1 2 Previous Next 16 Replies Latest reply: Jun 18, 2012 2:23 AM by Christian Neumueller-Oracle RSS

    APEX_UTIL.PREPARE_URL does not work across workspaces?

    91527
      We are running ApEx 4.1.1 on Oracle 11g.

      I am trying to call an application in another workspace and am using APEX_UTIL.PREPARE_URL in a hidden item and then a button with REDIRECT TO URL using javascript:popUp2 which uses the hidden item (the returned value of the PREPARE_URL. The code works fine if I am in the same workspace and a checksum is returned:

      APEX_UTIL.PREPARE_URL('f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS','SESSION');

      returns:

      f?p=9002:2:1400894538262901::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:9001,FRD_MASTER_BANSECR&c=STU_WS&cs=3190FB9A8CC967E5B3CED03460DF6F291

      I can press the button and app 9002 opens in a new window.

      When I try the same code in an application in another workspace, no checksum is returned:

      APEX_UTIL.PREPARE_URL('f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS','SESSION');

      returns:

      f?p=9002:2:8288147979401::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS

      and I get the error:

      Error     Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum.


      I have also tried it without the workspace '&c=STU_WS' and explicitly passing the parameters, but no checksum is returned.

      APEX_UTIL.PREPARE_URL(p_url => 'f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.',p_checksum_type => 'SESSION')

      If I do not try to pass any parameters, no checksum is produced, but the button successfully opens app 9002 in a new window:

      APEX_UTIL.PREPARE_URL('f?p=9002:4:&SESSION.::NO::&c=STU_WS','SESSION');

      returns:

      f?p=9002:4:8288147979401::NO:::&c=STU_WS

      Again, the above code successfully opens app 9002 in a new window. In fact, when not passing parameters to app 9002, I would not seem to need to use PREPARE_URL.

      BUT. I do need to pass the calling app id and the calling app name to app 9002, because 9002 looks up information about the calling app. Since, I must pass parameters, I must use PREPARE_URL, and it does not seem to work when you call it for an app in a different workspace.

      Given all of the above, I have found a kludge. I call PREPARE_URL using the APP_ID of the current app and then replace that APP_ID with 9002.

      replace(APEX_UTIL.PREPARE_URL('f?p=&APP_ID.:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS','SESSION'),
      'f?p=&APP_ID.:2','f?p=9002:2')

      returns:

      f?p=9002:2:8288147979401::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS&cs=33B2BB2ECFE3555198CE3325CCF9F67B8

      And the button opens app 9002 just fine.

      Is there anyway to get PREPARE_URL to work with apps in another workspace? What am I missing? Is there a better way than the kludge I came up with?

      A little more information: my app 9002 is a help & info for ApEx DBAs and Developers. It is my attempt at code reuse. Calls to 9002 are in a master template. I can continually update and change the help in 9002 without having to update the apps that call it.

      Thanks for your help,

      Chris
        • 1. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
          VC
          lewisc3 wrote:
          We are running ApEx 4.1.1 on Oracle 11g.

          I am trying to call an application in another workspace and am using APEX_UTIL.PREPARE_URL in a hidden item and then a button with REDIRECT TO URL using javascript:popUp2 which uses the hidden item (the returned value of the PREPARE_URL. The code works fine if I am in the same workspace and a checksum is returned:

          APEX_UTIL.PREPARE_URL('f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS','SESSION');

          returns:

          f?p=9002:2:1400894538262901::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:9001,FRD_MASTER_BANSECR&c=STU_WS&cs=3190FB9A8CC967E5B3CED03460DF6F291

          I can press the button and app 9002 opens in a new window.

          When I try the same code in an application in another workspace, no checksum is returned:

          APEX_UTIL.PREPARE_URL('f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS','SESSION');

          returns:

          f?p=9002:2:8288147979401::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS

          and I get the error:

          Error     Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum.


          I have also tried it without the workspace '&c=STU_WS' and explicitly passing the parameters, but no checksum is returned.

          APEX_UTIL.PREPARE_URL(p_url => 'f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.',p_checksum_type => 'SESSION')

          If I do not try to pass any parameters, no checksum is produced, but the button successfully opens app 9002 in a new window:

          APEX_UTIL.PREPARE_URL('f?p=9002:4:&SESSION.::NO::&c=STU_WS','SESSION');
          This is wrong because you are passing string SESSION for url_charset parameter, that's why id is not adding any checksum
          See this http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21676/apex_util.htm#AEAPI160
          returns:

          f?p=9002:4:8288147979401::NO:::&c=STU_WS

          Again, the above code successfully opens app 9002 in a new window. In fact, when not passing parameters to app 9002, I would not seem to need to use PREPARE_URL.

