1
PL/SQL Gateway Overview

Oracle9i Application Server consolidates Oracle's middle-tier products into a single solution for development and deployment of Web applications. The standard version of Oracle9i Application Server version 1.0 includes:

• Oracle HTTP Server (powered by Apache) and Servlet Engine

• Oracle Java Server Pages (JSP) Engine

• PL/SQL Gateway

• Oracle 8i Cache

• Oracle Tools (included in Enterprise Edition)

The PL/SQL Gateway provides support for building and deploying PL/SQL-based applications on the Web. PL/SQL stored procedures can retrieve data from database tables and generate HTTP responses containing data and code to display in a Web browser. The PL/SQL Gateway supports other Oracle products such as Oracle Portal 3.0 and includes a number of new features.

1.1 PL/SQL Gateway Configurations

The database session state includes the state of PL/SQL package variables, application state, and transaction state.

In a stateless environment, each HTTP request from a client maps to a new database session. Application state is typically maintained in HTTP cookies or database tables. Transaction state cannot span across requests. If a PL/SQL procedure executes successfully, an implicit commit is performed. If it executes with an error, an implicit rollback is performed.

In a stateful environment, each HTTP request from a client maps to the same database session. Application state is preserved in PL/SQL package variables. A transaction can span across requests because no implicit commits or rollbacks are performed

Oracle9i Application Server provides two configurations for deploying PL/SQL-based Web applications:

• Oracle9i Application Server and mod_plsql support running in stateless mode only. This is the recommended configuration for users who want to develop stateless PL/SQL-based Web applications. In stateless mode, mod_plsql has a connection pooling mechanism that can keep database sessions open between HTTP requests.

• Oracle9i Application Server and mod_ose support running in both stateless and stateful mode. This is the recommended configuration for users who want to develop stateful PL/SQL- and Java-based Web applications. When using mod_ose, the stateful mode is preferable because a new database session does not have to be created and destoyed for every HTTP request. For more information, see the mod_ose documentation.

1.2 Database Access Descriptors

Each PL/SQL Gateway request is associated with a database access descriptor (DAD), a named set of configuration values used for database access. A DAD specifies information such as:

• the database alias (SQL*Net V2 service name).

• a connect string if the database is remote.

• a procedure for uploading and downloading documents.

You can also specify a username and password information in a DAD; if they are not specified, the user will be prompted to enter a username and password when the URL is invoked. For maore information, see "Authentication".

1.3 Processing client requests

The following occurs when a server receives a request:

1. The Web server receives a PL/SQL Gateway request from a client and forwards the request to the PL/SQL Gateway.

2. The PL/SQL Gateway uses the DAD's configuration values (see "Configuring the PL/SQL Gateway" for more information) to determine how to connect to the database.

3. The PL/SQL Gateway connects to the database, prepares the call parameters, and invokes the PL/SQL procedure in the database.

4. The PL/SQL procedure generates an HTTP response (for example, an HTML page) which can include dynamic data accessed from tables in the database as well as static data.

5. The output from the procedure is returned back to the PL/SQL Gateway and the client.

The procedure that the PL/SQL Gateway invokes should return the HTTP response back to the client. To simplify this task, the PL/SQL Gateway comes with the PL/SQL Web Toolkit, a set of packages that you can use in your stored procedure to get information about the request, construct HTML tags, and return header information to the client. You install the toolkit in a common schema so that all users can access it. See "Using the PL/SQL Web Toolkit" for more information.

1.4 Invoking the PL/SQL Gateway

To invoke the PL/SQL Gateway in a Web browser, the URL must typically be in the following format:

protocol://hostname[:port]/prefix/DAD/[[!][schema.][package.]proc_
name[?query_string]]

where:

protocol can be either http or https. For SSL, use https.

hostname is the machine where the Web server is running.

port is the port at which the application server is listening. If omitted, port 80 is assumed.

prefix is a virtual path to handle PL/SQL requests that you have configured in the Web server. pls is the default setting for this parameter. For example, you can configure the Web server to set pls as the prefix so that all requests containing the pls prefix are routed to the PL/SQL Gateway.

DAD is the DAD entry to be used for this URL.

! character, if present, indicates that flexible parameter passing scheme must be used. See"Flexible Parameter Passing" for more information.

schema is the database schema name. If omitted, name resolution for
package.proc_name occurs based on the database user that the URL request is processed as.

package is the package that contains the PL/SQL stored procedure. If omitted, the procedure is stand-alone.

proc_name specifies the PL/SQL stored procedure to run. This must be a procedure and not a function. It can accept only IN arguments.

?query_string specifies parameters (if any) for the stored procedure. The string follows the format of the GET method. For example:

• Multiple parameters are separated with the & character, and space characters in the values to be passed in are replaced with the + character.

• If you use HTML forms to generate the string (as opposed to generating the string yourself), the formatting will be done automatically for you.

• The HTTP request may also choose the HTTP POST method to post data to the PL/SQL Gateway. See "POST and GET Methods" for more information.

For example, if a Web server is configured with pls as a prefix and the browser sends the following URL:

http://www.acme.com:9000/pls/mydad/mypackage.myproc 

the Web server running on www.acme.com and listening at port 9000 would handle the request. When the Web server receives the request, it will pass the request to the PL/SQL Gateway. This is because the pls prefix indicates that the Web server is configured to invoke the PL/SQL Gateway. The PL/SQL Gateway then uses the DAD associated with mydad and runs the myproc procedure stored in mypackage.

