Skip Headers
Oracle® Database Real Application Security Administrator's and Developer's Guide
12c Release 1 (12.1)

E10479-19
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

3 Configuring Application Sessions

This chapter contains:

About Application Sessions

An application session contains information relevant to the application and its user. An application session stores application session state as a collection of attribute-value pairs. These attribute value pairs are divided into namespaces. Unlike traditional heavyweight database sessions, an application session does not hold its own database resources, such as transactions and cursors. Because application sessions consume far fewer server resources than heavyweight sessions, an application session can be dedicated to each end application user. An application session can persist in the database and resume later with minimal cost.

To configure an application session, you work in two phases:

  1. You create and maintain the application session.

  2. You can manipulate the session state during the life of the session.

You can use either PL/SQL APIs or Java APIs to configure application sessions. This chapter describes the programmatic creation, use, and maintenance of application sessions in PL/SQL, and includes specific links to comparable Java information.

The following table provides generic links to more information about these topics.

This section contains:

Application Sessions in Real Application Security

Figure 3-1 shows a Real Application Security architecture diagram and indicates how application sessions fit into it. The figure shows applications creating application sessions in the database. Some of these application sessions are associated with traditional database (DB) sessions.

Figure 3-1 also shows other components of Real Application Security such as ACLs, application privileges, application users, and application roles.

Figure 3-1 Real Application Security Architecture

Description of Figure 3-1 follows
Description of "Figure 3-1 Real Application Security Architecture"

Advantages of Application Sessions

Application sessions have functional advantages over traditional database sessions. For example, traditional database sessions are typically unaware of the end user identities or the security policies for those end users. On the contrary:

  • Application sessions encapsulate end user's security context. They enable applications to use database authorization mechanisms for access control based on the end user identity.

  • An application session can be associated with multiple database sessions simultaneously.

  • They are accessible by all nodes in an Oracle Real Application Clusters (Oracle RAC) environment.

Application sessions have these performance advantages over traditional database sessions:

  • They can be created with less overhead than traditional database sessions.

  • They can persist in the database and resume later with minimal cost.

  • Real Application Security can collect session attribute changes and session states on the client, using caches. Then, these changes are appended to the database until the next database roundtrip, reducing the number of database roundtrips.

Creating and Maintaining Application Sessions

This section contains:

Creating an Application Session

You can create an application session using the DBMS_XS_SESSIONS.CREATE_SESSION procedure in PL/SQL or using the createSession method of the XSSessionManager class in Java. To create an application session, the invoking user needs CREATE_SESSION application privilege. This privilege can be obtained through XS_SESSION_ADMIN Database role or by XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE API call (see "GRANT_SYSTEM_PRIVILEGE Procedure" for more information). CREATE_SESSION procedure populates the unique identifier of the newly created session in sessionid out parameter. This unique identifier can be used to refer to the session in future calls. The DBA_XS_SESSIONS data dictionary view displays all the application sessions in the database.

You can also specify a list of namespaces to be created when the session is created. If you specify namespaces during creation of the session, the caller must have application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or the ADMIN_NAMESPACE system privilege.

Example 3-1 shows how to create an application session with lwuser1.

Example 3-1 Creating an Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
END;

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "CREATE_SESSION Procedure"
The syntax of the Java createSession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Create a Real Application Security Session in Java"

Creating an Anonymous Application Session

You can also create an anonymous application session using the DBMS_XS_SESSIONS.CREATE_SESSION procedure in PL/SQL or using the createAnonymousSession method of the XSSessionManager class in Java. To create an anonymous session through the PL/SQL API, you must specify the predefined user name XSGUEST.

Example 3-2 shows how to create an anonymous session with the predefined user XSGUEST.

Example 3-2 Creating an Anonymous Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('XSGUEST', sessionid);
END;

After creating an anonymous application session, you can assign a named user to the session.

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "CREATE_SESSION Procedure"
The syntax of the Java createAnonymousSession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Create a Real Application Security Session in Java"

Attaching an Application Session to a Traditional Database Session

To use an application session, it must be associated with a database session. This operation is called attach. You can attach an application session to a traditional database session using the DBMS_XS_SESSIONS.ATTACH_SESSION procedure in PL/SQL or the attachSession method of the XSSessionManager class in Java. A database session can only attach one application session at a time. The DBA_XS_ACTIVE_SESSIONS dynamic data dictionary view displays all attached application sessions in the database.

