4 Replies Latest reply on Nov 7, 2013 3:50 PM by Recx Ltd

    How to securely call a procedure.




      Currently on Application Express


      We have a download procedure that is in a lot of our applications.  The procedure is used to download attachments, images, etc. from internal tables. The procedure is called from a page, a report column, and a URL, depending on the application.  The syntax we use to call the procedure via a URL is shown below.  The problem is that the syntax below is not secure.  Anyone can call the procedure, even without being authenticated.  Is there a way to make the URL procedure call more secure?  By secure, I mean only allow the procedure to run if the user is authenticated.  Is there a way to include the Session ID in the URL below and have it still work and be secure?


      Thanks, Tony



        • 1. Re: How to securely call a procedure.



          What you can do is create new page to your application that is authenticated.

          Call procedure in that new page before header process like

          schema.download_image(p_id => :REQUEST);


          Then point browser to


          You should see loging page , and then your procedure is called.



          • 2. Re: How to securely call a procedure.

            Hi Jari,


            Thanks for the suggestion.  Unfortunately, I'm not sure that will work for my instance.  I am calling the procedure via a URL as part of an image map.  As you can see below.  The page dynamically builds the HTML as the page opens, then the image map displays.




            div class="rc-content-buttons"> div class="rc-content-main">
            img id="ImageMap" src="schema.download_image?p_id=3306" usemap="#ImageMap" border="0" width="859" height="408" alt="" /> map id="_ImageMap" name="ImageMap"> area shape="rect" coords="50,50,86,89" href="http://server.xxx.com:7000/apex/f?p=2031:10:309826909842601::NO::P10_HEADER_ID,P10_CELL_TITLE:489526,1-2" alt="1-2" title="1-2"    />
            • 3. Re: How to securely call a procedure.



              That should work.

              You change img src to





              • 4. Re: How to securely call a procedure.
                Recx Ltd

                Create an application process within APEX called 'download_image';


                The link to the process should be;


                wwv_flow.show?p_request=APPLICATION_PROCESS=download_image&p_instance=<session id>&p_flow_id=

                <app id>&p_flow_step_id=0&x01=<your own internal id>


                The process should simply call your schema process using the value passed in the x01 parameter;


                schema.download_image(p_id => apex_application.g_x01 );


                You can apply authorisation scheme to the APEX application process, or check :APP_USER, call APEX authentication functions etc within the code.