You can specify a URL without a DAD, schema or stored procedure name. For example, if you specify

 http://www.acme.com:9000/pls/mydad 

then the default home page for the mydad DAD (as specified on the PL/SQL Gateway configuration page) displays.

If you specify

http://www.acme.com:9000/pls 

the default DAD's default home page is invoked.

Generally, you do not need to be concerned with the order in which PL/SQL parameters are given in the URL or the HTTP header, because the parameters are passed by name. However, there are some exceptions to this rule. Please refer to Parameter passing for more information.

1.4.1 POST and GET Methods

POST and GET methods in the HTTP protocol instruct browsers how to pass parameter data (usually in the form of name-value pairs) to applications. The parameter data are usually generated by HTML forms.

PL/SQL Gateway applications can use either method. Each method is as secure as the underlying transport protocol (http or https).

When you use the POST method, parameters are passed in the request body. When you use the GET method, parameters are passed using a query string. These methods are described in the HTTP 1.1 specification, which is available at the W3C web site at:

http://www.w3.org/Protocols/HTTP/1.1/draft-ietf-http-v11-spec-rev-01.txt

The limitation of the GET method is that the length of the value in a name-value pair cannot exceed the maximum length for the value of an environment variable, as imposed by the underlying operating system. In addition, operating systems have a limit on how many environment variables you can define.

Generally, if you are passing large amounts of parameter data to the server, you should use the POST method instead.

1.5 Overview of PL/SQL Gateway Features

1.5.1 Authentication

The PL/SQL Gateway provides different levels of authentication in addition to those provided by the Web Server itself. Whereas the Web server protects documents, virtual paths, etc., the PL/SQL Gateway protects users logging into the database or running a PL/SQL Web application.

You can enable different authentication modes using the Authentication Mode parameter on the PL/SQL Gateway configuration page. This parameter can be set to one of the following values:

• Basic - authentication is performed using basic HTTP authentication. Most applications will use Basic authentication.

• Global Owa - authorization is performed in the schema containing the PL/SQL Web Toolkit packages.

• Custom Owa - authorization is performed using packages and procedures in the user's schema, or if not found, in the schema containing the PL/SQL Web Toolkit packages.

• PerPackage - authentication is performed by packages and procedures in the user's schema

• Single Sign-On - authentication is performed using the Oracle Single Sign-On feature of the Login Server. You can use this mode only if your application is set up to work with the Login Server

1.5.1.1 Database Controlled Authentication (Basic Authentication Mode)

The PL/SQL Gateway supports authentication at the database level. It uses HTTP Basic Authentication but authenticates credentials by using them to attempt to log on to the database. Authentication is verified against a user database account, using user names and passwords that are either:

• stored in the DAD. The end user is not required to log in. This method is useful for Web pages that provide public information

• provided by the users via a browser-based basic HTTP authentication dialog box. The end user must provide a username and password in the dialog box.

1.5.1.1.1 Deauthentication

The PL/SQL Gateway allows users to log off (clear HTTP authentication information) programatically through a PL/SQL procedure without having to exit all instances of the browser. Because of the use of cookies, this feature is supported on Netscape 3.0 or higher and Internet Explorer. On other browsers, the user may have to exit the browser to deauthenticate.

Another method of deauthentication is to add /logmeoff after the DAD in the URL, for example

http://myhost:2000/pls/myDAD/logmeoff

1.5.1.2 Custom Authentication (Global OWA, Custom OWA, and Per Package Authentication Modes)

Custom authentication enables applications to authenticate users within the application itself, not at the database level. Authorization is performed by invoking a user-written authorization function.

1.5.1.2.1 Implementing the authorize function

Custom authentication uses a static username/password that is stored in a configuration file. It cannot be combined with dynamic username/password authentication.

The syntax of the authorize function is:

function authorize return boolean;

To enable custom authentication, you must

1. Set the level of authentication on the DAD Configuration page.

2. Implement the authorize function.

The PL/SQL Gateway uses the username/password provided in the DAD to log into the database. Once the login is complete, authentication control is passed to the application. Application-level PL/SQL hooks (callback functions) are then called. The implementations for these callback functions are left to the application developers. The return value of the callback function determines if the authentication succeeded or failed: if the function returns TRUE, authentication succeeded. If it returns FALSE, authentication failed and code in the application is not executed.

You can place the authentication function in different locations, depending on when it is to be invoked:

If you want the same authentication function to be invoked for all users and for all procedures, choose Global OWA in the Authentication Mode list on the DAD Configuration Page. Then, implement the owa_custom.authorize function in the schema that contains the PL/SQL Web Toolkit, which is SYS.

If you want a different authentication function to be invoked for each user and for all procedures, choose Custom OWA in the Authentication Mode list on the DAD Configuration Page. Then implement the owa_custom.authorize function in each user's schema. For users who do not have that function in their schema, the owa_custom.authorize function in the PL/SQL Web Toolkit package schema will be invoked instead.

If you want the authentication function to be invoked for all users but only for procedures in a specific package or for anonymous procedures, choose Per Package in the Authentication Mode list on the DAD Configuration Page. Then, implement the authorize function in that package in each user's schema. If the procedure is not in a package, then the anonymous authorize function is called instead. The following table summarizes the parameter values:

Mode	Access control scope	Callback function

Global OWA	All packages	owa_custom.authorize in the OWA package schema
Custom OWA	All package	owa_custom.authorize in the user's schema, or, if not found, in the OWA package schema
Per Package	Specified package	packageName.authorize in the user's schema, or anonymous.authorize is called.