To execute this procedure, the traditional session user must have the ATTACH_SESSION application privilege. This privilege can be obtained through the XS_SESSION_ADMIN Database role or by the XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE API call. If you specify namespaces, then the user is required to have the application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or ADMIN_NAMESPACE system privilege.

Example 3-3 shows how to attach an application session to a database session.

Example 3-3 Attaching an Application Session

DECLARE
  sessionid raw(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
END;

To attach a session with dynamic roles, a list of dynamic roles can be passed in attach.

Note:

When developing the application, ensure that all application end user actions are captured within an ATTACH_SESSION ... DETACH_SESSION programming block. (For more information, see "Detaching an Application Session from a Traditional Database Session").

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "ATTACH_SESSION Procedure"
The syntax of the Java attachSession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Attach a Real Application Security Session in Java"

Setting a Cookie for an Application Session

You can associate a specific cookie with an application session using the DBMS_XS_SESSIONS.SET_SESSION_COOKIE procedure in PL/SQL or the setCookie method of the XSSessionManager class in Java. The cookie can also be associated at the time of creation of the session through the CREATE_SESSION PL/SQL API.

To execute this procedure, the user must be granted the MODIFY_SESSION application privilege. This privilege can be obtained through the XS_SESSION_ADMIN Database role or by the XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE API call.

Example 3-4 shows how to set a cookie for an application session.

Example 3-4 Setting a Cookie for an Application Session

DECLARE
  sessionid raw(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.SET_SESSION_COOKIE('Cookie1', sessionid);
END;

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "SET_SESSION_COOKIE Procedure"
The syntax of the Java setCookie method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Set the Secure Session Cookie in Java"

Assigning an Application User to an Anonymous Application Session

You can assign a named application user to a currently attached anonymous application session using the DBMS_XS_SESSIONS.ASSIGN_USER procedure in PL/SQL or the assignUser method of the XSSessionManager class in Java. Assigning a user changes the user session from anonymous to a named user.

To execute this procedure, the dispatcher or connection user must have the ASSIGN_USER application privilege. This privilege can be obtained through the XS_SESSION_ADMIN Database role or by the XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE API call. If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or ADMIN_NAMESPACE system privilege. A list of dynamic roles can also be enabled using the DBMS_XS_SESSIONS.ASSIGN_USER procedure.

Example 3-5 shows how to assign the application user lwuser1 to an application session.

Example 3-5 Assigning an Application User to an Application Session

DECLARE
  sessionid raw(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('XSGUEST', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.ASSIGN_USER('lwuser1');
END;

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "ASSIGN_USER Procedure"
The syntax of the Java assignUser method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Assign an Application User to a Session in Java"

Switching Current Application User to Another Application User in Current Application Session

You can switch or proxy the security context of the current application session to a newly initialized security context for a specified application user using the DBMS_XS_SESSIONS.SWITCH_USER procedure in PL/SQL or the switchUser method of the Session interface in Java. To proxy another application user, the current application session user must be set up as a proxy user for the target user before performing the switch operation. This is performed through the XS_PRINCIPAL.ADD_PROXY_USER PL/SQL API.

Switching a user changes the user session between two named users.

If the target application user of the proxy operation has a list of filtering roles (proxy roles) set up for the proxy user, they are enabled in the session.

You can either retain or clear the application namespace and attributes after a switch operation. When the keep_state parameter is set to TRUE, all application namespaces and attributes are retained; otherwise, all previous state in the session is cleared.

If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or the ADMIN_NAMESPACE system privilege.

Example 3-6 shows how to switch the application user lwuser1 to application user lwuser2 in the current application session. Note that namespace templates ns1 and ns2 should have already have been created by SYSDBA.

Example 3-6 Switching an Application User to Another Application User in the Current Application Session

DECLARE
  sessionid RAW(16);
  nsList DBMS_XS_NSATTRLIST;
BEGIN 
  nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.SWITCH_USER(username => 'lwuser2',
                               keep_state => TRUE,
                               namespaces => nsList);
END;

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "SWITCH_USER Procedure"
The syntax of the Java assignUser method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Switch an Application User in a Session in Java"

Configuring Global Callback Event Handlers for an Application Session

A global callback event handler is a predefined PL/SQL procedure that can be invoked to inspect, log, and modify the session state when certain session events of interest occur. You can add multiple global callback event handlers on a session event. After you create the PL/SQL procedure, you can register or deregister, or enable or disable it using these procedures, respectively:

  • DBMS_XS_SESSIONS.ADD_GLOBAL_CALLBACK

    Use this procedure to register a callback event handler.

