Skip Headers

Oracle® HTML DB User's Guide
Release 1.5

Part Number B10992-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Feedback

Go to previous page
Previous
Go to next page
Next
View PDF

10 Managing an Application

This section provides information about Application Builder utilities, how to export and import an application, and how to manage application security.

This section contains the following topics:

Accessing Application Builder Utilities

Application Builder includes a number of utilities to help you manage your application. You can access these utilities from the Application Builder Utilities tab.

To access Application Builder utilities:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Utilities tab.

    The Application Builder Utilities page appears displaying the following utilities:

    • Translate Application

    • Manage CSS and Image Files

    • Export/Import

    • View Export Repository

Viewing Application Summary and Utilization Reports

The bottom of the Application Builder Utilities page displays the following two lists:

  • Application Summary Reports

  • Utilization Reports

To view a specific report:

  1. Click the appropriate list to expand it.

  2. Select a report title.

  3. Follow the on-screen instructions.

Be aware that you can also access application reports by making selections in the Application Navigation Pane.

Exporting and Importing Applications

To move an application from one instance of Oracle HTML DB to another, you must export the application definition to a file. Exporting your application definition is the first step toward deploying it outside of your development environment.

You export and import application definitions and all associated files using the following utilities:

Topics in this section include:

How Exporting an Application Works

Whether you are moving an application to another workspace or just making a copy of it, the export process involves the following steps:

  • Export the application and all related files using Export.

  • Import the exported files into the target Oracle HTML DB instance. Note that if the target instance is a different database, you also need to export and import any required database objects.

  • Install the exported files from View Export Repository

You can import an application into your workspace regardless of the workspace in which it was developed.

About Managing Database Objects

Before you export an application and the appropriate related files, you need to determine if you also need to migrate the database objects referenced by the application.

If the target Oracle HTML DB instance is different from the development environment, you will need to migrate the database objects referenced by the application. In many cases this process can be as simple as using Oracle database export and import utilities to copy the application schema from the development environment to target Oracle HTML DB instance. The following are two common scenarios where this approach would not work:

  • When the object development schema refers to tablespaces to which the target instance schema does not have access

  • When the development instance schema has sample data that you do not to want migrate to the target instance schema

If a database administrator or an Oracle HTML DB administrator is the person responsible for exporting Oracle HTML DB applications, be sure to clearly communicate if he or she:

  • Should include all data when exporting your application

  • Should not include data from specific tables you identify

Exporting an Application and Related Files

Use Export to export an application and all related files. When you export a application, Oracle HTML DB generates a text file containing PL/SQL calls.

To export an application:

  1. Click the Build icon and select the Utilities tab.

    The Application Builder Utilities page appears.

  2. Click Export Import.

  3. When prompted to select a task, select Export and click Next.

    Export appears. To view a list of existing applications, expand the Existing Applications list at the bottom of the page.

  4. From the Application list, select an application.

  5. From File Format, select how rows in the export file will be formatted by choosing one of the following:

    • UNIX. Results in a file containing rows delimited by line feeds.

    • DOS. Results in a file containing rows delimited by carriage returns and line feeds.

  6. From Owner Override, select an optional overriding owner for this application.

    Entries made here replace the Owner attribute when the application is imported into the target instance. As discussed in "About Application Definition", the Owner attribute indicates the schema against which all of the application's SQL and PL/SQL will be parsed. This feature is useful when the development version of an application runs against a differently named schema then the one in the target instance.

  7. From Build Status Override, select one of the following:

    • Run Application Only

    • Run and Build Application

    Only select Run Application Only if you wish to run the application in the target instance but make it inaccessible to developers.

  8. Use As of to export your application as it was previously defined. Specify the number of minutes in the field provided.

    This utility uses the DBMS_FLASHBACK package. Because the timestamp to System Change Number (SCN) mapping is refreshed approximately every five minutes, you may have to wait that amount of time to locate the version you are looking for. The time undo information is retained and influenced by the startup parameter UNDO_RETENTION (the default is three hours). However, this only influences the size of the undo tablespace. While two databases may have the same UNDO_RETENTION parameter, you will be able to go back further in time on a database with fewer transactions since it is not filling the undo tablespace, forcing older data to be archived.

  9. Click Export Application.

Exporting Related Application Files

In addition to exporting the actual application file, you also use Export to export other related files such cascading style sheets, images, and script files.

To export related application files:

  1. Click the Build icon and then select the Utilities tab.

    The Application Builder Utilities page appears.