1.5.2 Transaction model

After processing a URL request for a procedure invocation, the PL/SQL Gateway performs a rollback if there were any errors. Otherwise, the Gateway performs a commit. This mechanism does not allow a transaction to span across multiple HTTP requests. In this stateless model, applications typically maintain state using HTTP cookies or database tables. For more information about stateful and stateless modes, see "PL/SQL Gateway Configurations" .

1.5.3 Parameter passing

PL/SQL Gateway supports:

• Parameter passing by name

  Each parameter in a URL that invokes procedure or functions identified by a unique name. Overloaded parameters are supported. See "Overloaded parameters" for more information.

• Flexible parameter passing

  Procedures are prefixed by a ! character. See "Flexible Parameter Passing" for more information.

• Large (up to 32K) parameters.

  See "Large parameters" for more information.

1.5.3.1 Overloaded parameters

Overloading allows multiple subprograms (procedures or functions) to have the same name, but differ in the number, order, or the datatype family of the parameters. When you call an overloaded subprogram, the PL/SQL compiler determines which subprogram to call based on the data types passed.

PL/SQL allows you to overload local or packaged subprograms; stand-alone subprograms cannot be overloaded. See the PL/SQL User's Guide in the Oracle Server documentation for more information on PL/SQL overloading.

You must give parameters different names for overloaded subprograms that have the same number of parameters. Because HTML data is not associated with datatypes, it is impossible for the PL/SQL Gateway to know which version of the subprogram to call.

For example, PL/SQL allows you to define the two procedures in the example below. If parameter names for these procedures are the same, an error occurs when you try to use them with the PL/SQL Gateway:

-- legal PL/SQL, but not for the PL/SQL Gateway

CREATE PACKAGE my_pkg AS

  PROCEDURE my_proc (val IN VARCHAR2);

  PROCEDURE my_proc (val IN NUMBER);

END my_pkg;

To avoid the error, name the parameters differently. For example:

-- legal PL/SQL and also works for the PL/SQL Gateway

CREATE PACKAGE my_pkg AS

  PROCEDURE my_proc (valvc2 IN VARCHAR2);

  PROCEDURE my_proc (valnum IN NUMBER);

END my_pkg;

The URL to invoke the first version of the procedure looks something like:

http://www.acme.com/pls/myDAD/my_pkg.my_proc?valvc2=input

The URL to invoke the second version of the procedure looks something like:

http://www.acme.com/pls/myDAD/my_pkg.my_proc?valnum=34

1.5.3.2 Overloading and PL/SQL Arrays

If you have overloaded PL/SQL procedures where the parameter names are identical, but where the data type is owa_util.ident_arr (a table of varchar2) for one procedure and a scalar type for another procedure, the PL/SQL Gateway can still distinguish between the two procedures. For example, if you have the following procedures:

CREATE PACKAGE my_pkg AS

  PROCEDURE my_proc (val IN VARCHAR2); -- scalar data type

  PROCEDURE my_proc (val IN owa_util.ident_arr); -- array data type

END my_pkg;

Each of these procedures has a single parameter of the same name, val.

When the PL/SQL Gateway gets a request that has only one value for the val parameter, it invokes the procedure with the scalar data type. When it gets a request with more than one value for the val parameter, it then invokes the procedure with the array data type.

Example 1: If you send the following URL:

http://www.acme.com/pls/myDAD/my_proc?val=john

the scalar version of the procedure executes.

Example 2: If you send the following URL:

http://www.acme.com/pls/myDAD/my_proc?val=john&val=sally

the array version of the procedure executes.

To ensure that the array version of the procedure executes, use hidden form elements on your HTML page to send dummy values that are checked and discarded in your procedure.

1.5.3.3 Flexible Parameter Passing

You can have HTML forms from which users can select any number of elements. If these elements have different names, you must create overloaded procedures to handle each possible combination, or you could insert hidden form elements to ensure that the names in the query string are consistent each time, regardless of which elements the user chooses.

The PL/SQL Gateway makes this easier by supporting a flexible parameter passing scheme. In order to use flexible parameter passing for a URL-based procedure invocation, prefix the name of the procedure with a `!' character in the URL.

The PL/SQL Gateway supports flexible parameters with two or four parameters.

Note: The two parameter interface is recommended for use with the PL/SQL Gateway because it provides improved performance. A four parameter interface is supported for compatibility.

The four parameter signature is shown below:

procedure [proc_name] is 
         (num_entires IN NUMBER  
          name_array  IN  [array_type]
          value_array IN  [array_type]
          reserved in [array_type]);

[proc_name] is the name of the PL/SQL procedure that you are invoking.

num_entries specifies the number of name_value pairs in the query string

name_array specifies the names from the query string (indexed from 1) in the order submitted.

value_array specifies the values from the query string (indexed from 1) in the order submitted.

reserved is not currently used. It is reserved for futire use.

[array_type] is any PL/SQL index-by table of varchar2 type (e.g., owa.vc_arr).

The two parameter signature is shown below:

procedure [proc_name] is 

		  	     name_array  IN  [array_type]

	       value_array IN  [array_type],

where: 

[proc_name] is the name of the PL/SQL procedure that you are invoking.

name_array specifies the names from the query string (indexed from 1) in the order submitted.

value_array specifies the values from the query string (indexed from 1) in the order submitted.

[array_type] is any PL/SQL index-by table of varchar2 type (e.g., owa.vc_arr).

Example 1: If you send the following URL:

http://www.acme.com/pls/myDAD/!scott.my_proc?x=john&y=10&z=doe

The `!' prefix tells the PL/SQL Gateway that it must use flexible parameter passing. It will invoke procedure scott.myproc and pass it the following two arguments:

name_array ==> (`x', `y', `z');
values_array ==> ('john', '10', 'doe')

Example 2: If you send the following URL, where the query_string has duplicate occurrences of the name "x":

http://www.acme.com/pls/myDAD/!scott.my_pkg.my_proc?x=a&y=b&x=c

The `!' prefix tells the PL/SQL Gateway that it must use flexible parameter passing. It will invoke procedure scott.my_pkg.myproc and pass it the following four arguments:

num_entries ==> 3 
name_array ==> (`x', `y', `x');
values_array ==> (`a', `b', `c')
reserved ==> ()

1.5.3.4 Large parameters

Section 1.5.3.2 and Section 1.5.3.3 above indicate that you can use the PL/SQL Gateway to invoke procedures with either scalar or index-by table of varchar2 arguments. The values passed as scalar arguments and values that are passed as elements to the index-by table of varchar2 arguments can be up to 32K in size.

For example, when using flexible parameter passing (described in "Flexible Parameter Passing"), each name or value in the query_string portion of the URL gets passed as an element of the name_array or value_array argument to the procedure being invoked. These names or values can be up to 32KB in size.

1.5.4 File Upload and Download

The PL/SQL Gateway allows you to:

• Upload and download files as raw byte streams without any character set conversions. The files are uploaded into the document table. A primary key is passed to the PL/SQL upload handler routine so that it can retrieve the appropriate row of the table.

• Specify one or more tables per application for uploaded files so that files from different applications are not mixed together.

• Provide access to files in these tables via a URL format that doesn't use query strings, for example
  

   http://www.acme.com:9000/mysite/pls/docs/cs250/lecture1.htm
  
  

  This is required to support uploading a set of files that have relative URL references to each other.

• Upload multiple files per form submission.

• Upload files into LONG RAW and BLOB types of columns in the document table.

1.5.4.1 Document Table Definition

The PL/SQL Gateway enables you to specify the document storage table on a per DAD basis. The document storage table must have the following definition:

CREATE TABLE [table_name] (	

NAME           VARCHAR2(256) UNIQUE NOT NULL,
MIME_TYPE      VARCHAR2(128),
DOC_SIZE       NUMBER,
DAD_CHARSET    VARCHAR2(128),
LAST_UPDATED   DATE,
content_type   VARCHAR2(128),
[content_column_name] [content_column_type]
[ , [content_column_name] [content_column_type]]

);

Users can choose the table_name. The content_column_type type must be either LONG RAW or BLOB.

The content_column_name depends on the corresponding content_column_type:

• If content_column_type is LONG RAW, the content_column_name must be CONTENT.

• If content_column_type is BLOB, the content_column_ name must be CONTENT_BLOB.

An example of legal document table definition is:

  NAME               VARCHAR(128)   UNIQUE NOT NULL, 
  MIME_TYPE          VARCHAR(128), 
  DOC_SIZE           NUMBER, 
  DAD_CHARSET        VARCHAR(128), 
  LAST_UPDATED       DATE, 
  CONTENT_TYPE       VARCHAR(128), 
  CONTENT            LONG RAW, 
  BLOB_CONTENT       BLOB ;

1.5.4.1.1 Semantics of the CONTENT column

The actual contents of the table will be stored in a content column. There can be more than one content columns in a document table. However, for each row in the document table, only one of the content column is used. The other content columns are set to NULL.

1.5.4.1.2 Semantics of the CONTENT_TYPE column

The content_type column is used to track which content column the document is stored in. When a document is uploaded, the PL/SQL Gateway will set the value of this column to be the type name (i.e. the [content_column_type] of the content column into which the document is uploaded).

For example, if a document was uploaded into the BLOB content column, then the CONTENT_TYPE column for the document will be set to the string `BLOB'.

1.5.4.1.3 Semantics of the LAST_UPDATED column

The LAST_UPDATED column reflects a document's creation or last modified time.When a document is uploaded, the PL/SQL Gateway will set the
LAST_UPDATED column for the document to be the database server time (as obtained from sysdate()) at the time of upload. If an application subsequently modifies or replaces the contents or attributes of the document, it must also update the LAST_UPDATED time.

The LAST_UPDATED column is used by the PL/SQL Gateway to check and indicate to the HTTP client (e.g., a browser) if it is okay for the HTTP client to use a previously cached version of the document. This helps reduce network traffic and response times and improves server performance and scalability.

1.5.4.1.4 Semantics of the DAD_CHARSET column

The DAD_CHARSET column keeps track of the character set setting at the time of the file upload. Note: This column is reserved for future use.

1.5.4.2 Old Style Document Table Definition

For backward capability with the document model used by older releases of WebDB 2.X, the PL/SQL Gateway will also support the following old definition of the document storage table where the CONTENT_TYPE, DAD_CHARSET and LAST_UPDATED columns are not present.