  • DBMS_XS_SESSIONS.DELETE_GLOBAL_CALLBACK

    Use this procedure to deregister a global callback.

  • DBMS_XS_SESSIONS.ENABLE_GLOBAL_CALLBACK

    Use this procedure to enable or disable a global callback procedure by specifying a value of TRUE for enable or FALSE for disable.

To execute these APIs the user must have the CALLBACK application privilege. This can be obtained through the XSPROVISIONER application role or by calling the XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE API. You can configure one or more global callback event handlers for use in an application session. If you configure multiple callback event handlers, Oracle Database executes the handlers in the order in which they were created.

Optionally, you can follow these steps to change the execution order:

  1. Run the DBMS_XS_SESSIONS.DELETE_GLOBAL_CALLBACK procedure to deregister any existing callback.

  2. Run the DBMS_XS_SESSIONS.ADD_GLOBAL_CALLBACK procedure to register the callback.

Table 3-1 lists session events that can use callback event handlers.

Table 3-1 Session Events That Can Use Callback Event Handlers

Session Event When the Callback Will Be Executed

Creating a new application session

After the session is created.

Attaching to an existing application session

After the session is attached.

Enabling a dynamic application role

After a dynamic application role is enabled.

Disabling a dynamic application role

After a dynamic application role is disabled.

Direct login of an application session

After the session is attached (if the session attach is called as part of the direct logon of an application session).

Assigning a named application user to an anonymous application session

After the named user is assigned to the anonymous application session.

Proxying from one named application user to another named application user

After the application user is switched (if the application user is not proxying back to the original application user).

Proxying back from a named application user to the original application user

After the application user is switched (if the application user is proxying back to the original application user).

Enabling a regular application role

After the application role is enabled.

Disabling a regular application role

After the application role is disabled.

Detaching from an existing application session or database session

Before the session is detached.

Terminating an existing application session or database session

Before the session is destroyed.

Direct logoff of an application session or database session

Before the session is detached (if the session detach is called as part of the direct logoff of an application session).


Suppose you want to initialize certain application-specific states after creating a session. Example 3-7 shows how to register a global callback that sets up the state CALLBACK_PROC, which is defined in the package CALLBACK_PKG and owned by the schema CALLBACK_SCHM.

Example 3-7 Registering a Global Callback in an Application Session

BEGIN
  DBMS_XS_SESSIONS.ADD_GLOBAL_CALLBACK 
   (DBMS_XS_SESSIONS.CREATE_SESSION_EVENT, 
   'CALLBACK_SCHM','CALLBACK_PKG','CALLBACK_PROC');
END;
/

The state CALLBACK_PROC is registered as a global callback for the event CREATE_SESSION_EVENT.

For more examples, and for details about the syntax of these procedures, see the following:

Saving an Application Session

You can save the current user application session using the DBMS_XS_SESSIONS.SAVE_SESSION procedure in PL/SQL or the saveSession method of the XSSessionManager class in Java. Use the save operation when session changes need to be propagated immediately to other sessions using the same session as this one. If the save operation is not used, then the session changes would be reflected in other sessions only after this session is detached.

The calling user requires no privileges to perform this operation.

Example 3-8 shows how to save the current user application session.

Example 3-8 Saving the Current User Application Session

BEGIN
 SYS.DBMS_XS_SESSIONS.SAVE_SESSION;
END;

The following table provides links to additional information about these topics.

For... See Also
The syntax of these PL/SQL procedures "SAVE_SESSION Procedure"
The syntax of the Java detachSession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Save a Real Application Security External User Session"

Detaching an Application Session from a Traditional Database Session

You can detach an application session from the traditional database session using either of these procedures:

  • DBMS_XS_SESSIONS.DETACH_SESSION(abort => FALSE)

    Use this procedure to detach the session and commit any changes that were made since the last time session changes were saved. When you specify the abort parameter as FALSE (the default value), all changes performed in the current session are persisted. The currently attached user can perform this operation without any additional privileges.

    DETACH_SESSION is always performed on the currently attached session.

  • DBMS_XS_SESSIONS.DETACH_SESSION(abort => TRUE)

    Use this procedure to detach the session without saving the changes. When you specify the abort parameter as TRUE, it rolls back the changes performed in the current session. The role and namespace changes made to the session since the attach are discarded.