  2. Click Export Import.

  3. When prompted to select a task, select Export and click Next.

  4. To export cascading style sheets, images, files, and script files, select one of the following tabs.

    • CSS

    • Images

    • Files

    • Script Files

    Note that when you choose to export cascading style sheets, images, files, or script files, this utility exports all files of the selected type in the workspace. Be aware that exporting workspace images only exports those images in your repository that are not associated with a specific application. If all of your images are associated with specific applications then the workspace image export file will be empty.

  5. Follow the on-screen instructions


See Also:

"Exporting and Importing Applications" for more information on using the Export Workspace tab

Importing Exported Application Files

Once you export an application and any related files, you need to import them into the target Oracle HTML DB instance before you can install them.

To import an application and related files:

  1. Click the Build icon and then select the Utilities tab.

    The Application Builder Utilities page appears.

  2. Click Export Import.

  3. When prompted to select a task, select Import and click Next.

  4. In Import file, specify the file you are importing.

  5. From File Type, select the type of file you are importing and click Next.

    Once you have imported a file, you have the option to install it. You can also install it later from the View Export Repository.

Installing Files from the View Export Repository

Once you have imported files into the target Oracle HTML DB instance, you must install them before they become active in Application Builder.

To install files stored in the View Export Repository:

  1. Click the Build icon and then select the Utilities tab.

    The Application Builder Utilities page appears.

  2. Click View Export Repository.

  3. To install a file, select it and click Install adjacent to the file you wish to install.

In addition to installing files, you can also use this page to:

  • Import an application and related files into the View Export Repository, by clicking Import File.

  • Delete an export file by selecting it and clicking Delete File.

To import an application and related files into the View Export Repository:

  1. Click the Build icon and then select the Utilities tab.

    The Application Builder Utilities page appears.

  2. Click Import File.

  3. Follow the on-screen instructions.

    Once you have imported your application and the related files into the View Export Repository, you have the option of installing it.

  4. To install your application, click Install.

    The Install Application page appears.

  5. From Parse as Schema, select a schema. This is the schema against which all of the application's SQL and PL/SQL will be parsed

  6. From Build Status, select one of the following:

    • Run Application Only

    • Run and Build Application

    Only select Run Application Only if you wish to run the application in the target instance but make it inaccessible to developers.

  7. From Install As Application, select one of the following:

    • Reuse Application ID from Export File

    • Auto Assign New Application ID

    • Change Application ID

    Use these options to avoid application ID conflicts. These options come in handy when you need to have two versions of the same application in the same workspace. For example, if you are migrating an application to a production instance but still need to maintain development version.

Uploading CSS, Images, and Static Files

You can upload cascading style sheets, images, and static files to your workspace using the CSS Repository, Image Repository, and Static File Repository.

To upload cascading style sheets, images, and static files to your workspace:

  1. Click the Build icon and then select the Utilities tab.

  2. Click Manage CSS and Image Files.

    The CSS Repository appears.

  3. Select the appropriate tab:

    • Cascading Style Sheets (CSS)

    • Images

    • Static Files

  4. Click Create.

  5. Follow the on-screen instructions.

Understanding Security

You can provide security for your application through authentication and authorization. Authentication is the process of establishing users' identities before they can access an application. Authorization controls user access to specific components based on predefined user privileges. You create and manage both authentication and authorization on the Security Home page.

To access the Security Home page:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Security tab.

  4. When the Security Home page appears, select either Authentication or Authorization.

Using the Security Navigation Pane

The Security Navigation pane displays on the left side of the Security Home page and offers quick access to a number a security functions.

To access the Security Navigation pane:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Security tab.

    The Security Navigation pane displays on the left side of the page.

  4. Click Navigate to expand the list.

Establishing User Identity Through Authentication

Authentication is the process of establishing each user's identify before they can access your application. Authentication may require a user identify a username and password or could involve the use of digital certificates or a secure key.

When you create an authentication scheme, you have the option of choosing from a number of preconfigured authentication schemes, copying an authentication scheme from an existing application, or creating your own custom authentication scheme.

Topics in this section include:

Understanding How Authentication Works

You determine how your application interacts with users. If all users have the same rights and privileges they are referred to as public users. However, if your application needs to track each user individually, you need to specify an authentication method.

Authentication establishes the identity of each user who accesses your application. Many authentication processes require a user provide some type of credentials such as a username and password. These credentials are then evaluated and they either pass or fail. If the credentials pass, the user has access to the application. Otherwise, access is denied.

Once a user has been identified, the HTML DB engine keeps track of each user by setting the value of a built-in substitution string. As a user navigates from page to page, the HTML DB engine sets the value of APP_USER to identify who they are. The HTML DB engine uses APP_USER as one component of a key for tracking each user's session state.

From a programming perspective, you can access APP_USER using the following syntax:

  • From PL/SQL:

    v('APP_USER')
    
    
  • As a bind variable from either PL/SQL or SQL:

    :APP_USER
    
    

You can use APP_USER to perform your own security checks and conditional processing. For example, suppose you created the following table:

CREATE TABLE my_security_table (
  user_id   VARCHAR2(30),
  privilege VARCHAR2(30));

Once created, you could populate this table with user privilege information and then use it to control the display of application pages, tabs, navigation bars, buttons, regions, or any other application component.

Creating an Authentication Scheme

As you create your application, you need to determine whether to include authentication. You can:

  • Choose to not require authentication.

    Oracle HTML DB does not check any user credentials. All pages of your application are accessible to all users.

  • Select a built-in authentication scheme.

    Create an authentication method based on available preconfigured authentication schemes. Depending on which scheme you choose, you may also have to configure the corresponding components of Oracle 9iAS, Oracle Internet Directory, or other external services.

  • Create custom authentication scheme.

    Create a custom authentication method, giving you complete control over the authentication interface. To implement this approach, you must provide a PL/SQL function the HTML DB engine executes before processing each page request. This function's Boolean return value determines whether the HTML DB engine processes the page normally or displays a failure page.

To create an authentication scheme:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Security tab.

  4. Select Authentication.

    The Authentication Schemes page appears.

  5. To create a new authentication scheme, click Create Scheme.

  6. Specify how the scheme should be created by selecting one of the following:

    • Based on preconfigured scheme

    • As a copy of an existing scheme

    • From Scratch

  7. Follow the on-screen instructions

Using the Authentication Scheme Repository

Once created, available authentication schemes display in the Authentication Schemes Repository.

To navigate to the Authentication Schemes Repository:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Security tab.

  4. Select Authentication.

From the Authentication Schemes Repository, you can:

  • Make an authentication scheme current by selecting the make current link

  • Edit an authentication scheme by clicking the edit icon

  • View a flow chart explanation of an authentication scheme by clicking the View icon

  • Create a new authentication scheme by clicking Create Scheme and following the on-screen instructions

Viewing the Current Authentication Scheme for an Application

To view the current authentication scheme for an application:

  1. Click the Build icon.

    The list of pages for the selected application appears at the bottom of the page.

  2. Select the Edit Attributes icon.

    The Edit Application Attributes page appears.

  3. Scroll down to the Session Management attribute and click manage.

    The Authentication Schemes page appears. Available authentication schemes display in the Authentication Schemes Repository. You apply an authentication scheme to an application by designating it as current.

  4. To apply an authentication scheme to the current application, select the make current link

About Preconfigured Authentication Schemes

When you select a preconfigured authentication scheme, Oracle HTML DB creates an authentication scheme for your application that follows a standard behavior for authentication and session management. The following list describes available preconfigured authentication schemes:

  • Open Door Credentials enables anyone to access your application using a built-in login page which captures a username. This can be useful during application development.

  • HTML DB Account Credentials refers to the internal user accounts (also known as "cookie user" accounts) created and managed in the Oracle HTML DB user repository. Using this scheme authentication method, your application can easily authenticate against these accounts.

  • LDAP Credentials Verification requires you specify configuration parameters about the external LDAP directory you will be using.

  • No Authentication (using DAD) gets the username from the Database Access Descriptor (DAD), either as the value stored in the DAD configuration or, if the account information is not stored in the DAD configuration, as the username captured using the basic authentication challenge.

  • Oracle 9iAS Single Sign-On (HTML DB engine as Partner App) delegates authentication to the 9iAS Single Sign-On (SSO) Server. To you use authentication scheme, your site must have already been registered as a partner application with the SSO server. For more information, contact your administrator.

  • Oracle 9iAS Single Sign-On (My application as Partner App) delegates authentication to the SSO server. In this case, you must register an application with SSO as a partner application. See the next page for more details.

About DAD Credentials Verification

Database Access Descriptor (DAD) database authentication uses the Oracle database native authentication and user mechanisms to authenticate users using a basic authentication scheme. To use DAD credentials verification:

  • Each application user must have a user account in the Oracle database.

  • You must configure a PL/SQL DAD for basic authentication (without account information).

    This results in one username/password challenge for browser session for your application users. The user identity token is then made available in the APP_USER item.

