4 Replies Latest reply: Nov 7, 2013 7:50 AM by Recx Ltd

How to securely call a procedure.

cloaked Newbie
Greetings.

 

Currently on Application Express 4.1.1.00.23

 

We have a download procedure that is in a lot of our applications.  The procedure is used to download attachments, images, etc. from internal tables. The procedure is called from a page, a report column, and a URL, depending on the application.  The syntax we use to call the procedure via a URL is shown below.  The problem is that the syntax below is not secure.  Anyone can call the procedure, even without being authenticated.  Is there a way to make the URL procedure call more secure?  By secure, I mean only allow the procedure to run if the user is authenticated.  Is there a way to include the Session ID in the URL below and have it still work and be secure?

 

Thanks, Tony

 

http://server.xxx.com:7000/apex/schema.download_image?p_id=2088

  • 1. Re: How to securely call a procedure.
    jariola Guru
    Hi,

     

    What you can do is create a new page in your application that is authenticated.

    Call the procedure in that new page in a before header process, like:

    schema.download_image(p_id => :REQUEST);
    APEX_APPLICATION.STOP_APEX_ENGINE;

     

    Then point browser to

    server.xxx.com:7000/apex/f?p=<app_id>:<page_id>::2088


    You should see the login page, and then your procedure is called.


    Regards,

    Jari

  • 2. Re: How to securely call a procedure.
    cloaked Newbie
    Hi Jari,

     

    Thanks for the suggestion.  Unfortunately, I'm not sure that will work for my instance.  I am calling the procedure via a URL as part of an image map, as you can see below.  The page dynamically builds the HTML as the page opens, then the image map displays.

     

    Tony

     

    <div class="rc-content-buttons"> <div class="rc-content-main">
    <img id="ImageMap" src="schema.download_image?p_id=3306" usemap="#ImageMap" border="0" width="859" height="408" alt="" />
    <map id="_ImageMap" name="ImageMap">
    <area shape="rect" coords="50,50,86,89" href="http://server.xxx.com:7000/apex/f?p=2031:10:309826909842601::NO::P10_HEADER_ID,P10_CELL_TITLE:489526,1-2" alt="1-2" title="1-2" />

  • 3. Re: How to securely call a procedure.
    jariola Guru
    Hi,

     

    That should work.

    You change img src to

    f?p=&APP_ID.:<page_id_where_is_before_header_process>:&APP_SESSION.:3306

     

    Regards,

    Jari

  • 4. Re: How to securely call a procedure.
    Recx Ltd Explorer
    Create an application process within APEX called 'download_image';

     

    The link to the process should be;

     

    wwv_flow.show?p_request=APPLICATION_PROCESS=download_image&p_instance=<session id>&p_flow_id=<app id>&p_flow_step_id=0&x01=<your own internal id>

     

    The process should simply call your schema process using the value passed in the x01 parameter;

     

    schema.download_image(p_id => apex_application.g_x01 );

     

    You can apply an authorisation scheme to the APEX application process, or check :APP_USER, call APEX authentication functions, etc. within the code.

     

    regards,
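
An added example, not part of the original thread or of any poster's reply: one possible body for the on-demand application process 'download_image' described in reply 4, which refuses public sessions and validates `x01` before calling `schema.download_image`. The public-user names and the error numbers are assumptions of this example.

```plsql
-- Added example: body of the on-demand application process 'download_image'.
-- schema.download_image, :APP_USER and apex_application.g_x01 come from the
-- thread; everything else here is an assumption of this example.
DECLARE
    l_id NUMBER;
BEGIN
    -- 1. Require a logged-in user. The names tested here are assumed values
    --    for an unauthenticated (public) session; adjust them to match the
    --    Public User setting of your instance.
    IF :APP_USER IS NULL
       OR UPPER(:APP_USER) IN ('NOBODY', 'APEX_PUBLIC_USER')
    THEN
        -- Constructed error number; no file content is emitted.
        raise_application_error(-20001, 'Authentication required');
    END IF;

    -- 2. x01 arrives in the URL, so treat it as untrusted text and accept
    --    only a positive whole number before it reaches the procedure.
    BEGIN
        l_id := TO_NUMBER(apex_application.g_x01);
    EXCEPTION
        WHEN VALUE_ERROR OR INVALID_NUMBER THEN
            l_id := NULL;
    END;

    IF l_id IS NULL OR l_id <= 0 OR l_id <> TRUNC(l_id) THEN
        raise_application_error(-20002, 'Invalid attachment id');
    END IF;

    -- 3. Being logged in does not mean this user may see this row.
    --    If attachments belong to particular users, check that
    --    l_id is visible to :APP_USER here before streaming it.

    -- 4. Only now stream the file.
    schema.download_image(p_id => l_id);
END;
```

The direct `/apex/schema.download_image?p_id=...` URL from the original question stays callable alongside this process until the procedure itself is no longer reachable that way.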