Example 3-9 shows how to detach an application session from a database session and commit the changes. Note that you can call DETACH_SESSION anywhere to detach the currently attached session.

You can use the detachSession method of the XSSessionManager class in Java.

Example 3-9 Detaching and Committing an Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
...
  DBMS_XS_SESSIONS.DETACH_SESSION;
...
END;

Example 3-10 shows how to detach a database session from an application session without saving any changes.

Example 3-10 Detaching and Not Committing an Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
...
  DBMS_XS_SESSIONS.DETACH_SESSION(TRUE);
END;

Note:

When developing the application, ensure that all application end user actions are captured within an ATTACH_SESSION ... DETACH_SESSION programming block. (For more information, see "Attaching an Application Session to a Traditional Database Session")

The following table provides links to additional information about these topics.

For... See Also
The syntax of these PL/SQL procedures "DETACH_SESSION Procedure"
The syntax of the Java detachSession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Detach a Real Application Security Session in Java"

Destroying an Application Session

You can terminate an application session using the DBMS_XS_SESSIONS.DESTROY_SESSION procedure in PL/SQL or using the destroySession method of the XSSessionManager class in Java. This procedure also detaches all traditional sessions from the application session.

To execute this procedure, the invoking user must have the TERMINATE_SESSION application privilege. This privilege can be obtained through the XS_SESSION_ADMIN Database role or by the XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE API call.

Example 3-11 shows how to destroy an application session.

Example 3-11 Destroying an Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid);
END;

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "DESTROY_SESSION Procedure"
The syntax of the Java destroySession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Destroy a Real Application Security Session in Java"

Manipulating the Application Session State

This section contains:

Using Namespace Templates to Create Namespaces

An application uses a namespace to store application defined attribute-value pairs. Often, an application needs to use the same namespace across different application sessions. A namespace template provides a way to define and initialize a namespace.

A namespace template defines the namespace and its properties. It is used to initialize the namespace in an application session. The namespace name must be the same as the template that defines it.

This section contains:

Components of a Namespace Template

A namespace template includes the following:

  • Name of the namespace

    The name of the application namespace uniquely identifies the namespace. This name is used when creating the namespace in an application session.

  • Namespace handler

    The namespace handler is called when an attribute value is set or retrieved. Specifying a handler is optional.

    Namespaces can be associated with an event handling function. The server invokes this function whenever an operation on an attribute registered for event handling is performed. The event handling function is provided with the attribute name, attribute value, and the event code as arguments. For example:

    FUNCTION event_handling_function_name(
             session_id IN RAW,
             namespace  IN VARCHAR2,
             attribute  IN VARCHAR2,
             old_value  IN VARCHAR2,
             new_value  IN VARCHAR2,
             event_code IN PLS_INTEGER)
    RETURNS PLS_INTEGER;
    
  • Attribute List

    The attribute list includes the attributes defined for the namespace. These attributes are created in the session when the namespace is created.

    You can specify the following optional data for attributes:

    • The default value

      The attribute is initialized with the default value when the namespace is created in the application session. The default value and the event types FIRSTREAD_EVENT and FIRSTREAD_PLUS_UPDATE_EVENT cannot exist at the same time.

    • Event types

      You can specify the following event types for an attribute:

      • FIRSTREAD_EVENT

        Specify this event type to call the namespace handler when an attribute whose value has not been set is read for the first time. You can specify this event type only if a default value has not been set for the attribute.

      • UPDATE_EVENT

        Specify this event type to call the namespace handler when the attribute value is updated.

      • FIRSTREAD_PLUS_UPDATE_EVENT

        Specify this event type to call the namespace handler when an attribute whose value has not been set is read for the first time, or when its value is updated. You can specify this event type only if a default value has not been set for the attribute.

  • Namespace ACL

    The privilege model for namespace operations. Namespace operations are protected by the ACL set on the template. By default, NS_UNRESTRICTED_ACL is set on a template, which allows unrestricted operation on namespaces created from the templates.

Namespace Views

You can find information about namespace templates, namespace template attributes, and namespace attributes in current and all application sessions by querying these data dictionary views:

Creating a Namespace Template for an Application Session

You can create a namespace template using the XS_NAMESPACE.CREATE_TEMPLATE procedure in PL/SQL or the createNamespace method of the Session interface in Java.

