VPD "Lost" after validation fails
We have a custom in house VPD. In the application security section, under VPD, we call a procedure which sets our security context client_id in order to be used to make context references within secure views.
In our page we have a simple select list which is run against a "secure" view. Once the user selects a value they hit continue to go on. A validation is put in place to make sure that a value has been selected.
If the validation fails, we go back to the page and the validation error message displays (as it should) however the select list has no values. After doing a lot of testing, references to any view that uses the VPD returns no values when a validation fails.
We've done some test and it appears that the following happens:
- On a page submit the VPD function gets called (as per the application security / vpd)
- Validations are performed
- If validation fails, run: dbms_session.clear_identifier;
- Load the page along with the appropriate error messages.
Is this correct? Is their anyway around this?
We have tried to set an application process to run before header which would run the same function as that called in the VPD section, however the process isn't run when a validation fails.
APEX sets client identifier to: APP_USER:APP_SESSION. CLIENT_INFO is set to just APP_USER. Try the following query from the SQL Workshop as well as a region on a page to give you a better idea of what APEX sets:select sys_context('USERENV','CURRENT_SCHEMA') CURRENT_SCHEMA,sys_context('USERENV','SESSION_USER') SESSION_USER,
sys_context('USERENV','MODULE') module,sys_context('USERENV','ACTION') action,
sys_context('USERENV','CLIENT_INFO') CLIENT_INFO, sys_context('USERENV','CLIENT_IDENTIFIER') CLIENT_IDENTIFIER
from dualI would probably include the IP Address of your HTTP Servers in the policy to make sure it's not someone connecting from SQL*Plus: sys_context('USERENV', 'IP_ADDRESS')