Monday, September 01, 2014

APEX 5 New Runtime API Lockdown Features

In APEX 4.x the developer could implement a feature that involves a call to the APEX API. E.g. you could create new pages on the fly if you would like to (just examine an export file for the how-to). You could drop an application using a procedure from the APEX_INSTANCE_ADMIN package. You could drop a user using APEX_UTIL.REMOVE_USER. If this is all on purpose and secured, then that's fine. But maybe you created some opportunities for SQL Injection ... and someone else could use that technique to call those very same procedures. So the bad guy (or girl) could drop your application - or maybe even worse: could create a user and give himself full access to everything!
Of course you should prevent that from happening by fixing the SQL Injection holes. But next to that: you can prevent your application from using those APIs at all! And in APEX 5 that's even the default setting. So you're safe by default ;-)

But assume you really need access to those APIs: there is an Application Level Security setting you can set.
So you can switch on access to APIs that make changes to Applications or the Workspace. The only thing is - you have to figure out yourself which setting you should enable...
So what happens if your application has the option of creating a user on the fly - and thus calls APEX_UTIL.CREATE_USER - and you didn't switch on the "Modify Workspace Repository" setting?
Then you (or your user) get this "nice" error page:
This sounds rather cryptic - and it is - but actually there is an entry in the Debug Messages with that ID. Even when you're not running in debug mode!
And this entry is:
But of course it is better to catch these errors (and all other ones as well) via an Error Handling Function. That way you can get an email when something like this happens and fix it - or be warned that some bad things are happening ....

But it's a nice additional security feature!
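An Error Handling Function along the lines described above, as an added example that is not code from the original post. The function name, the mail addresses and the choice of which errors trigger a mail are assumptions; the `apex_error` and `apex_mail` calls are the documented APEX APIs.

```sql
-- Added example. Register the function name under
-- Shared Components > Application Definition > Error Handling Function.
create or replace function notify_on_error (
    p_error in apex_error.t_error )
    return apex_error.t_error_result
is
    l_result apex_error.t_error_result;

    -- The failed request is rolled back, so the mail is queued in its own
    -- transaction; otherwise the notification would vanish with it.
    procedure send_alert is
        pragma autonomous_transaction;
    begin
        apex_mail.send (
            p_to   => 'apex-alerts@example.com',   -- placeholder address
            p_from => 'apex@example.com',          -- placeholder address
            p_subj => 'APEX error in application ' || v('APP_ID'),
            p_body => 'User: '      || v('APP_USER')           || chr(10) ||
                      'Page: '      || v('APP_PAGE_ID')        || chr(10) ||
                      'Session: '   || v('APP_SESSION')        || chr(10) ||
                      'APEX code: ' || p_error.apex_error_code || chr(10) ||
                      'Message: '   || p_error.message         || chr(10) ||
                      'ORA error: ' || p_error.ora_sqlerrm     || chr(10) ||
                      'Backtrace: ' || p_error.error_backtrace );
        commit;
    exception
        when others then
            rollback;   -- alerting must never break the error page itself
    end send_alert;
begin
    l_result := apex_error.init_error_result ( p_error => p_error );

    -- Assumption: internal errors and database errors are worth a mail,
    -- ordinary validation messages are not. Widen the filter if needed.
    if p_error.is_internal_error or p_error.ora_sqlcode is not null then
        send_alert;
    end if;

    -- Keep technical details in the mail and out of the user's browser,
    -- but leave the common session/authorization messages untouched.
    if p_error.is_internal_error and not p_error.is_common_runtime_error then
        l_result.message         := 'An unexpected error occurred. '
                                 || 'The administrators have been notified.';
        l_result.additional_info := null;
    end if;

    return l_result;
end notify_on_error;
/
```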


Friday, August 29, 2014

APEX 5 New Password Reset Features

Now and then it happens when we're logging in to our APEX instance: We have to change our password again .... And that means typing it in an awful number of times:
1. Current Password
2. New Password (and of course preferably the same as the current one ...)
3. Confirm New Password
4. Press Apply Changes
5. Press Return
6. And we're back at Square One : The login screen - and here we type that password again...
But in APEX 5 the APEX Development Team made it easier for us: When you have to change your password, you're automagically logged in with that brand new password. Finally. Sigh ....

It's a very small thing - but it takes away just that little bit of irritation every few months or so ;-)

Thursday, August 28, 2014

APEX 5 New Developer Preferences Features

As a lot of the new APEX 5 features are "by developers for developers", this one is also a nifty little thing that makes our lives easier. Only the developer part of our lives of course....
In the upper right corner of APEX 5 you'll see your login name and a rather anonymous avatar. Just for fun - and recognisability - you can add your own face there. Or a picture of your dog if you like that one better. Just click "Edit Profile" to upload a picture. Oh yeah - you can change your username and password as well in that pop up.
Way more functional is what's below the "Preferences" button. You can specify here how you want APEX to act when you press a "Run Application" button. You can define whether the Application should start in a new tab or in a new window. What's pretty cool is that when you keep that tab or window open and press the Run button again, focus will switch to that tab/window and your page will be reloaded there. So you don't get multiple tabs/windows, but just one. And the way back using the Developer Toolbar is also supported!
And if you're working on multiple applications at the same time, you'll love the last preference: You can even share that tab/window over multiple applications...
One small pitfall: the changes you make to the Preferences / Photo etc. only take effect after a page refresh - but that's probably a bug that will be fixed ;-)

My OOW14 Performances

Oracle Open World 2014 starts in just over 4 weeks from now. And I am one of the (50,000?) lucky people who will be there ....
I will even take part in three sessions, one straight at the start and one almost at the end:

What Are They Thinking? With Oracle Application Express and Oracle Data Miner [UGF2861]
Sunday, Sep 28, 9:00 AM - 9:45 AM - Moscone South - 304

Panel Discussion: Bring Your Questions About Integration (or Anything Else) [UGF9093]
Sunday, Sep 28, 3:30 PM - 4:15 PM - Moscone South - 300

The Best of Both Worlds: Going Hybrid with Your Mobile Oracle Application Express Applications [CON2296]
Thursday, Oct 2, 10:45 AM - 11:30 AM - Moscone South - 303

Hope to see you there!

Wednesday, August 27, 2014

APEX 5 New Column Link Features

In the current version of Oracle Application Express you can use up to three items in a Column Link.
Most of the time that is enough. But there were always some use cases where you needed four or even five. And of course, just like with all limitations, you can figure out a workaround. But wouldn't it be just awesome if APEX offered us more items out of the box?

And in APEX 5 they do! The number of items you can use in a Column Link isn't restricted anymore. So you don't get four. Or five. Or even six. You get "unlimited" (between " because there's probably some 32k sizing limit somewhere.. but you'll get the point).

But wait ... there's more!
The "Target Type" isn't limited to "URL" or "Page in this Application". You can now - declaratively! - link to Pages in other Applications as well, as you can see below.
So one more reason to add to the already long list of reasons to upgrade to APEX 5 as soon as we can ... maybe general availability will be announced at OOW?

Tuesday, August 26, 2014

APEX 5 New Supporting Objects Features

In the current version of APEX the Supporting Objects feature is undervalued. You can create (sort of) self-installing applications with it, but it is not widely used. Why? Because people either don't really know the feature, or they do and experience a lack of functionality. In both cases: Check out the functionality of APEX 5!
When you have scripts for creating tables, packages etc., in the current version you have to manually keep those install scripts in sync with "reality". You have to do it manually - so it'll go wrong sooner or later. But in APEX 5 you can sync your scripts with the click of a button. Well, in fact two clicks: one for the check box and one for the button. See the animation below.
So when you click "Refresh Checked" your script will be recreated, reflecting the current situation of your database.
Well, how does that work? If you click on the pencil icon and then navigate to the "Script Editor" tab, you'll see that the script is associated with objects. You can add objects here or remove the association - your script will be recreated automagically. Please note that you can't add your own code to these scripts because it'll be overwritten.
And to make it even easier for you - and to eliminate the need to run APEX in Developer Mode in the target environment - you can now enable "auto install" of Supporting Objects. Thus Supporting Objects will be installed even from within SQL*Plus or SQL Developer!
When you export an application you can set the corresponding preference like below.
One nice enhancement request maybe: I would like to have a "Refresh Checked" option on export as well! So I can refresh all my source code upon export ....

So these are a few more reasons to use Supporting Objects in your next APEX 5 project!

Friday, August 22, 2014

APEX 5 New Calendar Features

While playing around in the APEX 5 EA2 environment I discovered a few neat little features for Calendar regions.

First of all you can export the data of the calendar - only the data that's currently visible - to four types of format. Especially the iCal format is new and interesting as this is readable by most calendar applications. Right now, in EA2, the PDF option doesn't seem to work yet. And alas, the iCal format is not readable by the Apple Calendar - but I hope that'll be fixed when the product becomes available! It is promising nevertheless....

Another cool feature is the Google URL. You can enter a URL of a public Gcalendar (or your private calendar if you want to) and your appointments will show up in your APEX application (see the green entries in the screenshot below)!

And last but not least : You can add your own (or someone else's) RESTful webservice feed to the calendar as well. By defining your own Resource Handler using a query to return a JSON string, you can add even more data sources to your calendar. The purple entry below is created by the SQL statement:

select 'Presentation APEX5 Hidden Features' as "title"
,      sysdate - 0.5/24 as "start"
,      sysdate + 0.5/24 as "end"
from dual


The JSON format is fixed, so we have to enclose the column aliases in double quotes to get a proper SQL statement (otherwise we would be using reserved words and returning uppercase attribute names).


Thursday, June 26, 2014

Kscope Wednesday

Today is also packed with excellent sessions. The first one, "Cookie Monster", by Tim St. Hilaire covered the different types of cookies and how you can set and read them from within your APEX application. For a lot of purposes you could nowadays use local storage as well, but there's still a case for cookies - and that's not a jar ;-)
The second one, "Single Sign On", by Anton Nielsen was excellent as well. He made clear that just Authentication is not enough: In most cases we need to get back our previous session state as well. A feature that will be included in APEX 5: Session joining. However, in a multi-tenant infrastructure it is not a good idea to enable this, as it might open up the possibility to hijack a session. He also explained that from a security point of view, it is important that the APEX authentication is based on both the cookie and the session ID in the URL.
In session number three, "Pins, Polygons and Perspective", Christoph Ruepprich showed how you can add very nice - and rather easy - geo information to your APEX application. Especially LeafletJS is something to check out, as it is perfect for mobile devices and can use different layers.
After a long break I attended "Production Level Trouble Shooting", especially because I have done sessions on that same subject as well. The key takeaway is that it is a good idea to instrument your code in such a way that you can switch on debugging in a production environment for a single user, a single page and/or a period of time. You can do that - even when debugging is disabled, as it should be - by issuing a (conditional) apex_debug.enable command before both page rendering and page processing.
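One way to build such a switch, as an added example that is not from the session or from the original post. The DEBUG_SWITCH table and the procedure name are hypothetical; `apex_debug.enable` and its log level constant are the documented APEX API.

```sql
-- Added example. DEBUG_SWITCH is a hypothetical table, not an APEX object.
-- Debug output can contain session state values, so keep the time window
-- short and restrict who may insert rows here.
create table debug_switch (
    app_user    varchar2(255),      -- null = any user
    page_id     number,             -- null = any page
    valid_until date not null       -- the switch expires by itself
);

create or replace procedure enable_debug_if_requested
is
    l_hits pls_integer;
begin
    -- Is there an unexpired switch matching the current user and page?
    select count(*)
      into l_hits
      from debug_switch
     where (app_user is null or app_user = v('APP_USER'))
       and (page_id  is null or page_id  = to_number(v('APP_PAGE_ID')))
       and valid_until > sysdate;

    if l_hits > 0 then
        apex_debug.enable ( p_level => apex_debug.c_log_level_info );
    end if;
end enable_debug_if_requested;
/

-- Constructed sample row: debug page 10 for user JDOE for the next 30 minutes.
insert into debug_switch (app_user, page_id, valid_until)
values ('JDOE', 10, sysdate + 30/1440);
commit;
```

Call `enable_debug_if_requested` from two Application Processes, one at "On Load: Before Header" and one at "On Submit: After Page Submission - Before Computations and Validations", so that both rendering and processing are covered.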
Then, my personal highlight of the day, John Scott did his NodeJS presentation. With some great examples / use cases he made clear that this is something we definitely should check out. With just a few lines of NodeJS code you can create a webserver, a proxy server, create a REST server, create an APEX exporter or a mail reader and websockets server.
The final presentation about APEX URLs by Christian Rokitta gave insight into why your URLs should be (more) readable by the user and search engines, with some great options and tips on how to accomplish this: using intelligent rewrite by either PL/SQL, the ORDS (APEX Listener) and/or by changing the Listener configuration.

A long, but very interesting day. And now it's time for the big event....