Example 3-12 shows how to create the namespace template ns1 for an application session. It defines the attributes for this namespace using the list of attributes attrs. Because this namespace template has NS_UNRESTRICTED_ACL set on the template, this allows unrestricted operation on namespaces created from the template.

The calling user must have the ADMIN_ANY_SEC_POLICY application privilege, which allows it to administer namespace templates and attributes.

Example 3-12 Creating a Namespace Template

DECLARE
  attrs XS$NS_ATTRIBUTE_LIST;
BEGIN
  attrs := XS$NS_ATTRIBUTE_LIST();
  attrs.extend(3);
 
  attrs(1) := XS$NS_ATTRIBUTE('attr1','value1',
    XS_NAMESPACE.UPDATE_EVENT);
  attrs(2) := XS$NS_ATTRIBUTE('attr2',null,
    XS_NAMESPACE.FIRSTREAD_PLUS_UPDATE_EVENT);
  attrs(3) := XS$NS_ATTRIBUTE('attr3','value3');
 
  XS_NAMESPACE.CREATE_TEMPLATE(name=>'ns1',
                               description=>'namespace template 1',
                               attr_list=>attrs,
                               schema=>'SCOTT',
                               package=>'PKG1',
                               function=>'FN1',
                               acl=>'SYS.NS_UNRESTRICTED_ACL');
END;
/

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "CREATE_TEMPLATE Procedure"
The syntax of the Java createNamespace method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Create a Namespace in Java"

Initializing a Namespace in an Application Session

A namespace can be initialized, using a namespace template, during any of the following events, as described in this section:

Initializing a Namespace When the Session Is Created

When you create an application session using the DBMS_XS_SESSIONS.CREATE_SESSION procedure in PL/SQL or the createSession method of the XSSessionManager class in Java, you can specify a list of namespaces to initialize.

Example 3-13 shows how to initialize two namespaces, ns1 and ns2, while creating an application session.

If you specify namespaces during creation of the session, the caller is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or be granted the ADMIN_NAMESPACE system privilege.

Example 3-13 Initializing Namespaces When Creating an Application Session

DECLARE
  nsList DBMS_XS_NSATTRLIST;
  sessionid RAW(16);
BEGIN
    nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
    DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid, FALSE, FALSE, nsList);
END;
/

Note:

The namespaces used in Example 3-13 must already have corresponding namespace templates defined.

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "CREATE_SESSION Procedure"
The syntax of the Java createSession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Create a Real Application Security Session in Java"

Initializing a Namespace When the Session Is Attached

When you attach the session using the DBMS_XS_SESSIONS.ATTACH_SESSION procedure in PL/SQL or using the attachSession method of the XSSessionManager class in Java, you can specify a list of namespaces to initialize.

Example 3-14 shows how to initialize two namespaces, ns1 and ns2, while attaching an application session.

If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or the ADMIN_NAMESPACE system privilege.

Example 3-14 Initializing Namespaces When Attaching an Application Session

DECLARE
  nsList DBMS_XS_NSATTRLIST;
  sessionid RAW(16);
BEGIN
    nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
    DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
    DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid, NULL, NULL, NULL, NULL, nsList);
END;
/

Note:

The namespaces used in Example 3-14 must already have corresponding namespace templates defined.

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "ATTACH_SESSION Procedure"
The syntax of the Java attachSession method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Attach a Real Application Security Session in Java"

Initializing a Namespace When a Named Application User Is Assigned to an Anonymous Application Session

When you assign an application user to an application session using the DBMS_XS_SESSIONS.ASSIGN_USER procedure in PL/SQL or the assignUser method of the XSSessionManager class in Java, you can specify a list of namespaces to initialize.

If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or ADMIN_NAMESPACE system privilege.

Example 3-15 shows how to initialize two namespaces, ns1 and ns2, while assigning an application user to an application session.

Example 3-15 Initializing Namespaces When Assigning an Application User to an Application Session

DECLARE
  sessionid RAW(30);
  nsList DBMS_XS_NSATTRLIST;
BEGIN 
  nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
  DBMS_XS_SESSIONS.CREATE_SESSION('XSGUEST', sessionid);
  DBMS_XS_SESSIONS.ASSIGN_USER(username => 'lwuser2',
                               sessionid => sessionid,
                               namespaces => nsList);
END;
/

Note:

The namespaces used in Example 3-15 must already have corresponding namespace templates defined.

