
10th Anniversary 1999 - 2009: Many-to-One: Managing Multiple APEX Applications. Scott Spendolini, Sumner Technologies.


1 10th Anniversary 1999 - 2009. Many-to-One: Managing Multiple APEX Applications. Scott Spendolini, Sumner Technologies

2 General Announcements
- Please turn off all cell phones/pagers
- If you must leave the session early, please do so as discreetly as possible
- Please avoid side conversations during the session
- Thank you for your cooperation!

3 About Me
- Scott Spendolini
- Ex-Oracle employee of 10 years
- Senior Product Manager for Oracle APEX from 2002 through 2005
- Founded Sumner Technologies in October 2005
- Oracle ACE Director
- Co-author, Pro Oracle Application Express
- Scott on OTN Forums

4 Agenda
- Overview
- APEX Components
- Database Objects
- The Framework
- Demonstration
- Summary

5 Overview

6 Has This Happened to You?
- You've adopted APEX in your organization, based on a pilot project of an application or two
- It becomes successful. Wildly successful.
- APEX applications are popping up all over the place, leaving useless spreadsheets and desktop databases in their wake
- Others start to develop with APEX and start to release their own applications
- All of a sudden, your Access & Excel mess has simply moved from the client to the server

7 Common Early APEX Adoption Issues
- Multiple user accounts for the same person: some use APEX credentials, some use LDAP, others may use something else
- No single point of account management: because of the scattered nature of user accounts, it is difficult, if not impossible, to manage all accounts for a single user
- No centralized role management: impossible to tell which privileges a user has, and each application deals with role management in its own way

8 The Solution
- Develop and implement a centralized Framework which manages Application Definitions, Roles, Users and User to Role Mappings
- Other components: Themes/Templates, Common Regions, Navigation Bar Entries

9 Framework Components
The Framework should provide:
- Single Sign On
- A single point of user & role management
- Extensibility, yet simplicity
- Use of APEX components as much as possible
- Easy integration with both new development and existing applications

10 Framework Components
- The Framework can also incorporate a number of other components useful for building multiple APEX applications: Themes/Templates, associated images & cascading style sheets, Navigation Bar Entries, Lists of Values, Shortcuts

11 Less is More
- Most importantly, the framework should also be easy for developers to use and extend, as well as transparent to your users

12 APEX Components

13 APEX Components
- Most of what is required can be achieved with APEX components
- Very little custom code, and what there is, is almost 100% PL/SQL
- Important to understand how the APEX components work before trying to grasp the solution as a whole

14 APEX Components
- Shared Components: Authentication Schemes, Authorization Schemes, Navigation Bar Entries, Templates & Themes
- Page Zero
- APEX View: APEX_APPLICATIONS
- Application Items & the APEX_UTIL API: APEX_UTIL.FETCH_APP_ITEM

15 Shared Components

16 Shared Components
- APEX components that can be shared within a single application and, in some cases, within multiple applications in a single workspace via Subscriptions
- A little known, less publicized, underrated feature of APEX
- Subscriptions are the cornerstone of the Framework

17 Subscriptions
- Feature of APEX that allows you to link shared components from one application to another within a workspace
- When changes are made to the parent component, they can be pushed (published) from the parent or pulled (refreshed) by the child component
- Allows changes to Shared Components to be centralized and easily synchronized among multiple applications

18 Subscriptions
- Subscriptions work only within a single APEX Workspace
- Application IDs must be preserved when moving the framework from one instance of APEX to another; otherwise all subscription links will be broken, although the applications will still work

19 Subscribe-able Shared Components

20 Authentication Schemes
- APEX mechanism used to authenticate a user
- APEX contains a number of built-in schemes: LDAP, Oracle Single Sign On, APEX Credentials, Database, Open Door, Custom, None

21 Authentication Schemes
- The Framework uses a Custom Authentication Scheme that stores usernames and hashed passwords in an Oracle table
- Easiest to demonstrate; does not require an additional server
- APEX authentication is typically a one-time event: APEX doesn't care HOW you authenticate, just that you DO authenticate
- Thus, it would be trivial to change the Authentication Scheme to LDAP, for instance, a more robust approach for enterprise user management

22 Authorization Schemes
- What do you have access to?
- Can be associated with almost every APEX component: Application, Page, Region, Item, Report Column
- When the scheme evaluates to TRUE, the component renders or the process executes

23 Authorization Scheme Types
- Several different types: Exists/Not Exists SQL Query, Item is NULL/NOT NULL, Item Comparison, PL/SQL Function
- Evaluation Point: Per Page View vs. Per Session
- Per Session caches the result for the life of the session, so a role granted or revoked while the user is logged in is not seen until the next login; Per Page View picks it up on the next request, at the cost of running the check on every page

24 Navigation Bar Entries
- Links that appear on almost every page
- Typically used for common navigation controls: Home, My Account, Login/Logout
- Can link to either a Page or a URL

25 Themes & Templates
- Themes are collections of Templates; Templates make up the UI of an application
- APEX ships with 20 pre-built Themes; you can use one of them or make your own
- Less is More: recommend deleting 2/3 of the provided templates from any theme. This enforces consistency among your developers, so your applications look similar regardless of who developed them

26 Importance of Good Design
- Good design helps to convey credibility: if you spent time on the design, then surely you also spent time on making the application work well
- Poor design leaves users wondering what other corners were cut: if the design is bad, the application must be worse!
- Perception is reality, more often than not
- Phishing sites strive to look like the sites they are mimicking

27 Page Zero
- Page Zero is a special page
- Only contains Page Rendering UI components (Regions, Buttons & Items); does not include Computations or Processes
- Items on Page Zero display on ALL pages of the application unless conditionally restricted to do otherwise

28 Page Zero
- Common uses: Breadcrumb Regions, Lists, Common Regions/Reports, JavaScript Libraries

29 Page Zero

30 APEX Views
- Set of pre-created views which provide access to the APEX metadata
- Utilities > APEX Views lists all views and describes their columns; they can also be accessed via SQL Developer
- Views can be incorporated into your own applications: reuse APEX metadata to supplement your application's data
- Use them to render a list of Applications and their properties rather than maintaining your own parallel list

31 APEX_UTIL API
- Application Items cannot technically be subscribed to from other applications
- However, you can determine the value of any Application Item in any application in the same workspace by using the API APEX_UTIL.FETCH_APP_ITEM
- Not well documented, but definitely supported
  APEX_UTIL.FETCH_APP_ITEM(
    p_item    IN VARCHAR2,
    p_app     IN NUMBER DEFAULT NULL,
    p_session IN NUMBER DEFAULT NULL)
  RETURN VARCHAR2;

32 Database Objects

33 Database Objects
- Application Definitions, Users, Roles and Role Assignments are all managed in a set of tables
- Could use LDAP to do the same and retrofit it into the framework relatively easily
- Schema objects consist of: 1 Context, 4 Tables, 8 Triggers, 2 Views, 1 Package (4 Functions & 2 Procedures)

35 ST_APPLICATIONS
- Stores metadata about each application that is a part of the framework
- Most data about an application will be derived from the APEX_APPLICATIONS view
ST_APPLICATIONS
  APPLICATION_ID  NOT NULL NUMBER
  ACTIVE_FLAG     NOT NULL VARCHAR2(1)
  DESCRIPTION              VARCHAR2(4000)
  CREATED_BY               NUMBER
  CREATED_ON               DATE
  UPDATED_BY               NUMBER
  UPDATED_ON               DATE

36 ST_USERS
- Stores user information, such as USER_ID, USER_NAME and hashed PASSWORD
- Triggers automatically hash the password and store the hash, not the actual password
- Note that the table as shown has no salt column: with an unsalted hash, anyone who obtains the table can test one precomputed list of hashes against every user at once, so a random per-user salt and an iterated (slow) hash are worth adding before the framework goes beyond a demo
ST_USERS
  USER_ID     NOT NULL NUMBER
  USER_NAME   NOT NULL VARCHAR2(255)
  PASSWORD    NOT NULL VARCHAR2(255)
  EXPIRES_ON           DATE
  CREATED_BY           NUMBER
  CREATED_ON           DATE
  UPDATED_BY           NUMBER
  UPDATED_ON           DATE

37 ST_ROLES
- Stores the roles for a given application
- Roles are related via a parent-child relationship; not used in this demo, but could be activated
ST_ROLES
  ROLE_ID         NOT NULL NUMBER
  PARENT_ROLE_ID           NUMBER
  APPLICATION_ID  NOT NULL NUMBER
  ROLE_NAME       NOT NULL VARCHAR2(255)
  ROLE_KEY        NOT NULL VARCHAR2(255)
  DESCRIPTION              VARCHAR2(4000)
  CREATED_BY               NUMBER
  CREATED_ON               DATE
  UPDATED_BY               NUMBER
  UPDATED_ON               DATE

39 Packages
ST_FWK
  PROCEDURE logout
  PROCEDURE set_ctx
  FUNCTION  hash_pw
  FUNCTION  auth_user
  FUNCTION  app_gatekeeper
  FUNCTION  role_member

40 Views
- Two views that simplify interaction with the data model
- ST_ROLE_USERS_V: lists all active roles for the currently signed-on user
- ST_USER_APPLICATIONS_V: lists all active applications in which a user has at least one active role

41 Context
- st_fwk_ctx: context created to store the G_USER_ID parameter

42 The Framework

43 Framework Applications
- Four applications make up the core framework:
  - Shared Components Master (999): will never be run, but its shared components are used by all other applications
  - Starter Application (998): will never be run, but used to clone all additional applications
  - Launchpad (1000)
  - Framework Access Control (1001)
- Any number of child applications can easily be added to the Framework

44 Shared Components Master: Application 999

45 Shared Components Master - App 999
- Sole purpose is to store all Shared Components that will be subscribed to by all other applications
- There are no pages in this application, since no end user should ever need to (or be able to) log in to it
- Any and all changes/additions to the subscribed shared components should be done here and published/subscribed to each subscriber
- Most changes will be made to the templates

46 Shared Components Master Contents
- Authentication Scheme: ST Child Authentication
- Authorization Scheme: Application Gatekeeper
- Navigation Bar Entries: Home, Logout
- Themes/Templates: SumnerTheme

47 Authentication Scheme: ST Child Authentication
- Acts as a pointer to the Launchpad application; all authentication occurs only at the Launchpad
- Session Not Valid URL: f?p=LAUNCHPAD:101
- Cookie Name: ST
- Logout URL: f?p=&G_LAUNCHPAD_APP_ID.:102:&SESSION.
- The shared cookie name is what makes the single sign-on work: every application in the Framework uses the same session cookie, so a session established at the Launchpad is recognized by the child applications

48 Authorization Scheme: Application Gatekeeper
- Checks whether the current user has at least one active role for a specific application; if so, the user can access the application
- PL/SQL Function Returning BOOLEAN, evaluated for every page view
  RETURN st_fwk.app_gatekeeper(
    p_app_id   => :APP_ID,
    p_app_user => :APP_USER);

49 ST_FWK.APP_GATEKEEPER
FUNCTION app_gatekeeper (
  p_app_id   IN NUMBER,
  p_app_user IN VARCHAR2)
RETURN BOOLEAN
IS
  l_count NUMBER;
BEGIN
  -- ST_ROLE_USERS_V only returns rows for the signed-on user (it filters on
  -- the ST_FWK_CTX context), so only the application is filtered here;
  -- p_app_user is part of the signature the authorization scheme calls
  SELECT count(*)
    INTO l_count
    FROM st_role_users_v
   WHERE application_id = p_app_id;
  -- count(*) always returns a row, so no NO_DATA_FOUND handler is needed
  RETURN l_count > 0;
END app_gatekeeper;

50 Navigation Bar Entries
- Home: redirects to the home page of the Launchpad application. URL Target: f?p=ST:1:&APP_SESSION.
- Logout: logs out of the suite of applications. URL Target: &LOGOUT_URL., which is replaced with the value of the Logout URL from the current Authentication Scheme

51 Themes/Templates
- SumnerTheme: set of pre-built custom templates; could be a built-in APEX theme/templates as well
- Only a total of 26 templates are included in SumnerTheme, as compared to about for the APEX built-in themes
- Most templates in the built-in themes are not needed and can be safely and easily removed
- Additional templates can be added to this application and published/subscribed as needed

52 Starter Application: Application 998

53 Starter Application - App 998
- The Starter Application will have all of the Shared Component subscriptions established; thus, they are linked back to the Shared Components Master application
- This application will be the starting point for all NEW applications that will be a part of your suite
- No longer need to use Create Application; instead, start by copying this application

54 Shared Component Subscriptions
- Subscribe to the Authorization Scheme Application Gatekeeper and associate it at the Application level
- Subscribe to the Authentication Scheme ST Child Authentication, make it current, and delete all others
- Subscribe to the Navigation Bar Entries Home and Logout and delete all others

55 Shared Component Subscriptions
- Subscribe to each of the Templates in the theme SumnerTheme
- There is no easy way to do this; you must do each one individually
- Best approach: get a nice cup of coffee/tea; export the theme from the Shared Components Master; import it into the Starter Application; then edit each template in the Starter Application and subscribe it back to the corresponding one in the Shared Components Master

56 Components
- Page Zero: pre-created Page Zero for items residing on multiple pages
- My Applications Report: lists all applications a given user has access to
- Pre-created Breadcrumb for site navigation, placed on Page Zero; Page One also has an entry pre-created in the breadcrumb
- No Login Page: since all authentication will be done at the Launchpad, there is no need to preserve the login page in the Starter Application

57 Components
- Call to Set Security Context: used to set both G_USER_ID & G_LAUNCHPAD_APP_ID; called from the Security Attributes of the Application Properties

58 Additional Components
- Any additional non-subscribe-able shared components or Page Zero items that you want all of your applications to have should be set up here
- Take the time to think this through, as it's a lot easier to do it now than when you have 20 applications up and running

59 Launchpad: Application 1000

60 Launchpad Application - App 1000
The Launchpad will:
- Provide centralized authentication services for the suite of applications; any unauthenticated session will end up here
- All logins will occur on Page 101 of this application; all logouts will occur on Page 102
- Provide a home page that users will see should they have access to more than one application, or automatically redirect the user to a single application if that is all they have access to

61 Deep Linking
- The Launchpad application supports deep linking: linking to a specific APEX application & page, typically from a bookmark
- Done in the Login process on Page 101
- Uses the APEX items FSP_AFTER_LOGIN_PAGE and FSP_AFTER_LOGIN_URL, which are set automatically by the APEX engine
- The target comes from the request, so it is the Application Gatekeeper in the target application, not the Launchpad, that decides whether the user may actually land there

62 Login Process on Page 101
DECLARE
  l_count     NUMBER;
  l_flow_page VARCHAR2(4000);
BEGIN
  IF :FSP_AFTER_LOGIN_PAGE IS NULL THEN
    -- No deep link requested: land on the Launchpad home page
    l_flow_page := :APP_ID || ':1';
  ELSE
    -- Count the |s in FSP_AFTER_LOGIN_URL, which is f?p=app|page or
    -- f?p=app|page|session
    l_count := LENGTH(:FSP_AFTER_LOGIN_URL)
             - LENGTH(REPLACE(:FSP_AFTER_LOGIN_URL, '|'));
    IF l_count = 1 THEN
      -- Session ID is NOT included: drop the leading "f?p=" and use app:page
      l_flow_page := REPLACE(SUBSTR(:FSP_AFTER_LOGIN_URL, 5), '|', ':');
    ELSE
      -- Session ID is included: keep only what precedes the second |
      l_flow_page := REPLACE(
                       SUBSTR(SUBSTR(:FSP_AFTER_LOGIN_URL, 1,
                                     INSTR(:FSP_AFTER_LOGIN_URL, '|', 1, 2) - 1), 5),
                       '|', ':');
    END IF;
  END IF;
  -- Perform the login; on success APEX redirects to l_flow_page
  wwv_flow_custom_auth_std.login(
    p_uname      => :P101_USERNAME,
    p_password   => :P101_PASSWORD,
    p_session_id => v('APP_SESSION'),
    p_flow_page  => l_flow_page);
END;

63 Creating the Launchpad
- The Launchpad will be unique in that it will be the only application in the Framework that has a login page
- It will also have a different authentication scheme from all other applications in the framework
- Additional changes can be made to page 1, as this is the landing page for users who have access to more than one application

64 Application Alias
- Add the Application Alias LAUNCHPAD to Application 1000
- This way, we can refer to LAUNCHPAD and not rely on the Application ID always being 1000

65 What is G_USER_ID?
- Surrogate key for the USERS table
- Also an Application Item in the Launchpad
- Could have opted to use APP_USER, as that is typically a unique key; however, as people change their names, there would be more maintenance involved in preserving auditing records or role reports
- Thus, the surrogate key will never change, allowing for variance in APP_USER should it be desired

66 Setting G_USER_ID
- Set via the Application Attribute "VPD PL/SQL Call to Set Security Context"
- Not actually using VPD, but any code there is executed at the proper place to set the context for any purpose
  st_fwk.set_ctx (
    p_user_name   => :APP_USER,
    p_app_session => :APP_SESSION);

67 DBMS_SESSION.SET_CONTEXT
  dbms_session.set_context(
    namespace => 'ST_FWK_CTX',
    attribute => 'G_USER_ID',
    value     => l_user_id,
    username  => p_user_name,
    client_id => p_app_session);

68 G_USER_ID as a Context
- More efficient to use a Context in WHERE clauses: it is evaluated once for X rows, whereas v('G_USER_ID') is a PL/SQL function call evaluated once per row for X rows
- Usage: WHERE user_id = SYS_CONTEXT('ST_FWK_CTX', 'G_USER_ID')
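Added example, not code from the presentation: one way the context, st_fwk.set_ctx (slides 66-67) and ST_ROLE_USERS_V (slide 40) fit together so that the WHERE clause above, and the app_gatekeeper and role_member queries built on the view, only ever see the signed-on user's rows. The role-assignment table name ST_USER_ROLES and the ACTIVE_FLAG columns on it and on ST_ROLES are assumptions (the slide describing that table is missing from the transcript), as is the assumption that APEX has already set the database session's CLIENT_IDENTIFIER by the time the security-context call runs. Unlike slide 67, it keys the context value to that identifier rather than to the APEX user name and session ID, and refuses to set a value when no identifier is present. Only the two context routines of the package are shown.

```plsql
-- Added example, not the presentation's code. Assumed objects: ST_USER_ROLES
-- (USER_ID, ROLE_ID, ACTIVE_FLAG) and an ACTIVE_FLAG column on ST_ROLES.

-- ACCESSED GLOBALLY: APEX serves requests from pooled database sessions, so
-- the value must be keyed to the client identifier, not to the physical
-- session, or one user's G_USER_ID would leak into the next request that
-- happens to reuse the same connection.
CREATE CONTEXT st_fwk_ctx USING st_fwk ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE st_fwk AS
  PROCEDURE set_ctx (p_user_name IN VARCHAR2, p_app_session IN NUMBER);
  PROCEDURE clear_ctx;
END st_fwk;
/

CREATE OR REPLACE PACKAGE BODY st_fwk AS

  -- The identifier APEX set for this request (assumed to be set before the
  -- "VPD PL/SQL Call to Set Security Context" runs). A global context value
  -- is visible only to a session whose CLIENT_IDENTIFIER matches it.
  FUNCTION current_client_id RETURN VARCHAR2 IS
    l_id VARCHAR2(64);
  BEGIN
    l_id := SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER');
    IF l_id IS NULL THEN
      -- With no identifier the value would be visible to every session on
      -- the instance; refuse rather than publish a global G_USER_ID.
      RAISE_APPLICATION_ERROR(-20001, 'CLIENT_IDENTIFIER is not set');
    END IF;
    RETURN l_id;
  END current_client_id;

  PROCEDURE set_ctx (p_user_name IN VARCHAR2, p_app_session IN NUMBER) IS
    l_user_id st_users.user_id%TYPE;
  BEGIN
    SELECT user_id
      INTO l_user_id
      FROM st_users
     WHERE UPPER(user_name) = UPPER(p_user_name);

    dbms_session.set_context(
      namespace => 'ST_FWK_CTX',
      attribute => 'G_USER_ID',
      value     => TO_CHAR(l_user_id),
      client_id => current_client_id);
    dbms_session.set_context(
      namespace => 'ST_FWK_CTX',
      attribute => 'G_APP_SESSION',
      value     => TO_CHAR(p_app_session),
      client_id => current_client_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown APEX user: make sure no stale value from an earlier request
      -- on this connection survives
      clear_ctx;
  END set_ctx;

  -- Called from the Launchpad logout page instead of a bare clear_context
  PROCEDURE clear_ctx IS
  BEGIN
    dbms_session.clear_context(
      namespace => 'ST_FWK_CTX',
      client_id => current_client_id);
  END clear_ctx;

END st_fwk;
/

-- Only the signed-on user's active roles are visible through the view, so
-- app_gatekeeper and role_member need to filter only on application and
-- role key. A missing context value yields no rows, never all rows.
CREATE OR REPLACE VIEW st_role_users_v AS
SELECT ur.user_id,
       r.application_id,
       r.role_id,
       r.role_key,
       r.role_name
  FROM st_user_roles   ur
  JOIN st_roles        r ON r.role_id        = ur.role_id
  JOIN st_applications a ON a.application_id = r.application_id
  JOIN st_users        u ON u.user_id        = ur.user_id
 WHERE ur.active_flag = 'Y'
   AND r.active_flag  = 'Y'
   AND a.active_flag  = 'Y'
   AND (u.expires_on IS NULL OR u.expires_on > SYSDATE)
   AND ur.user_id = TO_NUMBER(SYS_CONTEXT('ST_FWK_CTX', 'G_USER_ID'));
```

The failure mode to keep in mind is the one current_client_id guards against: a globally accessed context set without a client_id is readable from every session on the instance, which on a pooled APEX connection means by every user, so raising is safer than falling through.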

69 G_LAUNCHPAD_APP_ID
- Also set with st_fwk.set_ctx
- Refers to the Launchpad Application ID
- Set as a variable to allow for a different ID to be used if 1000 is not available

70 Authentication Scheme
- The Launchpad will have its own Authentication Scheme: ST Parent Authentication
- Session Not Valid: Page 101
- Authentication Function: RETURN st_fwk.auth_user
- Cookie Name: ST
- Logout URL: wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=&G_LAUNCHPAD_APP_ID.:1

71 Custom Authentication Function
- Must have the following signature: p_username VARCHAR2, p_password VARCHAR2, and it must return a BOOLEAN
- Can be used for more than just a custom table that stores usernames & passwords: multiple LDAP servers, or multiple authentication mechanisms chosen by username

72-73 st_fwk.auth_user
FUNCTION auth_user (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2)
RETURN BOOLEAN
AS
  l_stored_password_hash st_users.password%TYPE;
  l_expires_on           st_users.expires_on%TYPE;
BEGIN
  -- One case-insensitive lookup, so the existence check and the fetch of
  -- the stored hash can never disagree about the user's name
  SELECT password, expires_on
    INTO l_stored_password_hash, l_expires_on
    FROM st_users
   WHERE UPPER(user_name) = UPPER(p_username);

  -- An expired account fails regardless of the password
  IF l_expires_on IS NOT NULL AND l_expires_on <= SYSDATE THEN
    RETURN FALSE;
  END IF;

  -- Hash the supplied password the same way the trigger did and compare
  RETURN hash_pw(p_password) = l_stored_password_hash;
EXCEPTION
  WHEN NO_DATA_FOUND OR TOO_MANY_ROWS THEN
    RETURN FALSE;   -- unknown (or ambiguous) username
END auth_user;
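The following is an added example, not the presentation's code (the slides never show hash_pw or the hashing triggers): a salted, iterated hash for the ST_USERS trigger described on slide 36, and the matching verification that auth_user above would perform once a salt is in place. It assumes Oracle 12c or later (DBMS_CRYPTO.HASH_SH256), EXECUTE on DBMS_CRYPTO granted to the framework schema, and a SALT RAW(16) column added to ST_USERS; none of these are on the slides, and the object names new_salt and verify_pw are this example's own.

```plsql
-- Added example, not the presentation's HASH_PW. Assumes Oracle 12c+ and a
-- SALT column on ST_USERS (neither is on the slides).
ALTER TABLE st_users ADD (salt RAW(16));

CREATE OR REPLACE FUNCTION new_salt RETURN RAW IS
BEGIN
  -- Cryptographically random, one per user, so equal passwords hash
  -- differently and a leaked table cannot be attacked with one precomputed
  -- list of hashes
  RETURN dbms_crypto.randombytes(16);
END new_salt;
/

CREATE OR REPLACE FUNCTION hash_pw (
  p_password IN VARCHAR2,
  p_salt     IN RAW)
RETURN VARCHAR2 IS
  c_iterations CONSTANT PLS_INTEGER := 10000;  -- raise as hardware allows
  l_digest     RAW(32);
BEGIN
  -- H(salt || password), then fold the salt back in c_iterations times so
  -- each guess costs the attacker as much as it costs the login page
  l_digest := dbms_crypto.hash(
                src => UTL_RAW.CONCAT(p_salt,
                         UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
                typ => dbms_crypto.hash_sh256);
  FOR i IN 1 .. c_iterations LOOP
    l_digest := dbms_crypto.hash(
                  src => UTL_RAW.CONCAT(p_salt, l_digest),
                  typ => dbms_crypto.hash_sh256);
  END LOOP;
  RETURN RAWTOHEX(l_digest);   -- 64 hex characters, fits PASSWORD VARCHAR2(255)
END hash_pw;
/

-- Fires only when PASSWORD is in the SET list; an update that writes the
-- stored hash back unchanged (as an APEX form does) leaves salt and hash
-- alone instead of hashing the hash
CREATE OR REPLACE TRIGGER st_users_hash_biu
  BEFORE INSERT OR UPDATE OF password ON st_users
  FOR EACH ROW
BEGIN
  IF INSERTING OR :NEW.password <> :OLD.password THEN
    :NEW.salt     := new_salt;
    :NEW.password := hash_pw(:NEW.password, :NEW.salt);
  END IF;
END;
/

-- What auth_user becomes once the salt exists
CREATE OR REPLACE FUNCTION verify_pw (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2)
RETURN BOOLEAN IS
  l_salt       st_users.salt%TYPE;
  l_stored     st_users.password%TYPE;
  l_expires_on st_users.expires_on%TYPE;
  l_dummy      VARCHAR2(64);
BEGIN
  SELECT salt, password, expires_on
    INTO l_salt, l_stored, l_expires_on
    FROM st_users
   WHERE UPPER(user_name) = UPPER(p_username);

  IF l_expires_on IS NOT NULL AND l_expires_on <= SYSDATE THEN
    RETURN FALSE;                        -- expired account
  END IF;
  RETURN hash_pw(p_password, l_salt) = l_stored;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- Hash anyway, so an unknown username costs the same time as a wrong
    -- password and the two cannot be told apart by timing the login page
    l_dummy := hash_pw(p_password, HEXTORAW('00000000000000000000000000000000'));
    RETURN FALSE;
END verify_pw;
/
```

Existing rows keep working only after their passwords are reset through the trigger; the old unsalted hashes cannot be converted in place.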

74 Authorization Scheme
- The Launchpad application has no authorization scheme associated with it
- Users with no roles will simply get a message stating so and will not be able to log in to any other application

75 Branches
- Create a Before Header Branch on Page 1 that checks how many applications a user has access to
- Will branch directly to that application if the user only has access to a single application
- Otherwise, it will stay on Page 1 and display the Welcome page, allowing the user to choose which application to run
- Possible enhancements: remove this and always end up on Page 1; or allow the user to choose and save a Default Application to branch to

76 Logout Page
- Page 102 is the Framework Logout Page: it clears the context and logs the user out of the Framework
- More actions can occur here, if desired
  -- Unset the context
  dbms_session.clear_context(
    namespace => 'ST_FWK_CTX',
    client_id => v('APP_SESSION'));
  -- Process the logout
  wwv_flow_custom_auth_std.logout(
    p_this_flow           => v('G_LAUNCHPAD_APP_ID'),
    p_next_flow_page_sess => v('G_LAUNCHPAD_APP_ID') || ':1');

77-79 Framework Flow (diagram, built up over three slides): the user authenticates at App 1000 Page 101, lands on App 1000 Page 1, and from there moves to the pages of the child applications

80 Framework Access Control: Application 1001

81 Access Control Application - App 1001
- Access to Framework applications is managed by an APEX application, mostly made up of out-of-the-box APEX components
- Born from cloning the Starter Application; subscriptions and Authentication/Authorization schemes are still intact
- Access to the Access Control application is itself managed via the Access Control application; thus, you will need to seed the first application, user, role & role mapping with SQL*Plus

82 Access Control - Overview
- 8 Pages, one of which is Page Zero
- 4 Reports: Applications, Roles, Users, User Roles
- 4 Forms: Applications, Roles, Users, User Roles

83 Additional Applications

84 Additional Applications
- As new applications are needed, the Starter Application is cloned and used as a starting point; all subscriptions to the Shared Components Master are preserved this way
- Development can then begin on the cloned application as normal
- Caution: if a developer removes or alters the Framework Authentication or Authorization Schemes, things will likely stop working. Worse, the Application Gatekeeper is the only thing keeping users without a role out of an application, so removing it does not break the application, it silently opens it to every user with a valid Framework session

85 Retro-fitting an Existing Application
- Retro-fitting existing applications is just as simple
- Subscribe to the ST Child Authentication Scheme and make it current
- Subscribe to the Application Gatekeeper Authorization Scheme and associate it at the application level
- Subscribe to the Home & Logout Navigation Bar Entries
- Configure the application via the Framework Access Control application: add the Application & Roles, then assign Users to Roles

86 Mapping Existing Authorization Schemes
- Existing Authorization Schemes can be mapped to Roles in the Framework
- Use the Member of Role: Demo example Authorization Scheme as a model (PL/SQL Function Returning Boolean)
- Passing in a Role Key returns TRUE if the currently signed-on user is a member of the associated role defined in the Framework; otherwise it returns FALSE
  RETURN st_fwk.role_member(
    p_role_key => 'DEMO')

87 ST_FWK.ROLE_MEMBER
FUNCTION role_member (
  p_role_key IN VARCHAR2,
  p_app_id   IN NUMBER DEFAULT nv('APP_ID'))
RETURN BOOLEAN
IS
  l_count NUMBER;
BEGIN
  -- ST_ROLE_USERS_V is already restricted to the signed-on user
  SELECT count(*)
    INTO l_count
    FROM st_role_users_v
   WHERE role_key       = p_role_key
     AND application_id = p_app_id;
  RETURN l_count > 0;
END role_member;

88 Demonstration

89 Demonstration
- Overview of the Access Control application
- Creating a new application and integrating it into the Framework
- Changing a template and pushing the change to all applications
- Integrating the APEX Sample Application: Authentication Scheme, Authorization Schemes, Navigation Bar Entry

90 Practical Framework Applications
- Manage multiple applications
- Module-based application: release and manage (and charge for) components individually
- Multiple code lines for multiple developers
- Easier to release a subset of functionality (APEX itself does this)
- White-listed subset of functionality: it is easier to secure a small application entirely than a small portion of a large application

91 Summary

92 Summary
- Consider implementing some sort of centralized framework in your APEX environment, sooner rather than later
- It will pay for itself by means of: centralized user & role management, better auditing capabilities, and the flexibility to adapt to both new and existing APEX investments

93 Download Files

94 Copyright © 2009 Sumner Technologies - All Rights Reserved
