tt> and <tt>PlsqlDatabasePassword</tt> parameters, users can enter their DB credentials in response to the browser basic authentication challenge, and sessions for these DB users will be set up in the connection pool. Still a transient stateless connection over HTTP; still a connection pool; still no roles; still running APEX app code as the application parsing schema; but <tt>user</tt> is the DB user entered, not <tt>APEX_PUBLIC_USER</tt>. (Feel free to construe this as "light" or "heavy" as you see fit.)

              If your existing VPD is dependent on <tt>user</tt> values, but not on roles or invokers' rights packages, then it will continue to work when using DAD Credentials Verification as the authentication scheme. However you are strongly advised to rewrite the VPD scheme to use predicates based on system contexts, using the VPD security attribute to set these in APEX apps.

              As I've never run this using DAD Credentials Verification in a production environment (and&mdash;to be clear&mdash;never intend to, as it's a bad idea), nor changed connection pool settings from the defaults, I have no idea about any impact on performance.
              • 4. Re: Replace Connection Pool with authenticated Database access Descriptor
                Harry83
                Thanks fac586 for your replay. Very helpful advice!