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "ASSIGN_USER Procedure"
The syntax of the Java assignUser method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Assign an Application User to a Session in Java"

Initializing a Namespace When the Application User Is Switched in an Application Session

When you switch an application user in an application session using the DBMS_XS_SESSIONS.SWITCH_USER procedure in PL/SQL or using the switchUser method of the Session interface in Java, you can specify a list of namespaces to initialize.

If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or the ADMIN_NAMESPACE system privilege.

Note:

To enable the switch from lwuser1 to lwuser2 after attaching the session, you must first define lwuser2 as the target user for lwuser1, as follows:
exec XS_PRINCIPAL.ADD_PROXY_USER('lwuser2', 'lwuser1');

Example 3-16 shows how to initialize two namespaces, ns1 and ns2, while switching an application user in an application session.

Example 3-16 Initializing Namespaces When Switching an Application User in an Application Session

DECLARE
  sessionid RAW(30);
  nsList DBMS_XS_NSATTRLIST;
BEGIN 
  nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.SWITCH_USER(username => 'lwuser2',
                               namespaces => nsList);
END;
/

Note:

The namespaces used in Example 3-16 must already have corresponding namespace templates defined.

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "SWITCH_USER Procedure"
The syntax of the Java switchUser method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Switch an Application User in a Session in Java"

Initializing a Namespace Explicitly

You can explicitly initialize a namespace in an application session using the DBMS_XS_SESSIONS.CREATE_NAMESPACE procedure in PL/SQL or the createNamespace method of the Session interface in Java.

To execute the DBMS_XS_SESSIONS.CREATE_NAMESPACE procedure, the calling user must have the MODIFY_NAMESPACE application privilege on the namespace or the ADMIN_NAMESPACE system privilege.

Example 3-17 shows how to explicitly initialize a namespace, ns1, in an application session.

Example 3-17 Initializing a Namespace Explicitly in an Application Session

DECLARE
  sessionid RAW(30);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.CREATE_NAMESPACE('ns1');
END;
/

Note:

The namespace used in Example 3-17 must already have a corresponding namespace template defined.

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "CREATE_NAMESPACE Procedure"
The syntax of the Java createNamespace method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Create a Namespace in Java"

Setting Session Attributes in an Application Session

You can set the value of a specific session attribute using the DBMS_XS_SESSIONS.SET_ATTRIBUTE procedure in PL/SQL or the setAttribute method of the SessionNamespace interface method in Java.

The calling user is required to be granted the MODIFY_ATTRIBUTE application privilege on the namespace or the ADMIN_NAMESPACE system privilege.

Note:

An attribute can store a string value up to 4000 characters long.

Example 3-18 shows how to set a value, val1, for an attribute, attr1, of the application session.

Example 3-18 Setting a Namespace Attribute for an Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBS_XS_SESSIONS.CREATE_NAMESPACE('ns1');
  DBMS_XS_SESSIONS.SET_ATTRIBUTE('ns1', 'attr1', 'val1');
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid);
END;
/

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "SET_ATTRIBUTE Procedure"
The syntax of the Java setAttribute method (in Javadoc format) Oracle Database Real Application Security Java API Reference
Information about this task in Java "Setting a Session Namespace Attributes"

Getting Session Attributes in an Application Session

You can retrieve the value of a specific session attribute using the DBMS_XS_SESSIONS.GET_ATTRIBUTE procedure in PL/SQL or using the getAttribute method of the SessionNamespace interface method in Java.

The calling user is not required to be granted any privileges to get attributes using the DBMS_XS_SESSIONS.GET_ATTRIBUTE procedure.

Note:

If an attribute value has not been set, and the FIRSTREAD_EVENT has been specified for the attribute, then an attempt to read the the attribute value triggers a call to the namespace event handler. The namespace event handler procedure typically sets a value for the attribute, and performs other application-specific processing tasks.

Example 3-19 shows how to retrieve an attribute, attr1, of the application session.

Example 3-19 Getting a Namespace Attribute for an Application Session

DECLARE
  sessionid RAW(16);
  attrib_out_val VARCHAR2(4000);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.CREATE_NAMESPACE('ns1');
  DBMS_XS_SESSIONS.SET_ATTRIBUTE('ns1', 'attr1', 'val1');
  DBMS_XS_SESSIONS.GET_ATTRIBUTE('ns1', 'attr1', attrib_out_val);
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid);
END;
/

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "GET_ATTRIBUTE Procedure"
The syntax of the Java getAttribute method (in Javadoc format) Oracle Database Real Application Security Java API Reference
Information about this task in Java "Getting a Session Namespace Attributes"

Creating Custom Attributes in an Application Session

You can create custom attributes in a namespace using the DBMS_XS_SESSIONS.CREATE_ATTRIBUTE procedure in PL/SQL or the createAttribute method of the SessionNamespace interface method in Java.