DAD database authentication is useful when you need to implement an authentication method that requires minimal setup for a manageable number of users. Ideally these users would already have self-managed accounts in the database and your use of this authentication method would be short lived (for example, during the demonstration or prototyping stages of development).

The main drawback of this approach is burdensome account maintenance, especially if users do not administer their own passwords, or if their database accounts exist only to facilitate authentication to your application.

About HTML DB Account Credentials

HTML DB Account Credentials authentication uses internal user accounts (also known as "cookie user" accounts) created and managed in the Oracle HTML DB user repository. Workspace administrators can create and edit user accounts using the Manage Users page. HTML DB Account Credentials is a good solution when:

  • You want control of the user account repository

  • Username and password based approach to security is sufficient

  • You do not need to integrate into a single sign-on framework

This is an especially good approach when you need to get a group of users up and running on a new application quickly.


See Also:

"Managing Users" for more information on creating and managing user accounts

About LDAP Credentials Verification

Any authentication scheme that uses a login page may be configured to use Lightweight Directory Access Protocol (LDAP) to verify the username and password submitted on the login page. Application Builder includes wizards and edit pages that explain how to configure this option. These wizards assume that an LDAP directory accessible to your application for this purpose already exists and that it can respond to a SIMPLE_BIND_S call for credentials verification. When you create a LDAP Credentials authentication scheme, the wizard requests and saves the LDAP host name, LDAP port, and the DN string. An optional pre-processing function can be specified to adjust formatting of the username passed to the API.

About Single Sign-On Server Verification

Oracle HTML DB applications can operate as partner applications with Oracle Application Server's Single Sign-On (SSO) infrastructure. To accomplish this, you must register your application (or register the HTML DB engine) as the partner application. To register your application or the HTML DB engine as a partner application, follow the Oracle Application Server instructions for registering partner applications and install the Oracle9iAS Portal Developer Kit (PDK).

If you choose this approach, your application will not use an integrated login page. Instead, when a user accesses your application in a new browser session, the HTML DB engine redirects to the Single Sign-On login page. After the user is authentication by SSO, the SSO components redirect back to your application, passing the user identity and other information to the HTML DB engine. The user can then continue to use the application until they log off, terminate their browser session, or until some other session-terminating event occurs.

About Creating an Authentication Scheme from Scratch

Creating an authentication scheme from scratch gives you complete control over your authentication interface. This is the best approach for applications when any of the following is true:

  • Database authentication, or other methods are not adequate.

  • You want to develop your own login form and associated methods.

  • You want to delegate all aspects of user authentication to external services such as Oracle 9iAS Single Sign-On.

  • You want to control security aspects of Oracle HTML DB session management.

  • You want to record or audit activity at the user or session level.

  • You want to enforce session activity or expiry limits.

  • You want to program conditional n-way redirection logic before Oracle HTML DB page processing.

  • You want to integrate your application with non-Oracle HTML DB applications using a common session management framework.

  • Your application consists of multiple applications that operate seamlessly (for example, more than one Oracle HTML DB application ID).


See Also:

"HTMLDB_CUSTOM_AUTH" for more information

About Session Management Security

When running custom authentication, Oracle HTML DB attempts to prevent two improper situations:

  • Intentional attempts by a user to access session state belonging to someone else. However, users can still type in an arbitrary application session ID into the URL.

  • Inadvertent access to a stale session state (probably belonging to the same user from an earlier time). This would commonly result from using bookmarks to application pages.

Oracle HTML DB checks that the user identity token set by the custom authentication function matches the user identity recorded when the application session was first created. If the user has not yet been authenticated and the user identity is not yet known, the session state being accessed does not belong to someone else. These checks determine whether the session ID in the request can be used. If not, the HTML DB engine redirects back the same page using an appropriate session ID.

Building a Login Page

When you create a new application in Oracle HTML DB, a login page is created. The alias for the page is 'LOGIN'. You can use this page as the 'invalid session page' in an authentication scheme. The page is constructed with processes that call the Oracle HTML DB login API to perform credentials verification and session registration.

You can also create a login page after you create your application by selecting the Extend this Application link from the Tasks list on the Application Builder home page. You can also build your own login pages using the pre-built pages as models and tailoring all of the UI and processing logic to your requirements.

To create a login page after you create your application:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

    The list of pages for the selected application appears at the bottom of the page.