          BUT. I do need to pass the calling app id and the calling app name to app 9002, because 9002 looks up information about the calling app. Since, I must pass parameters, I must use PREPARE_URL, and it does not seem to work when you call it for an app in a different workspace.

          Given all of the above, I have found a kludge. I call PREPARE_URL using the APP_ID of the current app and then replace that APP_ID with 9002.

          replace(APEX_UTIL.PREPARE_URL('f?p=&APP_ID.:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS','SESSION'),
          'f?p=&APP_ID.:2','f?p=9002:2')

          returns:

          f?p=9002:2:8288147979401::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS&cs=33B2BB2ECFE3555198CE3325CCF9F67B8

          And the button opens app 9002 just fine.

          Is there anyway to get PREPARE_URL to work with apps in another workspace? What am I missing? Is there a better way than the kludge I came up with?

          A little more information: my app 9002 is a help & info for ApEx DBAs and Developers. It is my attempt at code reuse. Calls to 9002 are in a master template. I can continually update and change the help in 9002 without having to update the apps that call it.
          Review all above API calls and make sure you pass right parameters
          • 2. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
            91527
            Good guess, but the char set is not the problem. As I stated in my original post, even without explicitly naming PREPARE_URL's parameters, a checksum was in fact returned for apps in the same workspace. Also, I had stated that I had also tried explicitly passing the parameters to PREPARE_URL to no avail.

            After your reply, I explicitly passed parameters again:

            APEX_UTIL.PREPARE_URL(p_url => 'f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS',p_checksum_type =>'SESSION')

            when I pass an app id from another workspace, NO CHECKSUM is returned:

            f?p=9002:2:636506971831301::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS

            However, when I use an app id in the same workspace, I get a checksum:

            APEX_UTIL.PREPARE_URL(p_url => 'f?p=&APP_ID.:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS',p_checksum_type =>'SESSION')

            returns:

            f?p=112:2:636506971831301::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS&cs=335D8CDB5218C5AD96352588E3F19D88C

            I even tried hard-coding the app id from the current workspace to see whether the problem is hard-coding the app id:

            APEX_UTIL.PREPARE_URL(p_url => 'f?p=112:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS',p_checksum_type =>'SESSION')

            A hard-coded app id also returns a checksum when the app_id is in the same workspace:

            f?p=112:2:636506971831301::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS&cs=335D8CDB5218C5AD96352588E3F19D88C

            Again, the problem does not seem to be that I am passing 'SESSION' as the character set parameter. The problem seems to be when an app_id in another workspace is used, PREPARE_URL does not return a checksum.
            • 3. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
              VC
              lewisc3 wrote:
              Good guess, but the char set is not the problem. As I stated in my original post, even without explicitly naming PREPARE_URL's parameters, a checksum was in fact returned for apps in the same workspace. Also, I had stated that I had also tried explicitly passing the parameters to PREPARE_URL to no avail.
              In PL/SQL you must pass the parameters naming explicitly OR at least in the same order like below.
              APEX_UTIL.PREPARE_URL('f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS',
              NULL,
              'SESSION');
              After your reply, I explicitly passed parameters again:

              APEX_UTIL.PREPARE_URL(p_url => 'f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS',p_checksum_type =>'SESSION')
              THIS IS BECAUSE YOUR PAGE IS NOT ENABLED FOR Page Access Protection

              edit your page 2 in application 9002 and set the property Page Access Protection to Arguments Must Have Checksum, then only it will add the checksum in the above API
              when I pass an app id from another workspace, NO CHECKSUM is returned:

              f?p=9002:2:636506971831301::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS

              However, when I use an app id in the same workspace, I get a checksum:

              APEX_UTIL.PREPARE_URL(p_url => 'f?p=&APP_ID.:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS',p_checksum_type =>'SESSION')

              returns:

              f?p=112:2:636506971831301::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS&cs=335D8CDB5218C5AD96352588E3F19D88C

              I even tried hard-coding the app id from the current workspace to see whether the problem is hard-coding the app id:

              APEX_UTIL.PREPARE_URL(p_url => 'f?p=112:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=STU_WS',p_checksum_type =>'SESSION')

              A hard-coded app id also returns a checksum when the app_id is in the same workspace:

              f?p=112:2:636506971831301::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=STU_WS&cs=335D8CDB5218C5AD96352588E3F19D88C

              Again, the problem does not seem to be that I am passing 'SESSION' as the character set parameter. The problem seems to be when an app_id in another workspace is used, PREPARE_URL does not return a checksum.
              If you read above your statement correctly (+passing 'SESSION' as the character set parameter+) it is obvious that you are passing wrong parameter for url_charset.