Custom attributes differ from template attributes. Template attributes are part of the namespace template, and are automatically created in the session when the namespace is created. Custom attributes are programmatically created in a namespace, using the CREATE_ATTRIBUTE procedure.

The calling application is required to be granted the MODIFY_ATTRIBUTE application privilege on the namespace or the ADMIN_NAMESPACE system privilege.

Example 3-20 shows how to create a custom attribute, customattr, in a namespace of the application session.

Example 3-20 Creating a Custom Namespace Attribute for an Application Session

DECLARE
  sessionid RAW(16);
  attrib_out_val VARCHAR2(4000);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.CREATE_NAMESPACE('ns1');
  DBMS_XS_SESSIONS.CREATE_ATTRIBUTE('ns1','customattr','default_value_custom',NULL);
  DBMS_XS_SESSIONS.SET_ATTRIBUTE('ns1','customattr','newvalue');
  DBMS_XS_SESSIONS.GET_ATTRIBUTE('ns1', 'customattr', attrib_out_val);
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid);
END;
/

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "CREATE_ATTRIBUTE Procedure"
The syntax of the Java createAttribute method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Create a Session Namespace Attribute in Java"

Deleting a Namespace in an Application Session

You can delete a namespace and all attributes identified by it from an application session using the DBMS_XS_SESSIONS.DELETE_NAMESPACE procedure in PL/SQL or the deleteAttribute method of the SessionNamespace interface method in Java.

The calling user must have the MODIFY_NAMESPACE application privilege on the namespace or the ADMIN_NAMESPACE system privilege.

Example 3-21 shows how to delete a namespace ns1 from an application session.

Example 3-21 Deleting a Namespace in an Application Session

DECLARE
  sessionid RAW(16);
  out_value VARCHAR2(4000);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.CREATE_NAMESPACE('ns1');
  DBMS_XS_SESSIONS.SET_ATTRIBUTE('ns1', 'attr1', 'val1');
  DBMS_XS_SESSIONS.GET_ATTRIBUTE('ns1', 'attr1', out_value);
  DBMS_XS_SESSIONS.DELETE_NAMESPACE('ns1');
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid);
END;
/

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "DELETE_NAMESPACE Procedure"
The syntax of the Java deleteNamespace method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Delete a Namespace in Java"

Enabling Application Roles for a Session

You can enable only directly granted regular application roles of an application session user using the DBMS_XS_SESSIONS.ENABLE_ROLE procedure in PL/SQL or the enableRole method of the Session interface in Java.

The DBA_XS_SESSION_ROLES dynamic data dictionary view lists application roles enabled in all application sessions. The V$XS_SESSION_ROLES dynamic data dictionary view lists application roles enabled in the currently attached application session.

Example 3-22 shows how to enable a role in an application session.

Example 3-22 Enabling a Role in an Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.ENABLE_ROLE('auth1_role');
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid);
END;
/

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "ENABLE_ROLE Procedure"
The syntax of the Java enableRole method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Enable a Real Application Security Application Role in Java"

Disabling Application Roles for a Session

You can disable application roles for a specific session using the DBMS_XS_SESSIONS.DISABLE_ROLE procedure in PL/SQL or the disableRole method of the Session interface in Java.

Example 3-23 shows how to disable a role in an application session.

Example 3-23 Disabling a Role in an Application Session

DECLARE
  sessionid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
  DBMS_XS_SESSIONS.ENABLE_ROLE('auth1_role');
  DBMS_XS_SESSIONS.DISABLE_ROLE('auth1_role');
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid);
END;
/

The following table provides links to additional information about this topic.

For... See Also
The syntax of this PL/SQL procedure "DISABLE_ROLE Procedure"
The syntax of the Java disableRole method (in Javadoc format) Oracle Database Real Application Security Java API Reference
A Java example of this task "How to Disable a Real Application Security Application Role in Java"

Administrative APIs for External Users and Roles

This section describes the following administrative APIs that are required for external users and roles: