Storm Petrel, LLC

oracle apex

Oracle APEX Low-Code User Management – Part II

by

Date

25 June 2021 | Version APEX 20.2

Low-Code User Managment – EEK!

In Part I, I asked: can I create an effective user management system using a low-code approach within Oracle APEX (v20.2)?

The answer is “No” or ought to be “No”. Maybe technically one might say “YES”, but it should NOT be done. I’ll will discuss why and how to fix this problem in this article.

When I envisioned writing this article, even through yesterday, I thought I would issue a series of warnings and caveats, which I will go through later. Then this morning while testing and polishing the sample application for publication, I locked myself out (again). A day’s worth of work is locked up, error messages blow, and while I am confident that with another couple of hours of effort, I can un-mess this mess, there are just too many risks.

As a newbie APEX developer, I spent hours reading articles and following the footprints of others. My feeling now is that if I lay a track of prints, some other well-intentioned human being will follow my path and miss my warnings, dismiss my risks, ignore my pointing fingers, and try anyway.

Of course, you are welcome to try to create a low-code user management system that incorporates the internal APEX users and APEX’s Access Control features. I’ll give you the links, but I’ll not give you the application.

In nearly a decade of reading articles and posts about Oracle APEX, I do not believe I have run across an author/developer who said: “Just Don’t Do It!”. Today, that is me.

Low-Code – A Definition

Low-code software application development involves techniques focusing on drag-n-drop, select lists, and check boxes to create an application. Oracle Application Express (APEX) is a free tool available for every modern Oracle database. It provides robust and professional level tools for the design, development, and operation of high-quality, secure, web-based applications.

This cloud-based tool has demonstrated its capabilities. One of our commercial applications underwent scrutiny by the U.S. Department of Homeland Security (DHS) cybersecurity teams. Our application has utilized by inspectors general. This application incorporates 58,000 lines of code in packages and uses over 300 tables. Granted this application has successfully managed $5B USD in federal funds and while managing/storing 400,000 PDF documents. This application is not low code.

My business partner has written a few low-code and no-code APEX applications. One of his low-code applications fetches the pool temperature and weather statistics of the pool outside of his Florida home and graphs changes the during the day. Low code because he used our template for the API with this weather station he bought and the rest was basic skills with a mouse. Maybe one or two simple queries for his graph. He’s also done a no-code application to help the homeowner’s group manage documents and photographs. It provided more power and capabilities than WordPress with nearly no more need for coding skills. APEX met the demands.

In each case, John creates users within APEX then assigns them to an application with the APEX Access Control Feature.

Low-code – write a few queries with SELECT statements, call a procedure or function as needed. Likely does not have any packages of compiled code.

No-code applications don’t even require queries or calls to procedures/functions. APEX can do it – does it all the time for people, even me!

Why Low-Code / No-Code?

Isn’t that the dream? How many of us have heard the line: “I’ve got an app for you” followed with some version of well all be rich. Anyone can write an application, that’s the promise. We have spent decades lowering the threshold for entry and making database application development more approachable and more accessible.

I love low-code/no-code because it serves me as a rapid prototyping and demonstration tool. I can do things immediately, now! It will work. I don’t have to destroy a prototype as ideas mature, as clients provide feedback. Low-code/no-code serves both as the pencil sketch pad foray to finished product.

Low-code / no-code works great for John and thousands like him. Toss Excel to the bin and have a website that uses data for managing and viewing data dynamically. Perfection.

A Gap

As mentioned in Part I, APEX includes a feature that can be installed with a new application called “Access Control”. Implied in this feature is that this Access Control process predicate on APEX users. This is not the case, this feature can be used with custom authentication process as described by Doug Gault in his article.

Given Oracle and the great team at developing our APEX tools emphasize the no-code/low-code benefits of APEX for rapid application development, I decided to explore using a low-code techniques for user management. In short, although I did not technically fail, the risks of what I explored significantly outweigh the benefits.

And, in subtle ways Oracle reinforces my positions.

Low-Code User Management

I decided that my low-code approach for user management should rely on Oracle data storage and Oracle procedures/functions. If I do need to write PL/SQL blocks of code, they ought to be:

  1. Within APEX and not in a package, procedure, or function
  2. A few lines long, certainly under 50 lines

In time, I conceded that if I can write a sample application that pushed these code limits a bit, but provided that application as a free download from my Github (don’t look, it is not there). Then sample app could be used by others risk-free in a low-code/no-code environment.

I was 99.999% successful. I was ready to push to GitHub and give the app to John for his homeowner’s association and his weather station thingy. Then, for the third time, I entirely fried my APEX environment. I believe myself to be expert, and the severity of the mistakes I made informed me that the architectural foundation of my premise and experiment Failed.

If this were an episode of Myth Busters, I’d stamp “Busted” on this effort.

Risk Identifier #1 – No Sample App from Oracle

I did ask myself why doesn’t Oracle, who is promoting low-code/no-code, provide a sample app for user management? Or even a softer edge to APEX that permits incorporation into an application?

This is a clue.

A low-code method would have to gain access to “Application Express Accounts” as show here. This is an image from Shared Components > Security Authentication Schemes.

Oracle provides a strong set of tools to manage APEX accounts.

A sample app, which can be installed by any developer, would require:

  1. Administrator Rights to APEX;
  2. Would have access to modify the rights to nearly any developer and administrator within APEX.

When I examined Risk Identify #1, I thought Oracle was protecting itself from lawsuits and the malice a disgruntled developer having a bad day at work. I was wrong. It protected APEX from me, a well-intentioned, experience developer working alone in a private space.

APEX relies on “Application Express Accounts” for proper access, and function. Sample applications are often treated as learning tools, toys, and templates. It is a bad idea to let a toy destroy your work environment.

Risk Identifier #2 – Removing Important Security Feature

In order to let developers and APEX applications modify APEX users accounts, you must remove a layer of protection from APEX. Buried deep in the security attributes for an application (Shared Components), there is a Check Box at the bottom of a page that reads:

Runtime API Usage

When checking the “Modify Workspace Repository”, you’ve now let application developers modify APEX user accounts and all sort of internal stuff.

If you want a security for your corporate or institutional environment, if you value your job, if you value your data, leave that box unchecked.

Risk Identifier #3 – Must be APEX Workspace Administrator

Within APEX there are classes of users and permissions. The king is Internal/Admin as this user sets up workspaces and users. Next down the ranks are Workspace Administrators. These folk can edit user permissions within a workspace: change passwords, do that cool stuff. Down the ranks another step: Workspace Developers. Developers can write applications and depending on toggles, access SQL and other stuff. The bottom rank are the Not-an-Admin and Not-a-Developer. This is the group of application users.

In order for an application to Modify Workspace Repository (APEX accounts) the application user must be a Workspace Administrator.

Seriously, we should never give the user of an application Workspace Administrator rights. It is an evil idea. What could possibly go wrong?

Risk Management

These protections exist on purpose!

Before starting I assess the risks and developed strategies to minimize the risks

  1. Developed app at the free tier of Oracle Cloud Infrastructure with APEX installed
    1. I did NOT do this on my own systems
    1. I did NOT do this on my corporate systems
  2. Know my PST (Primary, Secondary, Tertiary Actions)
    1. Primary recovery action: Run application backups
    1. Secondary recovery action: Have spare users, don’t mess with Internal/Admin
    1. Tertiary recovery action: Wipe my OCI space clean and start again

I still found trouble – I mean, I created my own trouble.

Mistake #1 – Update APEX Account with Null data

Whilst I did a complete fetch user and populated matching page items, I really didn’t want to update every parameter when I pushed the data back with Edit User.

First, I tried to limit the data I fetched but commenting out parameters I did not want. The code would not verify. Fail!

Next, I limited the data I pushed by commenting lines from apex_util.edit_user. Hey, this code compiled just fine! I edited my name and destroyed my APEX account. Yes, sent nulls back to all sort of important stuff.

I set my group IDs and developer roles to nulls. I turned my own account from Workspace Administrator to a User.

Recovery Step – Log in as Internal/Admin and fix my own account.

Mistake #2 – Remove All Administrators from Application

When using the APEX Access Management feature, you must have at least one account identified as an “Administrator” within the access control list for the application. That account must also be a Workspace Administrator.

I am working through the process of changing rights from application administrator to application contributor to application reader.

One can not just execute the repair code from SQL Developer. You must be within an APEX Session (essentially within an APEX application). I wrote code that executed blindly on page 1 to add myself back to the application administrator group.

Recovery Step – Execute a PL/SQL block from within an APEX session to add a workspace administrator user to access control list as an application administrator.

Prevention Step – I wrote come elegant code that prevent the user from removing the rights of the last administrator. This was not a novice level query, but it was short. This code does not qualify for “low-code/no-code”. It did prevent me from repeating this mistake.

Mistake #3 – WTF?

At Mistake #3, I decided I’d had just enough. I thought to myself: “Oh, I should permit a user to change their own password”. I popped in a quick modal page with two page items: old password, and new password. I dropped in the necessary reset password call, definitely a low-code effort (if you really want to leap after me, it is apex_util.reset_password).

I change my user’s password.

Now none of my users can log into my sample application. I couldn’t log into APEX. I fixed my APEX account with Internal/Admin (again). Found the application wrecked-beyond-recognition and decided I had enough evidence to write this article.

Don’t Do It

Hot coffee is often served in cups that read: Contents Maybe Hot. Fuel stations provide warning signs about gasoline being flammable.

If you care about your APEX environment, do not permit an external application to modify workspace repository stuff such as APEX user accounts. Hot stuff is hot. Don’t touch a hot stove top.

Do not give the administrator of an application the full permissions needed to be an APEX Workspace Administrator.

As a long-time paramedic and chief of an emergency medical service, I underwent annual training on infectious disease prevention. The lesson often started and ended with: “Don’t touch it; Don’t touch it; Don’t touch it.” Today, it would include, “wear a mask”.

Oracle APEX requires a secure and non-volatile environment in order to operate well, that includes the parameters and passwords for APEX administrators and developers. Please do isolate your applications from your development environment.

Hey Oracle, Help Us!

In striving to capture more marketspace in the low-code/no-code environment, the team at Oracle has the opportunity to provide an application-specific suite of tools for low-code/no-code user management.

Maybe there is a place for developers initially use their own developer accounts, but even that fosters bad security practices.

We should ask Oracle to remove the ability to permit applications to be authenticated against developer accounts. Instead, rely on a distinct and isolated dataset for application user accounts.

With cybersecurity risks front-and-center in news, we should all do every thing we can to envision a more secure world. Linking your database security, your developer’s security, and your application security with a single account is unwise.

Yes, No Code & No Sample Application

I am not providing sample code, code to copy, or a sample application. If you wish to recreate my stupid mistakes, go do your own research. I will not enable that level of stupid. Oracle has all the documentation you need.

Yes, this is an Oracle APEX blog post with no code.

Christina Moore

25JUN2021

Oracle APEX Low-Code Authentication and Authorization

by

Date

June 2021 | Version APEX 18.1 and higher

Context

When working with Oracle APEX whether on Oracle Cloud Infrastructure (OCI) or within your own environment, the wizard for creating a new application permits one to check a box that adds Oracle’s internal user management tools. Selecting this option only starts the process. More is needed to provide a complete security model for authentication and authorization. Let’s explore the robust features that Oracle APEX provides for free within this rapid-development/low-code tool – Application Express (APEX).

Doug Gault wrote a terrific article in September of 2019 (Twitter: @DougAGault) that provides insights into customizing and blending the internal Oracle toolset with hand-coded “custom” options.

For years, my team and I have only ever engaged in custom user authentication schemes augmented with complicated and hand-written authorization schemes. I carried the arrogance: I can do it better.

But can I?

Who has more experience securing massive amounts of important data? Me… or Oracle? Is my way better? Am I as current as I need to be with user authentication? I ought to have ignored that arrogance and explore the toolkit at our fingertips. These tools do a great job with username and password style authentication.

Progressively, our team has been engaging external service providers and API for Multifactor Authentication (MFA) and Single-Sign On (SSO). We’ve been using Okta and Microsoft and other solutions for both single-sign-on (SSO) and MFA. Adrian Png (Twitter: @fuzzieBrain) helped us repeatedly when we get in over our heads with SSO. The recent article by Plamen Mushkov (twitter: @plamen_9) is very good too: https://apexapplab.dev/2021/05/31/okta-authentication-for-apex-in-5-minutes/

Please acknowledge that hosting an application and the associated data on the internet carries risks. The risks and burden to protect these data rests on our shoulders, your shoulders.

Sometimes username and password are the right solution right now. And why not examine the free tools from Oracle before doing what I did and writing hundreds of lines of code, creating a series of custom tables, etc.

Why This Article

#1: John

My business partner of 10+ years specializes in servers, networks, and cybersecurity. Now and again, he puts together an APEX application – a true demonstration how Oracle has created a low-code/no-code system for building web-based software. He wanted to make changes to the user security feature that installed automatically. We both had to reverse engineer where those features came from. We both learned he ticked a box that read: “Access Control Enable Role-based user authorization” when on the “Create an Application” wizard. In a quick effort to replicate the feature, we failed when running them within SQL Developer. I then read, researched, and discovered a surprise treat someone left for me (and you).

After understanding and playing, I recognized that this feature ought to have been including in many of our early development efforts… especially when I often preach “lean into APEX” – embrace the spirit and efficiencies of someone else’s labors, and of a damned good tool.

#2: The Gap

In time I saw the gap. I failed to discover how to update a user’s password. I recognized that this feature emphasized user authorization – who has access to what, once in. Where is the user authentication part? Authentication asks: “Are you, you?”.

The APEX feature, as shown, is called “Access Control”, another phrase for authorization. So where are the elements needed to manage user authentication? They are in the package APEX_UTIL. There is a gap in our Low-Code User Management presentation from Oracle.

Take a look at the section called “APEX Users” below for more information.

Low-Code User Management

My friends at Oracle included the “user authorization” part of user management in the New Application Wizard. The inference is that users will be managed through the APEX developer’s interface. APEX does provide functions and procedures within APEX_UTIL that permit the real management of users. Raised by parent who wrote a lot, one earning a major in English, I grew up hearing the phrase “Maintain Parallel Construction” – which is not a tenet of Oracle. In this case, when you need the data, you query views with public synonyms. When you want to modify data, you call APEX_UTIL, and sometimes you can use APEX_UTIL to fetch out data too. If you want to modify the permissions of a user within an application, then you want to use the package APEX_ACL and a different set of views.

Inventory

In the table below, I am going to inventory the major components needed. There are some smaller functions that are super useful, but slightly redundant.

PurposeDescriptionPackageView
Authentication
Add/Create UserAdd a user to the APEX user environment, including application usersAPEX_UTIL.CREATE_USERapex_workspace_apex_users
Edit UserEdit a UserAPEX_UTIL.EDIT_USERapex_workspace_apex_users
Reset PasswordReset a password for APEX/application userAPEX_UTIL.RESET_PASSWORD APEX_UTIL.CHANGE_CURRENT_USER_PWNot Applicable (seriously, we’re not querying passwords!)
Password StrengthTest a password against established criteriaAPEX_UTIL.STRONG_PASSWORD_CHECKNot Applicable
Delete UserDelete or remove a user from APEX/applicationAPEX_UTIL.REMOVE_USERapex_workspace_apex_users
Find APEX User IDRetrieve APEX User ID (Primary Key) with known usernameAPEX_UTIL.GET_USER_IDapex_workspace_apex_users
Create User Group/RoleCreating a Group which is used for Authorization RolesAPEX_UTIL.CREATE_USER_GROUPapex_appl_acl_roles apex_workspace_groups
Authorization
Assign User to ApplicationAssign a user to an application with a role (admin/ contributor/ reader)APEX_ACL.ADD_USER_ROLEapex_appl_acl_users
Change or Remove User’s rolesChange or remove a user’s authorization level or roleAPEX_ACL.REMOVE_USER_ROLE APEX_ACL.REPLACE_USER_ROLESapex_appl_acl_user_roles
Feature Control
Toggle User ACLTurn User access control management on or off (Access control list)apex_app_setting.set_value ( p_name  => ‘ACCESS_CONTROL_SCOPE’, p_value => ‘ALL_USERS’); 
Query User ACLIdentify if User ACL is running or nowapex_app_setting.get_value( p_name => ‘ACCESS_CONTROL_SCOPE’ ) 

Notes & Warnings

Many of the procedures listed above require that one calls them from within APEX. Additionally, the user must have sufficient permissions within APEX to add users – so an APEX Admin.

This is a situation where one ought to play within one’s personal APEX space. Please do not mess up a corporate environment without permissions. That may cause an unexpected change in employment status.

APEX Setting

You will not be able to use an API to edit users unless you permit it. You’ll need to go tick the following:

Shared Components > Security > Runtime API Usage

Add a check to “Modify Workspace Repository” thereby permitting an application to reach back into APEX to modify user profiles.

Low-Code versus No-Code

Low-Code means that a developer has a reduced burden for application development. The procedures and views listed above provide a superlative low-code approach to user management. To cross the threshold to No-Code, we’d have to have a sample application with a full suite of user management features included, ideally introduced to an application with a cool little checkbox such as we see with Access Management in the Create Application Wizard.

My goal for next week is to write a robust application in APEX 20.x using the modern DML features. I’ll post this on my GitHub as an APEX application one can install.

I gave myself a giggle about including this code in a Sample App. It could be a bit of a risk for Oracle to do this. You let someone install a sample app as a developer, then maybe it doesn’t work so well without Admin permissions. A developer installs an application that requires admin rights. Now developer wants admin rights, blah, blah, blah. I understand the hesitancy. Providing administrative level access for one application is a different risk level than giving administrative level access to your APEX. I’ll publish the application on Github ensuring my personal stuff and our corporate stuff is safe. And in the blog, I’ll provide code samples for ye olde copy-n-paste.

APEX Users

Can you use the Oracle APEX view/table apex_workspace_apex_users to provide all of the features you need for a proper user table. The basics are covered with fields including username, first name, last name, email. Fields needed for APEX are visible with expiry date for the password, failed attempt counter, and toggles for APEX admin and APEX developer. We also have 10 flexible fields called “attributes”. They are numbered 1 through 10 and can be use to enhance the user table to suit your needs. Maybe you put the user’s language preference in attribute 1, the code (run from within an APEX page and session):

BEGIN 
    APEX_UTIL.SET_ATTRIBUTE ( 
        p_userid => apex_util.get_user_id(p_username => 'FRED'), 
        p_attribute_number => 1, 
        p_attribute_value => 'en'); -- Language preference
END;

Observe that this function uses the numeric primary key for the User ID. When getting the same attribute, use the “username” as shown below:

DECLARE  
    l_language VARCHAR2(4000);
BEGIN 
    l_language	:= APEX_UTIL.GET_ATTRIBUTE ( 
        p_username => 'FRED', 
        p_attribute_number => 1
		);
		APEX_UTIL.SET_SESSION_LANG( P_LANG => l_language);
END;

Of course, if your needs for a user table exceeds the capabilities of this internal APEX table, then you can build a one-to-one relationship to your own table.

Accessing the APEX user table can only be done within an APEX session, requires correct permissions within APEX. Updating data in the APEX user table must be done through functions/procedures provided by the APEX_UTIL package.

Better than Custom?

This approach may be better than custom, but not perfect. A custom table would normally be stored in the same database schema. Most of us store data in plain text except for the hashed password. Hashed passwords are better than encrypted passwords. Our early user tables had encrypted passwords – not good. Later we hashed. Putting user data including password information one step removed from your application schema requires bad actors to take that extra step. That is incrementally better. Better is better.

While these actions add layers and improve the shielding of user data, the responsibility to ensuring the security of data and access to applications belongs to the developers. These decisions rest with you.

APEX User Access

The APEX User Access Management feature assigns users to roles (groups) that are application specific. The native feature does not technically “add a user”, even though there is a button that says “Add User” – poor button, it doesn’t know it is lying to you. Once adding a user to a role within an application, you build out the Shared Component Authorization Scheme for these roles. With the Authorization Schemes created, you then add these to pages, menus, lists, etc.

The Steps

  1. Add a user to the APEX environment – make sure this person is not a developer, nor an APEX admin.
  2. “Add” the user to the application using the Access Control features described above as part of creating a new application.
  3. Assign a user to a role.
  4. Create or update the Authorization scheme (Shared Components)
  5. Assign Authorization to buttons, pages, navigation menu, lists, and other places as needed.

I noted that the APEX User Access Management feature installs with the legacy DML tools, predating the APEX forms. I spent most of my winter migrating hundreds of pages to the newer Forms. Normally, I am done with a few clicks. Instead, I got both stuck and frustrated with errors. With effort that involved returning to a known-good baseline (legacy DML), changing one variable at a time, I demonstrated to myself that the primary key must not be returned to the page item.

When installing this on APEX 20.x, we see the tag “legacy” which inspires us to push forward. That is shown in the illustration below.

We add the page elements to create a form, as shown.

Then confirm that the primary key is set correctly (Pxxx_USER_ID) as primary key.

Following those steps go to the page process to add the form DML. In there, de-select the return primary key option as shown.

Link It!

The APEX User Access Management feature includes a button that reads “Add User”. This button does not “Add User” to APEX. It adds permissions (roles) to a user. And this only works if the user exists within APEX. So how about a validation link between the two. Set the Pxxxx_USER_NAME to a select list, then add a query as shown:

select 
	user_name d,
	user_name r
from apex_workspace_apex_users
where user_name not in
	(select user_name from apex_appl_acl_users where APPLICATION_ID = :APP_ID)
order by user_name;

A screen shot to provide context on where this query would go…

This will reinforce the distinction between the ACL User (Access Control) and the APEX User who gets authenticated.

Remember set theory? We all live in the land of set theory from the first moment we query a database with an SQL statement. The ACL User list ought to be a subset of the APEX Users list. We certainly had fun adding Fred and Barney and Wilma to our ACL list, but none of my Flintstone characters found a way to log in, not without solving the authentication problem first.

Toggle On / Off

An application can be available to all APEX users, or you can restrict the user’s access using the Access Control features. When installing the User Access Management feature, APEX turns on the Access Control Scope for your application. When “On”, only users assigned roles and assigned to your application have access, also stated as “Access Control List”. When off, there is no ACL (access control list) and any APEX user has access.

To toggle the feature, use this pair of functions. One sets the value, the other queries it. These must be run from with in an APEX application and session.

begin
    if :P10010_ALLOW_OTHER_USERS = 'Y' then
        apex_app_setting.set_value (
            p_name  => 'ACCESS_CONTROL_SCOPE',
            p_value => 'ALL_USERS');
    else
        apex_app_setting.set_value (
            p_name  => 'ACCESS_CONTROL_SCOPE',
            p_value => 'ACL_ONLY');
    end if;
end;

if apex_app_setting.get_value( p_name => 'ACCESS_CONTROL_SCOPE' ) = 'ACL_ONLY' then
    return 'N';
else
    return 'Y';
end if;

Authorization Schemes

While researching this article, I came to appreciate scheme type “Is in Role or Group”. For all of my years writing applications in APEX, I focused on the very database-ness of what I saw – the exists query, the equality to an item, and PL/SQL functions. Certainly, my functions and query demonstrated the cleverest I could be (ok, complicated). Our team created groups of users without using the native groups or functions roles within APEX. I would not likely go backwards to re-do the authorization scheme. That said, I would not again undertake authorization without the simpler approach with Roles / Groups.

Please do go visit Doug’s article on setting this up.

What’s Next?

Seems like a fun challenge to make a sample application that “leans into APEX” for user management.

Update (What could possibly go wrong?!)

Hey reader, I am updating this article on the same day I published it. I started the aforementioned sample app to manage APEX User profile from within an APEX application. While I listed some risks including a sudden change in employment if mistakes happen.

Well… I am the only user on my own Oracle Cloud Infrastructure APEX instance. When I edited the profile, I entirely nullified my administrator permissions. I could not even view or edit the APEX code. In short, I blew myself up entirely. Oops.

oh my

I had to login into APEX Internal as Admin, then reset my lonely little user back to being an Administrator for APEX.

Please do this better than I did!

How to Query Oracle Font APEX

by

Abstract

This is an article about using classic Oracle database tools to query Font APEX as a dataset. This article is also about failure, my failure(s) in achieving this goal. If you don’t care about the journey, the frustrations, the cool news tools I explored, just click to the RESTful link to get FONT Apex as JSON. (link https://g2235c8c2b07256-cmoore.adb.us-ashburn-1.oraclecloudapps.com/ords/cm/font/apex)

I did explore Oracle 21C, Multilingual Engine (MLE), Javascript, JS variables, and a whole lot of other fun stuff for days and days before writing too much code to solve a simple problem that I had in 2017. In short, I failed. Ok, sure I got the data I wanted but I failed at elegant, efficient, pretty. I may have learned something including that writing about failure might be fun?

