I would like to secure individual components (mostly page items) through use of an authorization scheme. In order for this to work, I would need the authorization scheme to know which component it's being asked to evaluate at runtime. The scheme will return something like the following:
    begin
      return auth_util.has_component_access(
        p_login          => :APP_USER,
        p_application_id => :APP_ID,
        p_page_id        => :APP_PAGE_ID,
        -- TODO, specify the component being evaluated to lookup authorization
        p_component_type => null,
        p_component_id   => null);
    end;
This has_component_access stored procedure will do the appropriate lookup in my tables to determine if the logged-in user should have access (or not) to the component. I've looked through the docs, and unless I've overlooked something, this will not be possible.
In testing, I had APEX_DEBUG log all the documented built-in substitution variables, as well as quite a few undocumented ones (via the WWV_FLOWS spec source). The only attributes of interest are the APP_REGION_ID/APP_REGION_STATIC_ID variables and the result of apex_application.get_component (undocumented / internal). The latter gives ID,NAME,TYPE for the authorization scheme itself, not the component further up the stack. Darn!
One interesting result from APEX_DEBUG is that I can see the desired data just a couple messages prior (querying APEX_DEBUG_MESSAGES):

Here we see logging for the evaluation of the page, including a record for the page item, and a sub-record for the item's authorization scheme, followed by the scheme's PL/SQL. Obviously, this data will only exist if debug is enabled - so attempting to look it up from the current session (query APEX_DEBUG_MESSAGES from within the authorization scheme) is not viable outside of a proof of concept.
My current workaround is to define the authorization as a server-side condition, and hardcode the item name into the lookup function.
I'd like to hear if anyone has ideas about how to get the page item, or if there's another approach to fine-grained authorization schemes that I'm unaware of. Currently running APEX 24.1.7, Oracle 19c.
Thanks!
-Kris
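
The workaround described in the post (authorization as a server-side condition with the item name hardcoded), as an added example that is not part of the original post. The component_grants table, the parameter types, the 'ITEM' type value and the item name P10_SALARY are assumptions; the lookup denies access whenever the component is not identified, which is what the scheme in the post would pass today.

```sql
-- Hypothetical grants table (name and columns are assumptions for this example).
create table component_grants (
  login          varchar2(255) not null,
  application_id number        not null,
  page_id        number        not null,
  component_type varchar2(30)  not null,
  component_id   varchar2(255) not null,
  constraint component_grants_pk primary key
    (login, application_id, page_id, component_type, component_id));

-- Signature follows the call shown in the post; parameter types are assumed.
create or replace package auth_util as
  function has_component_access(
    p_login in varchar2, p_application_id in number, p_page_id in number,
    p_component_type in varchar2, p_component_id in varchar2) return boolean;
end auth_util;
/
create or replace package body auth_util as
  function has_component_access(
    p_login in varchar2, p_application_id in number, p_page_id in number,
    p_component_type in varchar2, p_component_id in varchar2) return boolean
  is
    l_found pls_integer;
  begin
    -- Fail closed: a caller that cannot name the component gets no access.
    if p_component_type is null or p_component_id is null then
      return false;
    end if;
    -- Access requires an explicit grant row; absence of a row means deny.
    select count(*) into l_found
      from component_grants
     where login          = p_login
       and application_id = p_application_id
       and page_id        = p_page_id
       and component_type = p_component_type
       and component_id   = p_component_id
       and rownum = 1;
    return l_found = 1;
  end has_component_access;
end auth_util;
/
/* Body of the server-side condition on the (hypothetical) item P10_SALARY,
   entered in APEX as a function body returning a boolean:

   return auth_util.has_component_access(
     p_login => :APP_USER, p_application_id => :APP_ID, p_page_id => :APP_PAGE_ID,
     p_component_type => 'ITEM', p_component_id => 'P10_SALARY');
*/
```

Because the item name lives in each condition, renaming or copying an item silently changes which grant row is checked; the deny-by-default lookup keeps that failure mode on the safe side.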