Currently on Application Express 4.1.1.00.23
We have a download procedure that is in a lot of our applications. The procedure is used to download attachments, images, etc. from internal tables. The procedure is called from a page, a report column, and a URL, depending on the application. The syntax we use to call the procedure via a URL is shown below. The problem is that the syntax below is not secure. Anyone can call the procedure, even without being authenticated. Is there a way to make the URL procedure call more secure? By secure, I mean only allow the procedure to run if the user is authenticated. Is there a way to include the Session ID in the URL below and have it still work and be secure?
Thanks for the suggestion. Unfortunately, I'm not sure that will work for my instance. I am calling the procedure via a URL as part of an image map, as you can see below. The page dynamically builds the HTML as the page opens, then the image map displays.
Create an application process within APEX called 'download_image'.
The link to the process should be:
<app id>&p_flow_step_id=0&x01=<your own internal id>
The process should simply call your schema procedure using the value passed in the x01 parameter:
schema.download_image(p_id => apex_application.g_x01 );
You can apply an authorisation scheme to the APEX application process, or check :APP_USER, call APEX authentication functions, etc. within the code.
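A sketch of the :APP_USER check suggested above, written as the body of the 'download_image' application process. This is an added example, not code from the thread: it assumes an unauthenticated session reports APP_USER as 'nobody' or the public database user, that the internal id is numeric, and `schema` remains the placeholder used in the answer.

```plsql
-- Added example: body of the on-demand application process 'download_image'.
-- Assumptions (not from the thread): unauthenticated sessions report APP_USER
-- as 'nobody' or the public database user, and the internal id is numeric.
declare
  l_user varchar2(255)   := upper(:APP_USER);
  l_raw  varchar2(32767) := apex_application.g_x01;
begin
  -- 1. Refuse callers that have no authenticated APEX session.
  if l_user is null or l_user in ('NOBODY', 'APEX_PUBLIC_USER') then
    owa_util.status_line(403, 'Forbidden', true);
    return;
  end if;

  -- 2. Accept only a plain numeric id, so nothing else reaches the
  --    schema procedure through the x01 parameter.
  if l_raw is null or not regexp_like(l_raw, '^[0-9]{1,18}$') then
    owa_util.status_line(400, 'Bad Request', true);
    return;
  end if;

  -- 3. Hand the validated id to the existing download procedure.
  --    'schema' is the placeholder from the answer; use the real owner.
  schema.download_image(p_id => to_number(l_raw));
end;
```

Once the process performs this check, the underlying schema procedure no longer needs to be callable directly by URL, so its execute grant to the public gateway user can be withdrawn.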