Challenge

Please go do this then show me how easy and elegant it ought to be. Then ping me back with a positive and warm vibe on the Twitter (@cmoore_sp). Hey trolls, I already admitted I flopped and I got stuff to learn.

History

During the summer of 2017, our team supported a Toronto-based firm with custom application to help with quality assurance work. I thought it would be cool, when during setup and management of the application that the client could pick their own icons for various tasks that they setup in their QA tracking. Oracle is a terrific database. APEX, or Application Express, is a low-code rapid development tool. Sadly, that moniker under-represents the power of APEX. Our firm has managed billions of dollars with APEX and 400,000 PDF documents within a single application with 2,000 users engaging in daily tasks using both English and Spanish. APEX has serious capabilities.

I wasn’t successful at finding a view or a synonym with the information. When I digested the Universal Theme sample app, I got little more information there. I wrote Christian Neumueller (Twitter: @chrisNeumueller) with the Oracle APEX team in July of 2017 with the question. He wrote back stating that there was nothing “server-side” – meaning nothing in the database itself. Font APEX is thus buried within the labyrinth of CSS and JS.

I extracted the data I needed with expedience and zero grace – and decided I needed to explore further. Since then, I’ve deployed into Hurricane Harvey in Texas, then deployed to Puerto Rico for two hurricanes (Irma and Maria). For the last 16 months, our team has been supporting various COVID funding initiative with our software – y’know a global pandemic.

Four year later, I still want an ability to query APEX font choices with classic database tools. As I returned to the question, I also recognize I have absolutely no NEED to do this stupid task. I sure have spent days and days trying.

Objectives

I started this project in 2017, then again in May of 2021 with a few objectives.

  1. Do something cool that results in code worthy of praise, recognition, and challenges the boundaries of my knowledge – and may teach someone else something.
  2. Learning something cool along the way myself – push myself
  3. Publish both code and Font APEX as a data that can be refreshed with a click.

Successes

  • I pushed my knowledge and did learn stuff.
  • I pushed myself into 21C and JavaScript and Multilingual Engine (MLE).
  • Published a RESTFul link for Font APEX.

But I really consider my effort a failure, a flop, and a frustrating fizzle into the desire to publish even if that means recognizing I needed help long before I gave up.

Failure

Following the series of API articles and efforts I have published in the recent years, I thought I put up an APEX application with an API that fetched Font APEX dynamically making it available in an Oracle table and/or a JSON dataset.

Playing Along At Home

If you are going to follow along at home, please install the Universal Theme Sample Application on your own system. You can do this from the APEX main application page, click “Create>”, then click the Productivity App card. From there, install the “Universal Theme Sample Application”. It takes only a few minutes and as you explore and hack, you won’t be on someone else’s server whackin’ away. It is just more respectful to your neighbors and friends. We have an APEX workspace we call “Backyard” in which we play.

APEX Team Answer

In July of 2017, I got this in an email from the APEX team at Oracle:

You could also write some script to generate records from images/themes/theme_42/1.1/js/demo/icons.js, or use that (probably just the global JavaScript variable apexIcons) in your app’s UI to generate the “pick an icon” dialog.

APEX Team at Oracle

I haven’t a clue what I did 3 hurricanes and 1 pandemic ago. I do know we delivered an application with a table that included APEX fonts.

I acknowledge I am a JSI – JavaScript Idiot. Soy idiota. This handicap came about in the mid-1980 when I was learning programming. I resisted the computer science degree which focused on big iron mainframes. Instead, I learned Borland’s Turbo Pascal in independent study. Clancy and Cooper’s book “Oh, Pascal!” sits proudly on myself behind me. The syntax and structures I learned in the early 1980s subsequently became the foundations for our PL/SQL. I’d learned BASIC in high school on a PDP-11. I am clumsy and awkward with object-oriented languages.

We all must learn to celebrate diversity, mustn’t we.

I knew Christian left me a serious clue in his email. The clue is still there, ignored by me.

Step 1 – API

I had a plan! I can readily find the icons.js. I thought I could automate that a bit. The May 2021 (APEX 20) path, if you have the Universal Theme Sample Application installed, is something like:

/i/themes/theme_42/1.6/js/demo/icons.js

In July of 2017, it was:

/i/themes/theme_42/1.1/js/demo/icons.js

I see a pattern. We have a global substitution to get to the ‘/i/’ in APEX (#IMAGE_PREFIX#).

With a too-quick look I see squiggle brackets, square braces, and assume immediately I am looking at JSON. Sweet.

I pull out my trusty API template (see article: https://storm-petrel.com/2021/05/21/oracle-plsql-api-template/). With in a few minutes, I have pulled the data into my API_STAGING table as an HTTP Response (a clob).

Fail

Several of you playing along at home already know what I did not know. The icons.js is not JSON but a JavaScript variable or JS Object. I don’t know how to parse that. There has to be a way! I can admit I wrote some bad code in PL/SQL that tried – and failed.

Step 2 – JS Object to JSON

With the minor setback of not knowing much about JS variable, I rapidly developed a new plan.

I must learn how to Stringify an JavaScript object into my familiar JSON. Then I’ll win and move forward. I can now Stringify safely because I learned this last month.

<script>  
var icons= JSON.stringify(apexIcons);
document.write(icons);
</script>

I read a blog post by Joel Kallman that he posted in November of 2018 discussing Oracle Database Multilingual Engine (MLE) that is now available to us in 2021, as in it is in Oracle release 21c.

Great, toss my JSON.stringify into familiar PL/SQL code using Oracle’s MLE.

Now I am on the leading edge! Watch me go now. I just need 21C which came out in 2021 (clever name, eh?). Ok, but our team just got fully stable on 19C after a miserable few months, so I can’t ask us to upgrade.

This gives me an excuse to setup a project on Oracle Cloud Infrastructure (OCI) with the always-free option. I pop my API template up. Install the Universal Theme, fetch down a lovely CLOB filled with my JavaScript Object (variable). Because I am a database person, I know well how to do a SELECT on data. Christian’s hint about the “global JavaScript variable apexIcon” is still floating in the stupid corner of my brain. I don’t know how to connect that phrase with “write a script”.

