APEX Page Access Protection

Oracle APEX provides various types of Page access protection (Page level declarative). We can utilize them as per the required scenario.

Let’s see all of um one by one …

Available options include:

Unrestricted :-

The page may be requested using a URL, with or without session state arguments, and without having to have a checksum.

Arguments Must Have Checksum:-

If Request, Clear Cache, or Name/Value Pair arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.

No Arguments Supported

A URL may be used to request the page, but the URL can not contain Request, Clear Cache, or Name/Value Pair arguments.

No URL Access

The page may not be accessed using a URL. However, the page may be the target of a Branch to Page branch type, as this does not perform a URL redirect.

Exceptional case with Friendly URL (NO automatic checksum)

After APEX came up with a friendly URL feature, and I started using it in our applications, never realized that if we try to manually build the friendly URL then it doesn’t generate the checksum automatically.

Example

SELECT empno,
          '<a href ="'
       || APEX_UTIL.prepare_url (
                '/ords/r/web/ontoor-solutions-extras/page-access-unrestricted?session='
             || v ('APP_SESSION')
             || '&p11_empno='
             || empno,
             p_checksum_type   => 'SESSION')
       || '">Friendly URL</a>'
          link
  FROM emp


In an Interactive report, I am using the above query and enabled the required checksum on the target page in the “Page Access Protection” section. And if I try to click on the URL then it gives an error.

Attempt to save item P11_EMPNO in session state during show processing. Item protection level indicates: Item may be set when accompanied by a “session” checksum. No checksum was passed in or the checksum passed in would be suitable for an item with protection level “Item has no protection.”. Note: End users get a different error message.

So it means a friendly URL doesn’t generate checksum automatically. Thankfully we have the s“APEX_PAGE.GET_URL” function which can generate the checksum.

Let’s try with “APEX_PAGE.GET_URL”

SELECT empno,
          '<a href ="'
       || apex_page.get_url (p_page     => 'page-access-unrestricted',
                             p_items    => 'P6_empno',
                             p_values   => empno)
       || '">Friendly URL</a>'
          link_checksum
  FROM emp