5 Replies Latest reply on May 31, 2016 2:22 PM by Kris Rice-Oracle

    Request Validation / Pre / Post Processing Query


      Hey Folks,

      (If this is Kris reading this, we met at Oracle Open World; I am only getting the chance now to research porting our application from mod_plsql.)


      I am porting a very large application from OHS/Mod_PLSQL to ORDS, I am not using web services or APEX, simple OWA toolkit, I have a very simple hello world APP up and running.


      In our mod_plsql application we have some nice security facilities in the [PlsqlRequestValidationFunction] parameter, I now need to find a home for this code in ORDS. Having read the documentation I see options for





      I also read on Kris Rice's blog the option to run some nice Javascript validation before the dB is hit, this is very nice (Kris' blog: APEX Listener 2.0 !)

      A number of questions

      First, on the Javascript, in the blog it is using SQL Developer. I am not using SQL Developer; where are the settings in the xml files for setting this Javascript validator?

      Can I have a JS validator and a dB validator i.e. I would offload some stuff to JS and leave the remainder in the dB.

      What are the parameters passed into the following procedures [requestValidationFunction] [procedure.preProcess]? In mod_plsql one parameter is passed into the function; where is it documented the parameters passed to these environment functions?

      In mod_plsql I am able to add additional CGI environment variables e.g. [PlsqlCGIEnvironmentList  X-CSRF], I can then use following in PLSQL owa_util.get_cgi_env('X-CSRF') to read the CSRF parameter, how can this be achieved with ORDS, remember I am not using APEX or Web Services.

        • 1. Re: Request Validation / Pre / Post Processing Query
          Kris Rice-Oracle



          Hope I don't miss anything.


          - For PlsqlCGIEnvironmentList, we are telling folks to use the native ability of the webserver for injecting headers. So, in tomcat/wls/.. you can add directives to put in those headers, then the same owa_util call will work.


          - There's both pre and post for OWA based things. These are both raw calls with no args but the OWA env will be all set up for grabbing from headers or whatever.

          here with a


          <entry key="procedure.preProcess">my plsql call </entry>

          <entry key="procedure.postProcess">my plsql call </entry>


          - the possible variables for validation are listed here: Kris' blog: APEX Listener 2.0 !


          - The validation just goes into the defaults.xml file something like this:


          <entry key="security.validationFunctionType">plsql</entry>

          <entry key="security.validationFunction">
          function isValid(){
              // no more ie6
              if ( USER_AGENT.indexOf("MSIE 6") > 0 ) {
                  return "false";
              }

              // a procedure in the klrice schema named HI has been performing poorly so shut it off
              if ( SCRIPT_NAME == 'klrice.hi' ) {
                  return "FALSE";
              }

              return "true";
          }
          </entry>



          1 person found this helpful
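A deny-by-default variant of the isValid() validator in the reply above, as an added example that is not part of the original reply or of Oracle's code. It assumes the script sees USER_AGENT and SCRIPT_NAME as globals, as the reply's snippet does; the ALLOWED_PROCEDURES entries, normalizeProcedure() and the check() harness are hypothetical.

```javascript
// Added example: allowlist (deny-by-default) request validator.
// Assumption: request values are exposed to the script as globals; only
// USER_AGENT and SCRIPT_NAME (used in the reply's snippet) are relied on.

// Hypothetical allowlist of schema-qualified procedures that may be called.
var ALLOWED_PROCEDURES = ["myuser.home", "myuser.show_order", "myuser.search"];

// Trim and lower-case, then require the strict shape schema.procedure
// (or schema.package.procedure); anything else normalizes to null.
function normalizeProcedure(name) {
  if (typeof name !== "string") return null;
  var n = name.trim().toLowerCase();
  return /^[a-z][a-z0-9_$#]*(\.[a-z][a-z0-9_$#]*){1,2}$/.test(n) ? n : null;
}

// Same contract as the reply's snippet: return the string "true" or "false".
function isValid() {
  var raw = typeof SCRIPT_NAME === "undefined" ? null : SCRIPT_NAME;
  var proc = normalizeProcedure(raw);
  if (proc === null) return "false";                            // malformed or missing name
  if (ALLOWED_PROCEDURES.indexOf(proc) === -1) return "false";  // not on the allowlist
  var ua = typeof USER_AGENT === "undefined" ? "" : String(USER_AGENT);
  if (ua.indexOf("MSIE 6") >= 0) return "false";                // browser rule from the reply
  return "true";
}

// Local harness with constructed values: sets the globals the validator
// reads, then runs it. Only the code above it would go into defaults.xml.
function check(scriptName, userAgent) {
  globalThis.SCRIPT_NAME = scriptName;
  globalThis.USER_AGENT = userAgent;
  return isValid();
}
```

Unlike the blocklist in the reply, a procedure that is not listed (including klrice.hi) is rejected without needing its own rule.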
          • 2. Re: Request Validation / Pre / Post Processing Query

            Ok thanks Kris,


            Pre and Post procedures - I am good on this answer.

            Environment Variables and Web Servers - I am also good on this answer.

            Parameters for the JS validator also good from reading your blog.


            For a Javascript Function Type - is this Correct, this entry is PLSQL ?

            <entry key="security.validationFunctionType">plsql</entry>

            The parameters for the PLSQL Validation function, I have seen this syntax, as such I was wondering where or how I can use :URL, :PROCNAME and where this is documented or, if not, what is the list of params I can use here? If you recall, mod_PLSQL simply passed the ScriptName, if I recall correctly, and then had to use OWA... for other environment variables.

            <entry key="security.requestValidationFunction">myuser.authorize(url=>:URL, procname=>:PROCNAME)</entry>

            • 3. Re: Request Validation / Pre / Post Processing Query

              having the PLSQL function as follows - does not execute on each URL GET Request

              <entry key="security.requestValidationFunction">security</entry>


              while, if I pass it a value as follows, it does execute on each GET Request


              <entry key="security.requestValidationFunction">security(p=>:URL)</entry>


              I wanted to know the list of bind variables; I found :URL in another discussion.

              • 4. Re: Request Validation / Pre / Post Processing Query

                Just a couple of tips on security.requestValidationFunction.  First, be sure to specify the owner of the function or the APEX default function will execute.   Second, put in your argument list.   Third, put in the validation function type.   Example in defaults.xml:


                <entry key="security.validationFunctionType">plsql</entry>

                <entry key="security.requestValidationFunction">my_owner.my_verify_access(inurl=>:URL)</entry>

                • 5. Re: Request Validation / Pre / Post Processing Query
                  Kris Rice-Oracle

                  The possible bind names are the same as the javascript ones.

                  >> General: :URL, :PROCNAME

                  >> Apex specific ones: :P_FLOW_ID, :P_FLOW_STEP_ID, :P_INSTANCE, :P_PAGE_SUBMISSION_ID, :P_REQUEST

                  1 person found this helpful