Give me a minute on 21C with MLE, a goodly handful of brilliant articles, and I’ll master this task.

For those wincing at home, I have wasted significant number of hours, even days at this point.

I give Oracle my personal credit card to setup my free OCI session – and that has gotten easier over the years. Cheers to Oracle for streamlining that and working at catching up. Well done, you.

I write a bit of code with my new-found friend MLE then put it into SQL Developer linked to my Oracle Cloud. It runs perfectly but I don’t see anything. I look carefully at the blog posts to see folks using APEX SQL Workshop “SQL Commands” to run this stuff. Ok, I haven’t been in SQL Commands since 2015. Copy/paste, run!

DECLARE
   ctx      varchar2(50);
   l_js     clob;
   l_var    clob;
BEGIN
    l_js := q'~
var apexIcons=
{
	ACCESSIBILITY:[
		{name:"fa-american-sign-language-interpreting"},
		{name:"fa-asl-interpreting"},
		{name:"fa-assistive-listening-systems"},
		{name:"fa-audio-description"},
		{name:"fa-blind"},
		{name:"fa-braille"},
		{name:"fa-deaf"},
		{name:"fa-deafness"},
		{name:"fa-hard-of-hearing"},
		{name:"fa-low-vision"},
		{name:"fa-sign-language"},
		{name:"fa-signing"},
		{name:"fa-universal-access"},
		{name:"fa-volume-control-phone"},
		{name:"fa-wheelchair-alt"}
	]
};
    var gfg = JSON.stringify(apexIcons);
    console.log(gfg);
    console.log("Goodbye Cruel World!");
    ~';
   ctx := DBMS_MLE.create_context();
   DBMS_MLE.eval(ctx, 'JAVASCRIPT', l_js );	
   DBMS_MLE.drop_context(ctx);
END;

I am scriptifying!

So close. And fail!

Fail

I need to fetch my APEX Icon data. We’ve established I don’t know how to dance the JS rhythm. And I know I have the JavaScript object warm and happy in my Oracle Table API_STAGING.HTTP_RESPONSE. I’ll just query that plop that in there, stringify objects, then I’ve won the game.

I can’t even inventory my attempts, the hours are lost to me forever. I roll into an APEX page to play there only to blow error after error. Eventually I suspect my data. A query with dbms_lob.getlength informs me that I have 44,036 characters in my clob. This exceeds my 32,767 limits on varchar2 stuff, good ole 2 to the 14th power. Ugh.

Achievement

Ok, I scriptified within PLSQL. There was no particular object-oriented elegance to the effort. I do have a real job that requires hours, effort, and attention. So far, I’ve burned at least 4 days on this effort. I must return to my real job.

RESTive

Brute-force programming results in ugly and longish code. It is also embarrassing. I’ll not publish my mess. I do have some ego left. While many of my efforts with API normally result in a restful state for myself, my writing, and even for data. This process left me entirely restive and frustrated.

Instead, I’ll publish the results:

https://g2235c8c2b07256-cmoore.adb.us-ashburn-1.oraclecloudapps.com/ords/cm/font/apex

Oracle PL/SQL Storing Large Objects on AWS S3

by

Abstract

Storing large files in an Oracle database can be expensive and cumbersome. The expense comes from the size of the on-line disk storage and the efforts to run backups with archive logs. Oracle Cloud Infrastructure introduced a REST API for large object storage (multi-media files, etc.) This feature has been available with Amazon Web Services (AWS) for years. I wrote and published an API for AWS S3 storage using PL/SQL in 2016 and 2017. With AWS S3, a development team can reliably store binary large objects (BLOB / multimedia files) securely and cost effectively. In this article, I’ll explore the advantages and updates I have made to the AWS S3 package.

Operational Challenge

When I went to play with AWS S3 in 2016, I discovered that the original work by Morten Braten and Jason Straub predated AWS’ version 4 security protocol. I have no memory of why I spent weeks working through my AWS4_S3_PKG that I published here: https://github.com/cmoore-sp/plsql-aws-s3 I am glad I did the work then.

Storm Petrel LLC earned a contract with the Government of Puerto Rico to support recovery efforts following the twin Hurricanes Irma and Maria that devastated the island during the autumn of 2017. By early 2018, we had 2,000 users on our Oracle APEX grants management application, Tempest-GEMS. Users entered financial data then uploaded supporting documentation (invoices, contracts) as PDF to our application. We stored these documents as BLOB in our Oracle table. We struggled to keep up with the demand for storage space. We also had an API that permitted specialty projects to upload documents. A few times, we experienced 20,000 new PDF in a single evening’s upload.

Data costs soared and our document table’s performance suffered some. When a document gets uploaded, we stored it in the table. Within 15 minutes, it would be duplicated into the transaction log by Oracle. Each evening, we ran full backups. Each weekend, we imaged our servers. 1 became 2, 2 becomes 4. If your archive/transaction log fills the disk space allocated, Oracle stops operating. We spent weeks chasing the exponential growth of our data storage.

On-line diskspace at AWS gets expensive with you get to very large sizes.

We created a support problem. We created a problem with escalating costs. We created a performance problem.

We identified decided to push our documents to external, long-term storage. The Oracle Cloud Infrastructure’s product did not then exist. Today, it would serve nicely as a solution. In February and March of 2018 rapidly implemented a process to store documents at AWS S3.

Storm Petrel’s Workflow

Our workflow took a very conservative approach. Our team supported the people of Puerto Rico through the early stages of a long-term financial recovery process. We must avoid failure and performance issues, both. People all over the islands were using mobile phones to push documents up to our application. We observed that pushing through Oracle directly to AWS S3 slowed the upload process – there was a two-hop between the user on a mobile network and the affirmative acknowledgement from AWS S3.

Storm Petrel opted to continue uploading the documents into a BLOB column within our documents table. We added several fields to this table:

  • S3 Bucket
  • S3 Prefix (file “path”)
  • S3 filename
  • S3 eTag
  • Document Filesize
  • S3 Version ID
  • S3 Last Modified Date
  • S3 Filesize
  • S3 Transferred
  • S3 confirmed
  • Status

These columns may appear redundant, but they provided us the incremental data we needed to be confident of our process.

