4 Replies Latest reply: Nov 7, 2013 9:50 AM by Recx Ltd

    How to securely call a procedure.

    cloaked

      Greetings.

       

      Currently on Application Express 4.1.1.00.23

       

      We have a download procedure that is in a lot of our applications.  The procedure is used to download attachments, images, etc. from internal tables. The procedure is called from a page, a report column, and a URL, depending on the application.  The syntax we use to call the procedure via a URL is shown below.  The problem is that the syntax below is not secure.  Anyone can call the procedure, even without being authenticated.  Is there a way to make the URL procedure call more secure?  By secure, I mean only allow the procedure to run if the user is authenticated.  Is there a way to include the Session ID in the URL below and have it still work and be secure?

       

      Thanks, Tony

       

      http://server.xxx.com:7000/apex/schema.download_image?p_id=2088

        • 1. Re: How to securely call a procedure.
          jariola

          Hi,

           

          What you can do is create a new page in your application that is authenticated.

          Call the procedure in that new page in a before-header process, like:

          schema.download_image(p_id => :REQUEST);
          APEX_APPLICATION.STOP_APEX_ENGINE;
          

           

          Then point browser to

          server.xxx.com:7000/apex/f?p=<app_id>:<page_id>::2088


          You should see the login page, and then your procedure is called.


          Regards,

          Jari

          • 2. Re: How to securely call a procedure.
            cloaked

            Hi Jari,

             

            Thanks for the suggestion.  Unfortunately, I'm not sure that will work for my instance.  I am calling the procedure via a URL as part of an image map, as you can see below.  The page dynamically builds the HTML as the page opens, then the image map displays.

             

            Tony

             

            <div class="rc-content-buttons"> <div class="rc-content-main">
            <img id="ImageMap" src="schema.download_image?p_id=3306" usemap="#ImageMap" border="0" width="859" height="408" alt="" /> <map id="_ImageMap" name="ImageMap"> <area shape="rect" coords="50,50,86,89" href="http://server.xxx.com:7000/apex/f?p=2031:10:309826909842601::NO::P10_HEADER_ID,P10_CELL_TITLE:489526,1-2" alt="1-2" title="1-2"    />
            • 3. Re: How to securely call a procedure.
              jariola

              Hi,

               

              That should work.

              You change img src to

              f?p=&APP_ID.:<page_id_where_is_before_header_process>:&APP_SESSION.:3306

               

              Regards,

              Jari

              • 4. Re: How to securely call a procedure.
                Recx Ltd

                Create an application process within APEX called 'download_image';

                 

                The link to the process should be;

                 

                wwv_flow.show?p_request=APPLICATION_PROCESS=download_image&p_instance=<session id>&p_flow_id=<app id>&p_flow_step_id=0&x01=<your own internal id>

                 

                The process should simply call your schema process using the value passed in the x01 parameter;

                 

                schema.download_image(p_id => apex_application.g_x01 );

                 

                You can apply an authorisation scheme to the APEX application process, or check :APP_USER, call APEX authentication functions, etc. within the code.

                 

                regards,
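
The on-demand process from reply 4 with the :APP_USER check written out, as an added example that is not code from any poster in the thread. It assumes the unauthenticated user is reported as 'nobody', 'APEX_PUBLIC_USER' or 'ANONYMOUS' (check what your instance reports) and that p_id is a positive integer.

```plsql
-- Added example: body of an On Demand application process named download_image.
-- Called as: wwv_flow.show?p_request=APPLICATION_PROCESS=download_image
--            &p_instance=<session id>&p_flow_id=<app id>&p_flow_step_id=0&x01=<id>
declare
    -- Assumption: names under which an unauthenticated session may appear.
    l_user varchar2(255) := upper(apex_application.g_user);
    l_raw  varchar2(32767) := apex_application.g_x01;

    -- Send a bare status response and end request processing.
    procedure deny (p_status in pls_integer, p_reason in varchar2) is
    begin
        owa_util.status_line(p_status, p_reason, false);
        owa_util.mime_header('text/plain', true);
        htp.p(p_reason);
        apex_application.stop_apex_engine;  -- raises; nothing after this runs
    end deny;
begin
    -- 1. Refuse callers that are not logged in. On APEX 4.1 an on-demand
    --    process has no page-level authentication protecting it, so the
    --    check has to be made here or through an authorisation scheme.
    if l_user is null
       or l_user in ('NOBODY', 'APEX_PUBLIC_USER', 'ANONYMOUS')
    then
        deny(403, 'Forbidden');
    end if;

    -- 2. Accept only a plain positive integer in x01 (assumed id format).
    if l_raw is null or not regexp_like(l_raw, '^[0-9]{1,12}$') then
        deny(400, 'Bad Request');
    end if;

    -- 3. Being logged in says nothing about whether this user may see this
    --    row; add an ownership or role check here if attachments are not
    --    shared between all users of the application.

    -- 4. Stream the file with the existing procedure from the thread.
    schema.download_image(p_id => to_number(l_raw));
end;
```

The direct schema.download_image?p_id=... URL from the original question still answers unauthenticated callers for as long as the procedure can be reached directly through the listener, so that route has to be closed once the links are switched over.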