/* older style document table definition (DEPRECATED) */
CREATE TABLE [table_name]
( 

NAME         VARCHAR2(128),
MIME_TYPE    VARCHAR2(128),
DOC_SIZE     NUMBER,
CONTENT      LONG RAW

);

1.5.4.3 Relevant Parameters

For each DAD, the following configuration parameters are relevant for file upload/download.

document_table (document_table_name)

The document_table parameter specifies the name of the table to be used for storing documents when file uploads are performed via this DAD.

Syntax

document_table = [document_table_name]

Examples

document_table = my_documents

or,

document_table = scott.my_document_table

1.5.4.4 document_path (Document Access Path)

This specifies the path element to immediately follow the DAD name in the URL to access a document. For example, if the document access path is docs, then the URL to access a document might look like:

http://neon/pls/myDAD/docs/myfile.htm 

where myDAD is the DAD name and myfile.htm is the file name. The document access path mechanism enables the standard-style document access URLs required for WebDB's features for building Web sites.

Syntax

document_path = [document_access_path_name]

1.5.4.4.1 document_proc (Document Access Procedure):

This is an application-specified procedure, with no parameters, that processes a URL request with the document access path. The document access procedure should call wpg_docload.download_file(filename) to initiate download of a file. It should figure out the filename based on the complete URL specification. This can be used by an application, for example, to implement file-level access controls and versioning. An example of such an application is shown in "File Download" .

Syntax

document_proc = [document_access_procedure_name]

Examples

document_proc = my_access_procedure

or,

document_proc = scott.my_pkg.my_access_procedure

1.5.4.4.2 upload_as_long_raw

The DAD parameter upload_as_long_raw is used to configure file uploads based on their file extensions. The value of an upload_as_long_raw DAD parameter is a (,) comma separated list of file extensions. Files with these extensions will be uploaded by the PL/SQL Gateway into the content column of long_raw type in the document table. Files with other extensions will be uploaded into the BLOB content column.

The file extensions can be text literals (jpeg, gif, etc.). In addition, an asterisk (*) can be used as a special file extension and matches any file whose extension has not been explicitly listed in an upload_as_long_raw setting.

Syntax

upload_as_long_raw = [file_extension][,[file_extension]]*

where [file_extension] is an extension for a file (with or without the `.' character, e.g., `txt' or `.txt') or the wild card character *.

Examples

upload_as_long_raw = html, txt
upload_as_long_raw = *

1.5.4.5 File Upload

To upload files from a client machine to a database, you create an HTML page that contains:

• A FORM tag whose enctype attribute is set to multipart/form-data and whose action attribute is associated with a PL/SQL Gateway procedure call, referred to as the "action procedure".

• An INPUT element whose type and name attributes are set to file. The INPUT type=file element enables a user to browse and select files from the file system.

When a user clicks the submit button to trigger the form action, the following events occur:

1. The browser uploads the contents of the file specified by the user as well as other form data to the server.

2. The PL/SQL Gateway stores the file contents in the database in the document storage table. The table name is derived from the document_table DAD setting.

3. The action procedure specified in the action attribute of the FORM is run similar to invoking a PL/SQL Gateway procedure without file upload.

The following example shows an HTML form that enables a user to select a file from the file system to upload. The form contains other fields that allow the user to provide information about the file.

<html>
<head> 
<title>test upload</title>
</head>
<body>
 <FORM 	enctype="multipart/form-data"
action="pls/myDAD/write_info"
method="POST">
<p>Author's Name:<INPUT type="text" name="who">
<p>Description:<INPUT type="text" name="description"><br>
<p>File to upload:<INPUT type="file" name="file"><br>
<p><INPUT type="submit">
</FORM>
</body>
</html>

When a user clicks a Submit button on the form, the browser uploads the file listed in the INPUT type=file element.

The write_info procedure then runs. The procedure writes information from the form fields to a table in the database and returns a page to the user. The action procedure does not have to return anything to the user, but it is a good idea to let the user know whether the upload operation succeeded or failed.

A sample write_info procedure might look like:

procedure write_info (
who         in varchar2,
description in varchar2,
file        in varchar2) as
begin
insert into myTable values (who, description, file);
htp.htmlopen;
htp.headopen;
htp.title('File Uploaded');
htp.headclose;
htp.bodyopen;
htp.header(1, 'Upload Status');
htp.print('Uploaded ' || file || ' successfully');
htp.bodyclose;
htp.htmlclose;
end;

The filename obtained from the browser is prefixed with a generated directory name to reduce the possibility of name conflicts. The "action procedure" specified in the form should rename this name to what it wants. So, for instance, when /private/minutes.txt is uploaded, the name stored in the table by the gateway would look like F9080/private/minutes.txt. The application can rename this to whatever it wants in the called stored procedure. For instance, the application can rename it to scott/minutes.txt.

1.5.4.6 Specifying Attributes (Mime Types) of Uploaded Files

In addition to renaming the uploaded file, the stored procedure that is the action target of the form can alter other attributes relating to the file. For example, the form in the example shown in the section, "File Upload" could display a field for allowing the user to input the uploaded document's mime type.

The mime type could be received as a parameter in write_info. The document table could then store the mime type for the document instead of the default mime type that is parsed from the multipart form by the PL/SQL Gateway when uploading the file.

1.5.4.7 Uploading Multiple Files

To upload multiple files per submit action, the upload form must include multiple <INPUT type="file" name="file"> elements. If more than one file INPUT element defines name to be of the same name, then the action procedure must declare that parameter name to be of type owa.vc_arr. The names defined in the file INPUT elements could also be unique, in which case the action procedure must declare each of them to be of varchar2. For example, if a form contained the following elements:

<INPUT type="file" name="textfiles">
<INPUT type="file" name="textfiles">
<INPUT type="file" name="binaryfile">

then the action procedure must contain the following parameters:

procedure handle_text_and_binary_files(textfiles IN owa.vc_arr, 

binaryfile IN varchar2).

1.5.4.8 File Download

After you have uploaded files to the database, you can download them, delete them from the database, and read and write their attributes.

To download a file, create a stored procedure with no parameters that calls
wpg_docload.download_file(file_name) to initiate the download. The document download packages in the PL/SQL Web Toolkit. See "Installing required packages" for more information.

The HTML page presented to the user will simply have a link to a URL which includes the Document Access Path and specifies the file to be downloaded.

For example, if the webview DAD specifies that the Document Access Path is docs and the Document Access Procedure is webview.process_download, then the webview.process_download procedure will be called when the user clicks on a URL such as

http://www.acme:9000/pls/webview/docs/myfile.htm.

An example implementation of process_download is:

procedure process_download is
	v_filename varchar2(255);
begin
  -- getfilepath() uses the SCRIPT_NAME and PATH_INFO cgi
  -- environment variables to construct the full pathname of

  -- the file URL, and then returns the part of the pathname
  -- following `/docs/'
  v_filename := getfilepath;
  select name into v_filename from plsql_gateway_doc
  where UPPER(name) = UPPER(v_filename);  
  -- now we call docload.download_file to initiate
  -- the download.
  wpg_docload.download_file(v_filename);
exception
  when others then
	v_filename := null;
end process_download;

Any time you call wpg_docload.download_file(filename) from a procedure running in the gateway, a download of the file filename will be initiated. The restriction, however, is that when a file downloaded is initiated, no other HTML (produced via HTP interfaces) generated by the procedure, will be passed back to the browser.

The PL/SQL Gateway looks for the file filename in the document table. There must be a unique row in the document table whose NAME column matches filename. The PL/SQL Gateway generates appropriate HTTP response headers based on the information in the MIME_TYPE column of the document table. The
content_type column's value determines which content columns get the document's content from. The contents of the document are sent as the body of the HTTP response.

1.5.5 Path Aliasing

Path Aliasing enables applications using the PL/SQL Gateway to provide direct reference to its objects using simple URLs. The PL/SQL Gateway allows you to directly access documents within an application using the document access path and a document access procedure.

For example, the docs keyword in the URL below tells the PL/SQL Gateway that this request is for document access.

http://<HostName>[:Port]/<DADName>/docs/<FolderName/Document>

The above assumes that the Document Access Path is docs.

Path Aliasing provides the equivalent function by allowing means of direct access to application objects other than documents. Two fields in Database Access Descriptor's configuration information support path aliasing:

• Path Alias

• Path Alias Procedure

If the PL/SQL Gateway encounters in an incoming URL the keyword entered in the Path Alias field, it invokes the the procedure entered in the Path Alias Procedure. field.

For example, if the incoming URL is

http://www.acme.com:9000/portal_DAD/URL/path_alias_URL

and the Path Alias is URL, the PL/SQL Gateway invokes the Path Alias Procedure, passing everything after the keyword URL to the invoked procedure.

Applications that use path aliasing must implement the Path Alias Procedure. The procedure will receive the rest of the URL (path_alias_URL) after the key word, URL, as a single parameter, and is therefore responsible and also fully capable of dereferencing the object from the URL.

Although there is no restriction on the name and location for this procedure, it can accept only a single parameter, p_path, with the datatype varchar2.

1.5.6 Caching

To improve performance of PL/SQL Web applications, you can leverage the caching feature provided by the PL/SQL Gateway. This feature allows caching of PL/SQL procedure Web content in the middle-tier, the PL/SQL Gateway. Subsequent requests for the content may be retrieved from the cache, with or without validation from the database, thereby decreasing the database workload. When enabled, caching increases the scalability of your Web application.

1.5.6.1 Overview

There are a number of cache mechanisms in the HTTP protocol suite. This section provides an overview of the existing techniques.

The HTTP protocol consists of Requests and Responses. A user agent, for example a Web Browser, can supply metadata in the Request Headers.

Content providers such as PL/SQL procedures can supply the cache-controlling metadata using one or more HTTP Response Headers. In subsequent HTTP requests, this metadata is supplied by the user agent so that the content provider can determine the validity of the user agent's cache entry.

In cases such as the Expires Response Header, the metadata indicates that the content is valid for a certain period of time. Subsequent requests need not be made until that period of time elapses. The content provider has indicated that it need not be reaccessed for a period of time, although the user agent may still do so.

1.5.6.1.1 Validation technique

When a Web page is initially generated, it contains a Last-Modified Response Header. This header indicates the date, relative to the server, of the content that was requested. User agents with caching capabilities save this date information along with the content. When subsequent requests are made for the URL of the Web page, the user agent:

• determines if it has a cached version,

• extracts the date information,

• generates the Request Header If-Modified-Since,

• and finally sends the request the content provider.

Cache-enabled content providers look for the If-Modified-Since header and compare it to their content's date. If the two match, an HTTP Response status header such as "HTTP/1.1 304 Not Modified" is generated, and no content is streamed. Upon receipt of this status code, the user agent can reuse its cache entry because it has been validated.

If the two don't match, an HTTP Response header such as "HTTP/1.1 200 OK" is generated and the new content is streamed, along with a new Last-Modified Response header. Upon receipt of this status code, the user agent must replace its cache entry with the new content and new date information.

Another validation method provided by the HTTP protocol is the ETag (Entity Tag) Response and Request header. The value of this header is a string that is opaque to the user agent. Content providers generate this string based on their type of application. This is a more generic validation method than the If-Modified-Since header, which can only contain a date value.

The ETag method works very similar to the date method. Content providers generate the ETag header value as part of the Response Header. The user agent stores this opaque header value along with the content that is steamed back. When the next request for this content arrives, the user agent passes the If-Match header with the opaque value that it stored to the content provider. Because the content provider generated this opaque value, it is able to determine what to send back to the user agent. The rest is exactly like the Last-Modified validation method as described above.

1.5.6.1.2 Expires technique

If a Web page contains an Expires Response Header the user agent may use this date value, combined with the Date Response Header, to determine how long the response is valid. It needn't contact the content provider during this time because the validity criteria have already been established. Therefore, the user agent can directly stream back the cached content for that request.

1.5.6.2 The PL/SQL Gateway cache

Using the HTTP protocol as the design basis, the PL/SQL Gateway can be thought of as a user agent and a PL/SQL procedure as the content provider. As with HTTP, headers and environment variables are the communication mechanism between the user agent and the content provider.

One of the assumptions is that the content being cached is varying and typically secured on a per user basis, although the physical URL being cached might be the same across users. Furthermore, content might be in different languages. These assumptions make this design somewhat different than the HTTP/1.1 protocol, in that HTTP/1.1 uses only the URL to create a cache key. The PL/SQL Gateway uses the URL in conjunction with the user and language to form the cache key.

There are two levels of caching for each request:

• User-level caching is for a specific user that is logged in. The stored cache is unique for that user. Only that user gets to use the cache.

• System-level caching is for a group of users that shares the cache.

For example, if no individual user chooses to customize a customizable PL/SQL Web application, then the application's output can be stored in a system-level cache. Therefore, there is only a single cache copy for every user on the system.

However, if one of the users customizes the application, then a new user-level cache is stored for that user only. All other users still use the system level cache. This is explained in more detail in "System- and user-level caching".

1.5.6.2.1 owa_cache package

The owa_cache package contains functions and procedures to set and get special caching headers and environment variables. These allow developers to use the PL/SQL Gateway cache more easily. This package should already be installed in your database (see "Installing required packages" for more information).

See "owa_cache" for a complete specification of the owa_cache package.

These are the primary functions to call:

• owa_cache.set_cache(p_etag IN varchar2, p_level IN varchar2)

  This function sets up the headers for the validation model of caching. The p_etag parameter is the string that tags the generated content. The p_level parameter is the caching level to use.

• owa_cache.set_expires(p_expires IN number, p_level IN varchar2)

  This function sets up the headers for the expires model of caching. The p_expires parameter is the number of minutes the generated content will be valid. The p_level parameter is the caching level to use.

• owa_cache.set_not_modified

  This function is only valid for the validation model. It sets up the headers to notify the gateway to use the cached content.

• owa_cache.get_level

  This function is only valid for the validation model. It gets the caching level, "USER" or "SYSTEM".

• owa_cache.get_etag

  This function is only valid for the validation model. It gets the tag associated with the cached content.

1.5.6.2.2 Validation model

This model is very similar to the HTTP ETag caching technique. Therefore, the PL/SQL Gateway will always ask the PL/SQL procedure whether the content has changed or not.

Assume a PL/SQL procedure is being called for the first time through the PL/SQL Gateway. The PL/SQL Gateway executes the procedure and passes the usual CGI environment variables. The procedure generates content to pass back. If the procedure decides that the generated content is cacheable, it calls the owa_cache procedure to set the tag and the cache level:

owa_cache.set_cache(p_etag, p_level);

where

p_etag is a string that the procedure generates to tag the content.

p_level is the caching level ("SYSTEM" for system level or "USER" for user level).

The set_cache function sets up the necessary headers to notify the PL/SQL Gateway that the content being streamed back can be cached. As a result, the PL/SQL Gateway caches the content on the local file system along with the tag and caching level information as it is streamed back to the browser.

Next, assume a second request for the same PL/SQL procedure. The PL/SQL Gateway detects that it has a cached content for the request. In this case, it does something special: it passes that same tag and caching level information, which it got last time from executing the same procedure, as part of the CGI environment variables. The procedure then uses these caching CGI environment variables to check if the content has changed. It does so by calling the following owa_cache functions:

owa_cache.get_etag;

owa_cache.get_level;

These functions get the tag and caching level respectively. Since the PL/SQL procedure generated these the last time, it can do any kind of processing on them to determine whether the content needs to be regenerated or not.

If the content is still the same, the procedure calls the following owa_cache procedure:

owa_cache.set_not_modified;

and generates no content. This tells the PL/SQL Gateway to use its cached content for this request. Therefore, the cached content is directly streamed back to the browser.

On the other hand, if the PL/SQL procedure determines that the content has changed, it generates the new content along with a new tag and caching level. It does not call owa_cache.set_not_modified because the PL/SQL Gateway has a stale copy of the content. Instead the PL/SQL Gateway replaces its stale cached copy with the newly generated one and updates the tag and caching level information associated with it.

1.5.6.2.3 Expires model

In the Validation model, the PL/SQL Gateway always asks the PL/SQL procedure to determine whether or not it can serve the content from the cache. In the expires model, the procedure preestablishes the content validity period. Therefore, the PL/SQL Gateway can serve the content from its cache without asking the procedure. This further improves performance because no interaction with the database is required.

Assume the same scenario described above for the Validation model, except the procedure uses the Expires model for caching. Once it has generated the content, the procedure calls the following owa_cache procedure:

owa_cache.set_expires(p_expires, p_level);

where

p_expires is the number of minutes that the content will be valid.

p_level is the caching level.

The set_expires procedure sets up the proper headers to notify the PL/SQL Gateway that Expires model caching is being used. The PL/SQL Gateway then caches the content to the file system along with the validity period and caching level information.

Next, assume the same procedure invoked a second time through the browser. The PL/SQL Gateway detects that it has a cached copy of the content that is expires-based, then checks for its validity by taking the difference between the current time and the time this cache file was created. If this difference is within the validity period, the cached copy is still fresh and served to the browser without any database interaction.

If the difference is not within the validity period, the cached copy is stale. In this case, the PL/SQL Gateway invokes the procedure. The procedure will then decide again whether or not to use expires-based caching again. Alternatively, it can use the validation model caching or no caching at all.

1.5.6.3 System- and user-level caching

The PL/SQL procedure determines whether generated content is system-level content or user-level. This helps the PL/SQL Gateway cache to store less redundant files if more than one users is looking at the same content.

The PL/SQL procedure decides whether the content generated is a system level cacheable content or user level:

• For system-level content, the procedure passes the string "SYSTEM" as the caching level parameter to the owa_cache functions (set_cache for validation model or set_expires for expires model).

• For user-level content, it passes the string "USER" as the parameter for the caching level.

The difference in the PL/SQL gateway between system- and user-level caching is the use of the user information. For system-level caching, user information is not used since the cache can be used by multiple users. Therefore, the user information is not a criteria for a system level cache hit.

For user level caching, the user information is a criteria for a user-level cache hit. User-level cache always overrides system -level cache. If both a system-level and user-level cache copy exist for a given user, the user-level is used.

1.6 CGI Environment Variables

The OWA_UTIL package provides an API to get the values of CGI environment variables, which serve to provide a kind of context to the procedure being executed via the PL/SQL Gateway. Although the PL/SQL Gateway is not operated through CGI, the PL/SQL application invoked from the PL/SQL Gateway can access these CGI environment variables.

The PL/SQL Gateway provides the following CGI environment variables:

• REMOTE_USER

• DAD_NAME

• DOC_ACCESS_PATH

• PATH_INFO

• SCRIPT_NAME

• SERVER_PORT

• SERVER_NAME

• REQUEST_METHOD

• REMOTE_HOST

• REMOTE_ADDR

• SERVER_PROTOCOL

• HTTP_USER_AGENT

• HTTP_PRAGMA

• HTTP_HOST

• HTTP_ACCEPT

• HTTP_ACCEPT_ENCODING

• HTTP_ACCEPT_LANGUAGE

• HTTP_ACCEPT_CHARSET

• REQUEST_CHARSET (see "REQUEST_CHARSET CGI environment variable" for more information)

• REQUEST_IANA_CHARSET

• DOCUMENT_TABLE (See "document_table (document_table_name)" for more information)

• AUTHORIZATION

• PATH_ALIAS

• SCRIPT_PREFIX

• REQUEST_PROTOCOL

• HTTP_COOKIE

A PL/SQL application can get the value of a CGI environment variable using the owa_util.get_cgi_env interface.

Syntax:

owa_util.get_cgi_env(param_name in varchar2) return varchar2;

where

param_name is the name of the CGI environment variable. param_name is case-insensitive.

1.6.1 NLS

For mod_plsql, the following restrictions apply:

• The NLS_LANG parameter of the database should match that of the Oracle HTTP Server (powered by Apache), or

• The NLS_LANG parameter of the database and Oracle HTTP Server (powered by Apache) should be of fixed character width and both should be the same size.

1.6.1.1 REQUEST_CHARSET CGI environment variable

Every request to the PL/SQL Gateway is associated with a DAD. The CGI environment variable REQUEST_CHARSET will be set as per the following rules:

• If NLS_LANG is specified as part of the Gateway's global configuration information, then the REQUEST_CHARSET CGI environment variable will be set to the character set portion of the global NLS_LANG parameter.

• Otherwise, the REQUEST_CHARSET will be set to the default character set in use.
  • For the embedded gateway this will be the database's default character set.

  • For the gateway deployed in the middle-tier (as part of WebDB listener or Oracle HTTP Server) this will be the character set information derived from the NLS_LANG environment variable of the WebDB listener process.

The PL/SQL application can access this information via a function call of the form:

	owa_util.get_cgi_env(`REQUEST_CHARSET');

1.6.1.2 REQUEST_IANA_CHARSET CGI environment variable

This is the IANA (Internet Assigned Number Authority) equivalent of the
REQUEST_CHARSET CGI environment variable. IANA is an authority that globally coordinates the standards for charsets used on the Internet.