Application attributes apply to an entire application. Once you create an application, the next logical step is to review and possibly update application attributes.
See Also:
"How to Create a Packaged Application" for information on using the Supporting Objects utility to create a packaged applicationYou use the attributes on the Edit Application page to edit the application name and availability and to define static substitution strings. Additionally, the Edit Application page displays defined build options, the associated theme, template defaults, and component defaults. Required values are marked with a red asterisk (*).
To edit the application definition:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click the Edit Application Properties button to the right of the application name.
The Edit Application page appears.
The Edit Application page is divided into the following sections: Name, Properties, Availability, Error Handling, Global Notification, Substitutions, Logo, Build Options, Theme, Template Defaults, and Component Defaults. You can access these sections by scrolling down the page, or by clicking a navigation button at the top of the page.
When you select a button at the top of the page, the selected section appears and all other sections are temporarily hidden. To view all sections of the page, click Show All.
The following sections describe the attributes available on the Edit Application page.
Use Name to define basic characteristics of your application, including the application name, an optional alphanumeric alias, and a version number. Table 7-1 describes all Name attributes.
Table 7-1 Application Definition, Name
Attribute | Description |
---|---|
Provides a short descriptive name for the application to distinguish it from other applications in your development environment. |
|
Assigns an alternate alphanumeric application identifier. You can use this identifier in place of the application ID. For example, suppose you create an alias of
See Also: "Using f?p Syntax to Link Pages" |
|
Includes the application's version number on a page. You can also automatically tie the version to the date of last modification using the following format masks:
If your application version uses YYYY.MM.DD, then Application Builder replaces this format mask with the date of last modification of any application attribute. |
|
Determines the virtual path the Web server uses to point to the images directory distributed with Application Builder. During installation, the virtual path is configured as When embedding an image in static text (for example, in page or region headers or footers), you can reference an image using the substitution string
<img src="#IMAGE_PREFIX#go.gif">
See Also: "IMAGE_PREFIX", "Managing Images", and "Referencing Images" |
|
Enter the Internet Media Type. An Internet Media Type is two-part identifier for file formats on the Internet. A Media Type is composed of at least two parts: a type, a subtype, and one or more optional parameters. This Media Type is used in the Content-Type HTTP header when rendering the page. The page-level Media Type overrides the application-level Media Type. The default value for this attribute is |
|
Use this field to specify a proxy server. For example, you may require a proxy server when using a region source type of URL. The URL region source embeds the results of the URL (that is, the page returned by navigating to the URL) as the region source. If you use a firewall and the target of a URL is outside the firewall relative to Application Builder, you may need to specify a proxy server. You can reference values entered into this field from PL/SQL using the PL/SQL package variable |
|
Specifies the schema that all SQL and PL/SQL in the application is parsed as. You may use the |
Use Properties to enable the following attributes: logging, debugging, exact substitutions, application group, feedback, and default error display location. Table 7-2 describes all Name attributes.
Table 7-2 Application Definition, Properties
Attribute | Description |
---|---|
Determines whether user activity is recorded in the Oracle Application Express activity log. When set to Yes, every page view is logged, enabling an administrator to monitor user activity for each application. Disabling logging may be advisable for high volume applications. |
|
Controls debug mode for the current application. Available options include:
Running an application in debug mode is useful when an application is under development. However, for a production application, it is a good idea to disable debugging and thus prevent users from viewing application logic. |
|
Determines if exact substitutions are supported. Use exact substitutions. Non-exact substitutions is a deprecated feature. Exact substitutions use the following syntax: &ITEM. Non-exact substitutions use the following syntax: &ITEM See Also: "Understanding Substitution Strings" |
|
Displays the application group currently associated with this application. To select another application group, make a selection from the list. To remove an application from an existing group, select Unassigned. See Also: "Creating Application Groups" |
|
Enables support for end user feedback for this application. Select Yes or No. See Also: "Managing Feedback" |
|
Identifies where validation error messages display for basic validations performed by Application Express or by plug-ins. Validation error messages can display in a "notification" area (defined as part of the page template), or within the field label. |
Use Availability to manage your application by defining an application status and build status. For example, if you select the status Restricted Access, you can specify which users have access and can run the application. To learn more, see Table 7-3.