  • A documents/multimedia file got uploaded to the table
    • The status set identify it remained in the table “only”
  • A DBMS scheduler job pushed the documents to S3
    • The status set to identify document is in the table and S3 “both”
    • We capture the S3 information such as eTag, version ID, modified date, filesize
  • A separate DBMS scheduler job confirms the S3 status. This runs hourly.
  • Weekly, on Sundays, we remove the BLOBs from the Oracle table that we have confirmed are present at S3

We could have chosen to be more aggressive with removing BLOBs from our table, executing the job daily. We would have saved space and thus costs for storage, but we took a balanced approach with costs and reliability. We run a full system image backup on Saturday nights. By deleting the BLOBs on Sunday, we gave ourselves a recovery path.

We executed this process on-the-fly while in production with thousands of simultaneous users.

By the end of 2018, we stored over 400,000 PDF documents. Those documents required 1.8Tb of storage at AWS S3. These were the financial records of over $5 billion U.S. grant moneys provided to the people and organizations of Puerto Rico – all of whom are U.S. citizen.

Storm Petrel did not win the long-term contract with Puerto Rico. That contract went to a much larger multi-national firm based in Canada. In December of 2018, we were tasked with providing the new contract with the documents. AWS S3 simplified the process of handing over the documents. The documents were isolated from our servers and databases. The hand-off resulted in very little risk to our systems.

On-Going Document Storage

Storm Petrel continues to support states and other organizations managing data related to disasters, including the COVID19 pandemic. The document storage process we implemented for Puerto Rico remains in place 2½ years later. The download process in Oracle APEX pulls from AWS S3 (or the Oracle table) seamlessly and rapidly. The user is never aware of the location and the download speed is fantastic (given your last-mile connection to Ye Olde Internet).

Challenges with Spanish

In the early days of pushing documents to AWS S3, we encountered challenges with filenames written in Spanish. Several of the characters commonly found on Spanish-based keyboard do not encode well for HTTP. We rapidly learned to use the document table’s primary key as the filename for S3. The filenames are entirely and totally ugly on AWS S3 given they are all strings of numbers.

PL/SQL AWS S3 Package Updated

Storm Petrel has written several application programming interfaces (API) in the recent years. I revisited my own work from 2016/2017. Some of that code includes work that dates to 2011. I strove to consolidate code more aggressively. The package has lost about 400 lines of code for the same performance.

AWS Workflow

Following the workflow above, these are the procedures/functions that get called.

  • A DBMS scheduler job pushed the documents to S3
    • Call procedure that loops through the document table for any document not yet pushed to S3
    • Calls AWS4_S3_PKG.Put_Object – copying the BLOB from the Oracle table to a designated AWS S3 bucket. “Key” to AWS is the file path.
  • A separate DBMS scheduler job confirms the S3 status. This runs hourly.
    • Calls procedure AWS4_S3_PKG.Object_Head – this process gets the HTTP “head” or header data from AWS. This biographical information provides us with the eTag, size, date, and last modified information in the headers returned from AWS (apex_web_service.g_headers).
    • We store the AWS object header data into our documents table after verifying the match.

We do not provide a means of deleting BLOBs nor the corresponding files on S3. We mark rows as “archived”. All of our queries, reports, procedures disregard data identified as archived (archived = ‘N’). We had engaged in this process long before arriving in Puerto Rico. Given that we work with financial funds related to the U.S. government, we tag data changes with date/time stamps, username, and the IP address of the change.

Of course, we did encounter a situation in 2018, where we were informed by the government that we’d lost 5,000 documents. They magically disappeared on a Saturday morning. Within an hour, we provided proof that the documents existed but were marked “archived” by a specific user. We provided the date, time, and IP address of the actions – actions that could only be executed with deliberate intent.

GitHub

I did nothing to maintain the PL/SQL code for the AWS S3 interface at my GitHub site for the last years. I know we had run into issues with bugs and such. The most common error is that our Oracle code and AWS disagreed about the time. Often it was the time zone offset from UTC.

I am not going to reconcile the old code with new. Instead, the code we’ve run in production is being posted. It is backwards compatible.

Please take from it as you will and enjoy.

The Github link is: https://github.com/cmoore-sp/plsql-aws-s3

Hey, of course, confidential stuff has been replaced with ‘xxxxx’. Do substitute your own API keys and such where needed.

Oracle PLSQL Template for RESTful API

by

Abstract

A key purpose of this blog entry is to communicate that we are publishing a template for PL/SQL-based API. It is located on my GITHub page (https://github.com/cmoore-sp/plsql-api.git) and communicates with a public website hosting public APIs.

Introduction

My first interesting exploration with writing API with Oracle APEX and PL/SQL involved exchanging data and documents between our database and AWS S3. It has been four years since I published that effort. In the ensuing years, our team continued to write API. We have benefited and appreciated the progressive improvements that Oracle made with writing these digital connectors. Release by release, year by year, Oracle smooths the process of connecting via HTTP and managing JSON data. In APEX 20.1, the team introduces us to APEX based wizard to exchange data via HTTP links.

A key purpose of this blog entry is to communicate that we are publishing a template for PL/SQL-based API. It is located on my GITHub page (https://github.com/cmoore-sp/plsql-api.git) and communicates with a public website hosting public APIs. I initially worked through the US Weather Service’s site. But when I hit it from Oracle, it denied me for the lack of authentication whereas I easily got data from Postman. C’est la vie. We’ve been using and refining this template for about 18 months, maybe longer.

Rarely is our goal writing code line by line. I reviewed our own work related to a data exchange link to the U.S. government’s FEMA data site. The version I wrote with the best tools at hand required 545 lines to parse JSON data. In 2021, that same effort took 124 lines. A quarter of the code to achieve the same results. The code is simpler, shorter, and easier to read. That all boils down to fewer errors and reduced development costs.

This is the first of a series blog posts related to writing application programming interfaces with Oracle PL/SQL. As I write this, I celebrate the APEX based efforts, which reduces code even further.

This blog is part of a series. The first dealt with error trapping and debug logging. That can be found here: Oracle APEX Standardize Error & Debugging

Design and Build an API with Oracle

Early Days

Step 1 research and explore. And do your early explorations with tools such as cURL or Postman or some tool other than Oracle. Sure, Oracle is the final destination so the data can mix happily with your tables. Tools like Postman provide better debugging and visibility into the feedback from the API host.