              Because although if you overcome the actual problem this will stop working because of passing 'SESSION' as the character set parameter
              • 4. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                91527
                It is not an incorrect passing of the parameters to PREPARE_URL.

                Also, page 2 in application 9002, "Page Access Protection" is set to "Arguments Must Have Checksum."

                Let's try once more.

                App 9002 is in workspace FREDONIA_WS. When I run app 9001 in the workspace FREDONIA_WS, this code:

                APEX_UTIL.PREPARE_URL(
                p_url => 'f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=FREDONIA_WS',
                p_checksum_type =>'SESSION')

                produces this result WITH CheckSum:

                f?p=9002:2:169973824944701::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:9001,FRD_MASTER_BANSECR&c=FREDONIA_WS&cs=3077BDD38DA4768A49261B59B5FA67597

                I am able to press the button that calls the above code and I go to page 2 of app 9002.

                I exported app 9001 and imported it into app 112 another workspace, FACE_WS. When I run app 112 in the workspace FACE_WS, this code:

                APEX_UTIL.PREPARE_URL(
                p_url => 'f?p=9002:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=FREDONIA_WS',
                p_checksum_type =>'SESSION')

                produces this result WITH NO CheckSum:

                f?p=9002:2:1249074951810501::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:112,Testing_Template&c=FREDONIA_WS

                When I press the button, I get the error:

                Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum.


                Just to make sure it was not a difference in privileges in the workspaces, I exported app 9002 (the one being called) from the FREDONIA_WS and imported it into the FACE_WS workspace as app 127. I then changed app 9001 in the FREDONIA_WS workspace to call app 127 in the FACE_WS rather than 9002 in the FREDONIA_WS. When I run app 9001 in the workspace FREDONIA_WS, this code

                APEX_UTIL.PREPARE_URL(
                p_url => 'f?p=127:2:&SESSION.::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:&APP_ID.,&G_APP_NAME.&c=FACE_WS',
                p_checksum_type =>'SESSION')

                produced this result WITH NO CheckSum:

                f?p=127:2:1009284914444901::NO::P2_CALLING_APP_ID,P2_CALLING_APP_NAME:9001,FRD_MASTER_BANSECR&c=FACE_WS

                When I press the button to call app 127 in the FACE_WS from app 9001 in the FREDONIA_WS, I get this error:

                Error     Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum.

                So, it does not seem to be an incorrect passing of the parameters to PREPARE_URL and it is not that the page 2 protection is incorrect.

                The simple fact is that if one uses PREPARE_URL to call an app in another workspace, NO CHECKSUM IS PRODUCED. As my original message indicated, one can kludge this by telling PREPARE_URL to use the APP_ID of the current app and then replacing it with 9002. PREPARE_URL then produces a checksum.

                Is it documented that PREPARE_URL does not work across workspaces?

                Does anyone have a better idea than my 'replace' command to allow me to reuse an app from another workspace? I do not want to have to duplicate 9002 in other workspaces. I want it in one spot because I need to constantly make changes to it. But I do need to call 9002 from all our other workspaces.

                Help please and thanks,

                Chris
                • 5. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                  fac586
                  APEX_UTIL.PREPARE_URL will only work for applications in the same workspace. This is by design: +{thread:id=2328983}+

                  (if you'd searched the forum before posting you'd have saved yourself an awful lot of time and typing...)
                  • 6. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                    Christian Neumueller-Oracle
                    Hi Chris,

                    a session-based checksum for an application in another workspace should never be valid. The prepare_url function uses a session-specific key to generate the checksum and sessions can not cross workspaces. When Apex processes the request, it should create a new session with a new key and detect a checksum error, since they keys differ. I am surprised that you managed to get this to work by that replace trick, but I could not reproduce the behaviour. Can you provide a test case, for example with 2 workspaces on apex.oracle.com? If there is a way to make this work, you found a bug in Apex.