Table 7-3 Application Definition, Availability
Attribute | Description |
---|---|
Specifies whether the application is available or unavailable for use. Options include:
See Also: "Changing Build Status for Multiple Applications" in Oracle Application Express Administration Guide, "Changing Application Build Status Set During Deployment" in Oracle Application Express Administration Guide, and "Controlling Access to Applications, Pages, and Page Components", |
|
Identifies the build status of the current application. Options include:
See Also: "Changing Application Build Status Set During Deployment" in Oracle Application Express Administration Guide |
|
Use this attribute in conjunction with Status. If you set Status to Unavailable, Unavailable (Status Shown with PL/SQL), or Unavailable (Redirect to URL), the text you enter in this attribute displays. If you set Status to Available, the text you enter in this attribute does not display. |
|
Restrict to comma separated user list (status must equal Restricted Access) |
Use this attribute in conjunction with the Status Restricted Access. If you set Status to Restricted Access, only the users listed in this attribute can run the application. To use this attribute:
|
Use the attributes described in Table 7-4 to control or modify how an application logs errors. Error handling functions specified here are overridden by similar page-level attributes. See "About Page Attributes".
Table 7-4 Application Definition, Error Handling
Attribute | Description |
---|---|
Specifies where validation error messages display for validations, processes, plug-ins, or from the Oracle Application Express engine. Options include:
|
|
Error Handling Function |
Enter the name of a PL/SQL error function to modify the existing error message and display location or log the error if one occurs. The Error Handling Function is always called before an application, validation, or Application Express error is displayed to the user. It can be used to modify the existing error message and display location This function can reference a package function or standalone function in the database. For example: log_apex_error When referencing a database PL/SQL package or standalone function, use the #OWNER#.log_apex_error You must implement error handling functions using the syntax described in the
function <name of function> (
p_error in apex_error.t_error )
return apex_error.t_error_result
See Also: Note: Error handling specified at the page-level overwrites any error handling function specified here. See "About Page Attributes". |
You can use the Global Notification attribute to communicate system status to application users. For example, you can use this attribute to notify users of scheduled downtime, or communicate other messages regarding application availability. If the page templates used in your application contain the #GLOBAL_NOTIFICATION#
substitution string, the text entered here will display in that string's place.
To create a global notification:
Include the #GLOBAL_NOTIFICATION#
substitution string in your page template.
Navigate to the Edit Application page and enter a message in the Global Notification attribute.
Click Apply Changes.
Use these fields to define static substitution strings for your application. You can use static substitution string for phrases or labels that occur in many places within an application. To create a substitution string, enter the string name in the Substitution String column and the string value in the Substitution Value column.
Defining static substitution strings centrally enables you to change text strings in multiple places in your application by making a single change to the Substitution Value defined on this page.
See Also:
"Understanding Substitution Strings"Use Logo attributes to define an application logo. An application logo can be text-based or image-based. To use this feature, your page template must include the #LOGO#
substitution string.
To define an application logo:
For Logo Type, select one of the following:
Select Image to use an image for the application logo.
Select Text to use text for the application logo.
In Logo, enter the following:
For an image, enter the complete image name, including the filename extension. For example:
/i/oracle.gif
For text, enter the full text string. For example:
Sample Application
In Logo Attributes, enter the appropriate attributes for the logo or make a selection from the list.
Image example:
width="100" height="20" alt="Company Logo"
Text example:
style="font-family:Arial; color:#000000; font-size:18; white-space:nowrap; font-weight:bold;"
Displays existing build options. Most applications have a build option attribute. Build Options have two possible values: INCLUDE
and EXCLUDE
. If you specify an attribute to be included, then the Application Express engine considers it at run time. However, if you specify an attribute to be excluded, then the Application Express engine treats it as if it did not exist.
Do not specify a build option unless you plan to exclude that object from specific installations.
Displays the current theme applied to the application. Themes are collections of templates that can be used to define the layout and style of an entire application. Each theme provides a complete set of templates that accommodate every user interface pattern that may be needed in an application.
See Also:
"Managing Themes"Lists the default templates for this application. To specify a default template at the application level, you can either:
Select a new theme. See "Switching the Active Theme".
Select a new default page template on the Create/Edit Theme page. See "Changing the Default Templates in a Theme".
You can also override this default by making a selection from the Page Template list on the Page Attributes page.
Table 7-5 describes template defaults for the current application.
Table 7-5 Application Definition, Template Defaults
Attribute | Description |
---|---|
Indicates the default page template to display pages. You can override this selection by making a selection from the Page Template list on the Page Attributes page. See Also: "Altering Page Attributes" |
|
Identifies the template to be used when the Application Express engine is in printer friendly mode. When calling the Application Express engine to render a page, you have the option to specify whether the page should be displayed using the Print Mode Page Template specified. If you specify Yes, then the page displays using a printer friendly template. The Application Express engine displays all text within HTML Form Fields as text. The printer friendly template does not need to have the See Also: "Optimizing a Page for Printing" |
|
Optional. Specifies a page template to use for errors that display on a separate page, as opposed to those that display inline. |
Displays the default templates used when running wizards. You can override these settings on the attributes page for each control or component. Table 7-6 describes component defaults for the current application.