  3. From the Tasks list on the right side of the page, select Extend this Application.

  4. Select A login page, click Next, and follow the on-screen instructions.

About Deep Linking

Deep linking refers to the ability to link to an Oracle HTML DB page out of context (for example, from a hyperlink in an e-mail or workflow notification). When you link to a page out of context and the application requires the user be authenticated, the user will be taken to the login page. After credentials verification, the HTML DB engine automatically displays the page that was referenced in the original link. Deep linking support is supported for applications that use authentication schemes.

Providing Security Through Authorization

Authorization is a broad term for controlling access to resources based on predefined user privileges. While conditions control the rendering and processing of specific page components, authorizations control user access to specific components.

Topics in this section include:

How Authorization Schemes Work

An authorization scheme extends the security of your application's authentication scheme. You can specify an authorization scheme for an entire application, a page, or specific component such as a region, item, or button. For example, you could use an authorization scheme to selectively determine which tabs, regions, or navigation bars a user sees.

An authorization scheme either succeeds or fails. If a component level authorization scheme succeeds, the user can view the component. If it fails, the user cannot view the component. If an application or page level authorization scheme fails, then Oracle HTML DB displays a previously defined message.

When you define an authorization scheme you give it a unique name. Once defined, you can attach it to any component in your application. To attach an authorization scheme to a component in your application, simply navigate to the appropriate attributes page and select an authorization scheme from the Authorization Scheme list.

Creating an Authorization Scheme

Before you can attach an authorization scheme to an application or an application component, you must first create it.

To create an authorization scheme:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Security tab.

  4. When the Security Home page appears, select Authorization.

  5. Click Create.

  6. Specify how to create an authorization scheme by selecting one of the following:

    • From Scratch

    • As a Copy of an Existing Authorization Scheme

  7. Follow the on-screen instructions.

To edit attributes of an existing authorization scheme:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Security tab.

  4. When the Security Home page appears, select Authorization.

    Existing Authorization Schemes display at the bottom of the page.

  5. To edit attributes for an existing authorizations scheme, click the edit icon.

  6. Follow the on-screen instructions.

About the Evaluation Point Attribute

You can specify when your authorization scheme is validated in the Evaluation Point attribute. You can choose to have your authorization scheme validated once for each session or once for each page view.

Keep in mind, that if you specify that an authorization scheme should be evaluated once for each session and the authorization scheme passes, the underlying code, test, or query will not be executed again for the duration of the application session. If your authorization scheme consists of a test whose results might change if evaluated at different times during the session, then you should specify that the evaluation point be once for each page view.

About Resetting Authorization Scheme State

If an authorization scheme is validated once for each session, Oracle HTML DB caches the validation results in each user's session cache. You can reset a session's authorization scheme state by calling the HTMLDB_UTIL.RESET_AUTHORIZATIONS API:

Calling this procedure nulls out any previously cached authorization scheme results for the current session. Be aware that this procedure takes no arguments and is part of the publicly executable HTMLDB_UTIL package.

Attaching an Authorization Scheme to an Application, Page, or Component

Once you have created an authorization scheme you can attach it to an entire application, page, or component.

To attach an authorization scheme to an application:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select the Edit Attributes icon.

    The Edit Application Attributes page appears.

  4. Scroll down to Authorization and make a selection from the Authorization Scheme list.

To attach an authorization scheme to a page:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

    The list of pages for the selected application appears at the bottom of the page.

  3. Navigate to a specific page, by either:

    • Entering the page ID in the Edit Page field and clicking Go

    • Clicking the page name

  4. Under Page, click Edit to view the page attributes.

  5. Scroll down to Security and make a selection from the Authorization Scheme list.

To attach an authorization scheme to a page component:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

    The list of pages for the selected application appears at the bottom of the page.

  3. Navigate to a specific page, by either:

    • Entering the page ID in the Edit Page field and clicking Go

    • Clicking the page name

  4. Access the attributes for the component to which you want to apply the authorization scheme. (See "Managing Page Rendering Components".)

  5. Scroll down to the Authorization attribute and make a selection from the Authorization Scheme list.

Viewing the Authorization Scheme Utilization Report

You can use the Authorization Scheme Utilization Report to view details about authorization schemes included in your application.

To view Authorization Scheme Utilization Report:

  1. Click the Build icon.

  2. From the Available Applications list, select an application and click Go.

  3. Select Security tab.

  4. When the Security Home page appears, select Authorization.

    The Security Navigation pane displays on the left side of the page.

  5. Click Navigate to expand or collapse the list.

  6. Select Utilization.

  7. Make a selection from the Authorization Scheme list and click Go.