Frankly, the error messaging from Oracle is a bit too blunt – non-specific and incomplete. Postman-like tools provide granular assessments including status (200-OK), time, size. Postman provide a cURL version of the effort and the full suite of headers is visible. It is a Leatherman or Swiss Army knife of utilities.

Furthermore, given many of us use Oracle from a cloud-based site, launching API tests from there (AWS or Oracle Cloud or whereever) introduces several other layers of variables and potential issues such as:

  • Oracle-based Access Control Lists (ACL)
  • Oracle’s management of HTTPS / SSL certificates
  • Routing issues within the cloud environment
  • Cloud-based Access Control Lists
  • Cloud-based Firewalls and Web Application Firewalls

For example, our WAF denies stuff that looks like SQL – thinking it may be seeing an SQL injection attack. Scraping the Oracle’s 1980’s bias and the cloud-edge from early work saves those problems for later. Maybe it is all perfect, but in the early hours limit your variable and source of trouble.

While on Step 1 “Research and Explore”, read those API instructions carefully.

At Storm Petrel, we look for the ‘Long Pole in the Tent’ or that deep dark hole that will trap the effort. Somewhere in the API documentation and in your effort there is easy work and tough work. Something will hold the entire effort up – that dreaded long pole.

I tend to be suspicious of the authentication process. We tackle that first. We tried for months to nail down an API with PayPal and got utterly frustrated, so frustrated with shopped for another vendor. When we did, we researched the API documentation and access as an integral part of the purchase decision.

The cost of building and supporting an API ought to be part of the long-term analysis of selecting a remote partner. Many vendors provide a sandbox or developer’s access to the API. We pursue that before plonking down a credit card on recuring costs – well we did after the PayPal mess.

After years of writing and supporting API with Oracle PL/SQL and APEX, we state to ourselves – if it can be done with Postman it can be done with Oracle.

API Workflow and Table Architecture

With few exceptions, like my partner’s application to check the weather outside is window and the pool temperature, data from the outside ought to be buffered and isolated as it transitions into your curated databases. It is foreign data why trust it explicitly?

Our workflow and architecture goes as follows (when getting data from a remote site)

  1. Execute the HTTP GET
    1. Store the entire GET syntax in a table called API_STAGING
      1. API Name,
      2. Module name,
      3. Base URL
      4. Appended bit of the URL
      5. HTTP status code
      6. JSON response
      7. HTTP response
      8. Ok to Delete (a date field)
    2. A HTTP failure also stores the API staging data.
    3. This packages manages the API, and looping needed to fetch a large number of data rows, and error trapping.
  2. Parse the JSON data
    1. Using a loop, spin through the API_Staging data
    2. Query the new JSON data
    3. Merge data to intermediate Oracle table
      1. We create a table based on the JSON data
      2. We name fields as close as possible to the JSON names
      3. We add a few fields to dates of updates and add – basic management
    4. Mark rows in the API_Staging table that they can be deleted after the JSON data has been successfully placed into Oracle tables as needed
  3. Merge with the real data inside the application
    1. We can validate primary keys and foreign keys
    2. Confirm integrity of the data
    3. Isolate and report on any anomalous data

When updating remote data with a POST or PUT, the process goes in reverse. We progressively convert the data and log each action. When ready, we put the out-bound data (a blob or clob) in the API staging table.

Tables

  • API Staging – tracks the API activity, behaves like a log for API calls and responses
  • Intermediate Tables – tables that mimic the JSON data structures but using classic relational database tools. We mimic JSON field names where possible.
  • Production Tables – These tables become the destination for the API data (or the source if sending out with a RESTful POST or PUT)

Data Merge

Historically, I have been comparing a few key elements of data to test if a change exists. Some API, such as FEMA, includes their last update date and a hash value. I can easily compare these. After examining work done by the Oracle APEX development team, I noticed that they are doing an MD hash of an entire row of data. I lifted their procedure into some tests recently.

They converted dates/timestamps to varchar2. They also converted numbers to varchar2. The first time I used their process, I got snagged by null values in fields. I updated the procedure to include an NVL. Now, new data gets inserted. Data that appears the same, I run through hash it, then compare old and new.

function api_publicAPI_MD5 (
  P_ROW  in api_publicAPI%rowtype
) return varchar2
as
  l_procedure	  varchar2(100) := 'api_publicapi_staging.api_publicAPI_MD5';
begin  
  -- please convert all values to VARCHAR with consistent formats and manage nulls
  -- such as to_char("P_ACTION_DATE",'yyyymmddhh24:mi:ss'), etc
  return apex_util.get_hash(
    apex_t_varchar2(
     nvl(P_ROW.api_name,'^')
     ,nvl(P_ROW.description,'^')
     ,nvl(P_ROW.auth,'^')
     ,nvl(P_ROW.https,'^')
     ,nvl(P_ROW.cors,'^')
     ,nvl(P_ROW.link,'^')
     ,nvl(P_ROW.category,'^')
     ));		
end api_publicAPI_MD5;

Template for API

As mentioned above, I am publishing an API template written in PL/SQL on my Github site. I endeavored to find an API site that did not require registration or authentication so that this package could run easily. API sites that are fully open run the risk of denial-of-service attacks. I respect the need for authentication. I did not include much guidance on authentication. We’ve rarely encountered the same rules twice. We plod through that effort after registering an account. Sorry.

The files include:

1. API_SETUP (procedure)

This procedure establishes a couple of tables

  1. API_STAGING for the logging of API data in a native format
  2. API_PUBLICAPI mimics the Public API data structure. Sorry for the awkward name. Our standard involves starting with “API_” then the name of the destination. In this case the destination is “PublicAPI”

2. API_PUBLICAPI_PKG

Again sorry about the stupid name. Our standard is API_Destination_PKG so when the damn thing is called PublicAPI, it looks odd. This package does the HTTP GET and stores the resultant data in the API_STAGING table. The package includes standard code for all normal aspects of a RESTful API. It also references a proxy. In some cases, we use an Apache server to proxy our calls. This permits us to bypass the misery of the Oracle certificate management stuff.

3. API_PUBLICAPI_STAGING

This package page loops through the API_STAGING table to parse the JSON data into an Oracle table. It has a few tricks for querying JSON data.

Close

I will cover detailed elements in upcoming blogs. We’ve have learned and struggled with JSON queries. Some of the features are not well documented.

Have fun, be safe.

Christina Moore (@cmoore_sp)