Table 7-6 Application Definition, Component Defaults
Attribute | Description |
---|---|
Default calendar template used when you create a calendar. |
|
Default label template used when you create page items. |
|
Default report template used when you create report. |
|
Default template used when you create a list. |
|
Default template used when you create a breadcrumb. |
|
Default template used when you create buttons that are template controlled. |
|
Default template used when you create a region. |
|
Default region template used when you create a chart or map. |
|
Default region template used when you create a form. |
|
Default region template used when you create a report. |
|
Default region template used when you create a tabular form. |
|
Default region template used when you create a wizard component. |
|
Default region template used when you create a breadcrumb. |
|
Default region template used when you create a list. |
You can provide security for your application by configuring attributes on the Edit Security Attributes page. The Security Attributes you choose apply to all pages within an application.
See Also:
"Managing Application Security"To access the Edit Security Attributes page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
The Shared Components page appears.
Under Security, click Security Attributes.
The Edit Security Attributes page appears.
The Edit Security Attributes page is divided into the following sections: Authentication, Authorization, Database Schema, Session State Protection, Browser Security, and Database Session. You can access these sections by scrolling down the page, or by clicking a navigation button at the top of the page.
When you select a button at the top of the page, the selected section appears and all other sections are temporarily hidden. To view all sections of the page, click Show All.
The following sections describe the attributes available on the Edit Security Attributes page.
Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time. Table 7-7 describes the attributes available under Authentication.
Table 7-7 Authentication Attributes
Attribute | Descriptions |
---|---|
Specifies a URL or procedure that should be run when you run the application. For example, Home Link could contain the relative URL used to locate the application home page. For example, You can also use this attribute to name a procedure. For example, you could create a procedure such as Note: Do not use the Home Link attribute to determine the page that displays after authentication. The page that displays after authentication is determined by other components within the application's authentication scheme. See Also: "HOME_LINK" |
|
Replaces the substitution strings See Also: "LOGIN_URL" and "Creating an Authentication Scheme" |
|
Identifies the Oracle schema used to connect to the database through the database access descriptor (DAD). The default value is Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string Note: Previous versions of Oracle Application Express used the built-in substitution string When
If the current application user ( For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using See Also: "HOME_LINK" and "Understanding Conditional Rendering and Processing" |
|
Click the link to define an authentication scheme. See Also: "Understanding How Authentication Works" and "Creating an Authentication Scheme" |
Authorization controls user access to specific controls or components based on user privileges. You can specify an authorization scheme for your application, by making a selection from the Authorization Scheme list. You can assign only one authorization scheme to an entire application. However, you can assign an authorization scheme to individual pages, page controls (such as a region, a button, or an item), or a shared component (such as a menu, a list, or a tab).
To create an authorization scheme, click Define Authorization Schemes.
An authorization scheme is a binary operation that either succeeds (equals true) or fails (equals false). If it succeeds, then the component or control can be viewed. If it fails, then the component or control cannot be viewed or processed. When you attach an authorization scheme to a page and it fails, an error message displays instead of the page. However, when you attach an authorization scheme to a page control (for example, a region, a button, or an item) and it fails, no error page displays. Instead, the control either does not display or is not processed or executed.
Use Parsing Schema to specify the database scheme for the current application. Once defined, all SQL and PL/SQL commands issued by the application will be performed with the rights and privileges of the defined database schema.
Use the following attributes to reduce exposure to abandoned computers with an open Web browser by application:
Maximum Session Length in Seconds - Enter a positive integer to control how many seconds a session exists and is used by this application. Leave the value null to revert the value to the instance level setting. Enter 0 to have the session exist indefinitely. The session duration may be superseded by the operation of the job that runs every eight hours which deletes sessions older than 12 hours.
On session timeout direct to this URL - Enter an optional URL to redirect to when the maximum session lifetime has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If no URL is supplied, the user will be redirected to the application home page.
Only three substitution items are supported in this URL:
&APP_SESSION.
&SESSION.
&APP_ID.
Because of the particular purpose of this URL. it is not necessary to include either &APP_SESSION.
or &SESSION.
in the link.
Maximum Session Idle Time in Seconds - Enter a positive integer to control the seconds of inactivity or idle time for sessions used by this application. The idle time is the time between one page request and the next one. Leave the value null to revert the value to the instance level setting. Set to 0 to prevent session idle time checks from being performed.