                    Regards,
                    Christian
                    • 7. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                      91527
                      Glad I like typing. :)

                      Seriously, thank you for confirming the PREPARE_URL does not work across workspaces. I must have searched incorrectly and apologize to everyone.

                      However, that being said, Christian's reply was more to the point. I was able to get it to work using 'replace' as a kludge. I'll try to recreate the 'replace' at the oracle apex site.

                      But let's say it is made so that 'replace' does not work. What I am really trying to get at is more of a "philosophical" discussion:

                      What would be the best way to access an app from all workspaces or is that just never to be allowed?

                      I think I understand the security issue for it does not allow exposure to apps in other workspaces.

                      But, on the opposite side, what about better code reuse? Have the ApEx developers contemplated ways of allowing apps to call "centralized" apps and pages? Say, only apps in a workspace called 'common_ws' or registered in some special ApEx table or some such.

                      Additionally, our apps are all further protected. One must successfully log into oracle but then that user name must further exist is a table along with the app name+id in order to be able to go further.

                      If it is forever to be just a hard-and-fast rule not to allow cross workspace references, would you have any ideas about what I could do? Should I make my app public so no checksum is required and then use authorization on the pages? I guess I could put what the app does into packages, separate HTML pages, and the like.

                      I guess I just cannot imagine others wouldn't want to be able to have an ability to call some centralized apps and pages without having to copy those around.

                      I really am looking more for guidance and your thoughts would be greatly appreciated,

                      Chris
                      • 8. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                        91527
                        Thanks, Christian!

                        I'll try to recreate the 'replace' at the oracle apex site.

                        Chris
                        • 9. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                          Christian Neumueller-Oracle
                          Hi Chris,

                          we do not have plans to weaken the boundaries between workspaces. They are designed to provide strong isolation, while applications within the same workspace can be configured to work together, if they share the same session cookie name. With 4.2, we'll even introduce shared session state (application items with "Global" scope) for these kinds of apps.

                          That being said, I'm all for code reuse and interoperability. If it is a requirement for you to have applications work together across workspaces (or even between unconnected systems), there are ways to accomplish this. First of all, you'll have to decide if the data being passed needs to be secure in the first place. That's not always the case but if yes, you can implement a framework on your own. The overall system architecture dictates what is appropriate here. Just to give you an example, in a single database you could create message passing tables in a shared schema and pass handles to the messages plus a checksum made via a shared secret (you could also implement something based on pipes, alerts, AQ or contexts). I did something like that years ago to make Forms, Reports and Apex interoperate.

                          Regards,
                          Christian
                          • 10. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                            fac586
                            Christian Neumueller wrote:

                            we do not have plans to weaken the boundaries between workspaces. They are designed to provide strong isolation, while applications within the same workspace can be configured to work together, if they share the same session cookie name. With 4.2, we'll even introduce shared session state (application items with "Global" scope) for these kinds of apps.
                            Interesting news Christian. However for me shared session collections would be even more useful. Any chance of that?
                            • 11. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                              Christian Neumueller-Oracle
                              There are no plans yet to share collections between apps. However, if you provide a good example, I'll open an enhancement request ;-)
                              • 12. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                                fac586
                                Christian Neumueller wrote:
                                There are no plans yet to share collections between apps. However, if you provide a good example, I'll open an enhancement request ;-)
                                Use case:

                                A large system is implemented in modular fashion as several applications within the same workspace sharing the same session cookie/authentication scheme and some common authorization schemes. A per session user/module/role/organization unit look-up table should be created once on logging in to any module (app) in the workspace (for performance reasons we don't want to do this for every page view). This look-up table is used by authorization schemes, VPD, views etc to determine if users have visibility and privileges on organization unit data. Modules may have reason to use role information applying to other modules.

                                A per-session collection would be the easiest way to implement this, as it handles session management automatically, but it's not possible at present because the collections are on a per-session/application basis.

                                Basically, if cross-application sharing of scalar values in session state through "workspace items" is possible, cross-application sharing of structured data through "workspace collections" should be too.
                                • 13. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                                  Christian Neumueller-Oracle
                                  Thank you. I opended bug/er #14196075.
                                  • 14. Re: APEX_UTIL.PREPARE_URL does not work across workspaces?
                                    fac586
                                    Christian Neumueller wrote:
                                    Thank you. I opended bug/er #14196075.
                                    Thank you.
                                    1 2 Previous Next