Securely serve static files

partlycloudy, May 11 2018 — edited Jul 5 2018

APEX 5.1.4

I have thousands of PDF files that I would like to securely stream via an APEX report to authorized users. In a web application architecture like .NET, PHP, Python, etc., this would be done by simply making the files available on the web server; the application logic could check for authorization and serve up the file using an application link, e.g. download?file=1234. In APEX, the best we can do is secure the link with a checksum using apex_util.prepare_url, but the file itself has to be stored in an Oracle BLOB column; otherwise there is nothing to prevent a malicious user from changing the URL they see in the browser and retrieving another file.

APEX architecture is such that the web server (Tomcat/ORDS) is simply used to transfer the HTTP request/response between the browser and the Oracle database. Static files like JS, CSS & images are served via the /i/ path, but those are publicly accessible; there is no way to restrict access based on application logic like in this example. In other words, sys.wpg_docload.download_file can only be used to stream files that are stored in a BLOB column.

This seems to be one of the (few) shortcomings of the APEX architecture where all page content is generated inside the database so there is no way to securely serve up a static file that is accessible to the web server but not to the Oracle/APEX rendering engine.

Am I missing something? Any ideas?

Thanks
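
The authorization-checked download the post describes, for the BLOB-column case, written as an added example that is not part of the original post. The tables doc_files and doc_access, their columns, and the procedure name download_doc are hypothetical; the procedure is assumed to be called from an APEX page or application process with the file id taken from a page item.

```plsql
-- Added example: doc_files, doc_access and download_doc are hypothetical names.
create or replace procedure download_doc (p_file_id in number) as
    l_blob  blob;
    l_name  varchar2(255);
    l_mime  varchar2(255);
begin
    -- Authorization lives in the query: a row comes back only when the
    -- current APEX user has a grant on this file id, so changing the id
    -- in the URL returns nothing instead of someone else's file.
    select f.content, f.file_name, f.mime_type
      into l_blob, l_name, l_mime
      from doc_files f
     where f.file_id = p_file_id
       and exists (select 1
                     from doc_access a
                    where a.file_id  = f.file_id
                      and a.username = v('APP_USER'));

    sys.htp.init;
    sys.owa_util.mime_header(nvl(l_mime, 'application/octet-stream'), false);
    sys.htp.p('Content-Length: ' || sys.dbms_lob.getlength(l_blob));
    -- Strip quotes and control characters so a stored file name cannot
    -- break out of the header value.
    sys.htp.p('Content-Disposition: attachment; filename="'
              || regexp_replace(l_name, '[[:cntrl:]"]', '') || '"');
    sys.htp.p('Cache-Control: no-store');
    sys.owa_util.http_header_close;

    -- Stream the BLOB to the browser, then stop further page rendering.
    sys.wpg_docload.download_file(l_blob);
    apex_application.stop_apex_engine;
exception
    when no_data_found then
        -- Same error for "no such file" and "not authorized", so the
        -- response does not reveal which ids exist.
        raise_application_error(-20001, 'File not available.');
end download_doc;
/
```

Because the access check runs on every request, the checksum from apex_util.prepare_url becomes a second layer rather than the only control on the link.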

Locked on Jun 11 2018
Added on May 11 2018