On session idle time timeout direct to this URL - Enter an optional URL to be redirected to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session timeout and to present a login link or other options. If no URL is supplied, the user will be redirected to the application home page.
Only three substitution items are supported in this URL:
&APP_SESSION.
&SESSION.
&APP_ID.
Because of the particular purpose of this URL. it is not necessary to include either &APP_SESSION.
or &SESSION.
in the link.
See Also:
"Understanding Session Timeout" and "Configuring Session Timeout" in Oracle Application Express Administration GuideEnabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.
To enable or disable Session State Protection for your application, make a selection from the Session State Protection list. Setting Session State Protection to Enabled turns on session state protection controls defined at the page and item level.
Allows URLS Created After lists the date and time after which bookmarked links are usable to access pages in this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application.
Bookmarks created before this date and time are not usable to access this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application. Bookmarks that do not contain checksums or bookmarks that contain checksums that are unnecessary are not affected by this attribute. Their usability is determined using other criteria. A hidden application attribute (a checksum salt) is used during the computation and later verification of checksums included in f?p= URLs generated during page rendering. Checksums are included when Session State Protection is enabled for the application. You can reset this checksum salt attribute at any time by clicking the Expire Bookmarks button. Clicking this button causes any bookmarked URLs that contain previously generated checksums to fail when they are subsequently used to access the application.
To configure Session State Protection, click Manage Session State Protection.
See Also:
"Understanding Session State Protection"Use Cache to enable or disable browser caching of application page contents. If enabled, the browser is allowed to save the contents of pages for this application in its cache, both in memory and on disk. Typically when caching is enabled and the browser back button is clicked, the page is loaded from the cache instead of from the server. If disabled, the browser is instructed not to save application page contents and requests the latest page content from the server whenever the URL changes.
To avoid the possibility of saving sensitive data, it is recommended that this attribute be disabled. Otherwise, it is possible to go back in the browser history after a logout and see cached content from a previous session. Disabling the browser cache also prevents issues with pages that use partial page refreshes, such as is the case with interactive reports.
Use Embed in Frames to control if a browser may display your application's pages within a frame. Available options include:
Deny - The page cannot be displayed in a frame, regardless of the site attempting to do so.
Allow from same origin - The page can only be displayed in a frame on the same origin as the page itself.
Allow - The page can be displayed in any frame.
Displaying pages within frames can be misused with clickjacking attacks. In a clickjacking attack the attacker uses multiple layers to trick a user into clicking a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks (or keystrokes) meant for their page and routing them to another page.
Tip:
Both of these features require modern browsers that support the HTTP header response variable x-frame-options.Attributes available under Database Session include:
Initialization PL/SQL Code
Use this attribute to enter a PL/SQL block that sets a context for the database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the APP_USER
value is established. The value of APP_USER
(using :APP_USER
or v
('APP_USER
')) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state before the initiation of the current page request. Consider the following example:
dbms_session.set_context('CTX_USER_QRY','USERPRIV',my_package.my_function(:APP_USER));
The previous example sets the value of USERPRIV
in the context named CTX_USER_QRY
to the value returned by the function my_function
in package my_package
. The function is passed the current value of APP_USER
as an input argument. Presumably, the named context would be used in a VPD policy (created within the application's parsing schema) to effect the generation of predicates appropriate to the authenticated user.
Virtual Private Database, also known as Fine-Grained Access Control or FGAC, is an Oracle database feature that provides an application programming interface (API) that enables developers to assign security policies to database tables and views. Using PL/SQL, developers can create security policies with stored procedures and bind the procedures to a table or view by means of a call to an RDBMS package. Such policies are based on the content of application data stored within the database, or based on context variables provided by Oracle database. In this way, VPD permits access security mechanisms to be removed from applications, and to be situated closer to particular schemas.
The code entered in this section need not pertain to VPD/FGAC and may not be related to security at all. Any code that must be executed at the earliest point in a page request can be placed here. For example, to set the database session time zone for every page request:
BEGIN EXECUTE IMMEDIATE 'alter session set time_zone = ''Australia/Sydney'' '; END;
Cleanup PL/SQL Code
Use this attribute to enter a PL/SQL block that runs at the end of page processing. It can be used to free or clean up resources that were used, like VPD contexts or database links.
Example 1:
dbms_session.clear_context('CTX_USER_QRY');
This call resets the application context named CTX_USER_QRY
before the database session is given back to the session pool, to ensure that no information will be leaked when it gets reused.
Example 2:
dbms_session.close_database_link('SALES');
This call closes the database link SALES
, which might have been opened in the Initialization PL/SQL Code or implicitly, just by querying data through the link. Again, this frees resources and prevents resource leakage when the database session is reused.
In Application Builder you can develop applications that can run concurrently in different languages. A single application can be translated to support different languages. Use the attributes on the Edit Globalization Attributes page to specify globalization options such as the primary application language.
See Also:
"Managing Application Globalization"To access the Edit Globalization Attributes page:
On the Workspace home page, click the Application Builder icon.
Select an application.
The Application home page appears.
Click Shared Components.
The Shared Components page appears.
Under Globalization, click Globalization Attributes.
The Edit Globalization Attributes page appears.
The following sections describe the attributes available on the Edit Globalization Attributes page.
Identifies the language in which an application is developed. This language is the base language from which all translations are made. For example, suppose application 100 was authored in English, translated into French, and published as application 101. English would be the Application Primary Language.
All modifications to the application should be made to the primary language specified here.
Determines how Application Builder determines or derives the application language.
The application primary language can be static, derived from the Web browser language, or determined from a user preference or item. The database language setting also determines how the date is displayed and how certain information is sorted.
This option enables you to disable browser derived language support. You also have the option of having the application language derived from an application preference. To learn more, see Field-level Help.
Determines the date format to be used in the application.
This date format is used to alter the NLS_DATE_FORMAT
database session setting before showing or submitting any page in the application. This value can be a literal string containing a valid Oracle date format mask or an item reference using substitution syntax. If no value is specified, the default date format is derived from the database session at runtime. Consider the following examples:
Month DD, YYYY &MY_DATE_FORMAT.
Specify the date time format to be used in the application.
This date time format can be referenced in an application using the substitution reference &APP_DATE_TIME_FORMAT.
, or in PL/SQL using the function v('APP_DATE_TIME_FORMAT')
. This attribute does not alter any NLS settings. This value can be a literal string containing a valid Oracle date format mask or an item reference using substitution syntax. If this attribute value is not specified, then a reference to APP_DATE_TIME_FORMAT
will return the NLS database session date format and the NLS time format. Consider the following examples:
Month DD, RRRR HH24:MI &MY_DATE_TIME_FORMAT.
Determines the timestamp format to be used in the application. Select a timestamp format from the list of values.
This timestamp format is used to alter the NLS_TIMESTAMP_FORMAT
database session setting prior to showing or submitting any page in the application. This value can be a literal string containing a valid Oracle timestamp format mask or an item reference using substitution syntax. If no value is specified, the default timestamp format is derived from the database session at runtime. Consider the following examples:
DD-MON-RR HH.MI.SSXFF AM &MY_TIMESTAMP_FORMAT.
Determines the timestamp with time zone format to be used in the application.
This date format is used to alter the NLS_TIMESTAMP_TZ_FORMAT
database session setting prior to showing or submitting any page in the application. This value can be a literal string containing a valid Oracle timestamp with time zone format mask or an item reference using substitution syntax. If no value is specified, the default timestamp with time zone format is derived from the database session at runtime. Consider the following examples:
DD-MON-RR HH.MI.SSXFF AM TZR &MY_TIMESTAMP_TZ_FORMAT.
Controls the setting of the database session time zone. When set to Yes, the client time zone is derived from the client's Web browser and set for the duration of the Application Express session.
Subsequent page views will have the database session time zone set properly per page view. Once set, this setting can be overridden using APEX_UTIL.SET_SESSION_TIME_ZONE
, or reset using APEX_UTIL.RESET_SESSION_TIME_ZONE
.
See Also:
Oracle Application Express API ReferenceAutomatic CSV Encoding controls the encoding of all comma-delimited (CSV) report output in an application. The default value for Automatic CSV Encoding is No. If Automatic CSV Encoding is set to Yes, CSV report output is converted to a character set compatible with localized desktop applications. The character set for the CSV encoding is determined by the Application Language Derived From setting.
The encoding of pages in Application Builder is determined by the character set of the database access descriptor (DAD) used to access Oracle Application Express. For example, if the character set of the database access descriptor is AL32UTF8, all pages in all applications in the Oracle Application Express user interface are encoded in UTF-8.
By default, the CSV output from report regions is encoded in the same character set as the database access descriptor. However, some desktop spreadsheet applications require that the data is encoded in the client desktop operating system character set. In the case of multibyte data, the CSV output from report regions will often appear corrupted when opened by a desktop spreadsheet application. This is because the CSV output is encoded differently than what is required by the desktop application. Enabling Automatic CSV Encoding resolves this issue.
For example, if the user's language preference for an application is de
, the CSV data is encoded in Western European Windows 1252
, regardless of the Database Access Descriptor character set setting. If the user's language preference is zh-cn
, the CSV data will be encoded in Chinese GBK.