7.5 Managing Application Attributes

Name

Provides a short descriptive name for the application to distinguish it from other applications in your development environment.

Application Alias

Assigns an alternate alphanumeric application identifier. You can use this identifier for the application ID.

For example, suppose you create an alias of myapp for application 105. Using f?p syntax, you could call application 105 as either:

• f?p=105:1

• f?p=myapp:1

See Also: "About Using f?p Syntax to Link Pages"

Version

Includes the application's version number on a page. You can also automatically tie the version to the date of last modification using the following format masks:

• YYYY.MM.DD

• MM.DD.YYYY

• DD.MM.YYYY

If your application version uses YYYY.MM.DD, then Application Builder replaces this format mask with the date of last modification of any application attribute.

Application Group

Displays the application group currently associated with this application. To select another application group, make a selection from the list. To remove an application from an existing group, select Unassigned.

See Also: "Managing Application Groups"

Logging

Determines whether user activity is recorded in the Oracle Application Express activity log. When set to Yes, every page view is logged, enabling an administrator to monitor user activity for each application.

Disabling logging may be advisable for high volume applications.

This attribute can only be modified if the Application Activity Logging attribute in Oracle Application Express Administration Services is set to Use Application Setting.

See Also: "Enabling Application Activity" in Logging in Oracle Application Express Administration Guide.

Debugging

Controls debug mode for the current application. Available options include:

• Yes - Enables the application to run in a debug mode.

• No - Prevents end users from running an application in debug mode.

Running an application in debug mode is useful when an application is under development. However, for a production application, it is a good idea to disable debugging and thus obfuscate application logic.

Allow Feedback

Enables support for end user feedback for this application. Select Yes or No.

If enable this option, you must create a feedback page and navigation bar icon to call that page. If you later disable feedback, the navigation bar icon is hidden.

See Also: "Managing Feedback"

Compatibility Mode

This attribute controls the compatibility mode of the Application Express runtime engine. Certain runtime behaviors are changed from release to release. Use this attribute to obtain specific application behavior. To realize new behavior in an application, set the compatibility mode of the application to the current version.

Application Email from Address

Determines the email address to use as the from address in the application.

Enter a valid email address to use as the from address when sending email from an email download or subscription. The value can be a literal string containing a valid email or a static substitution reference defined in the application using substitution syntax APP_EMAIL. Examples:

john.doe@abc.com
&MY_APP_EMAIL_FROM.

Oracle does not recommend using an item substitution at the application or page-level since it only works in email download, but not for subscriptions.

You can also specify the from address on the Interactive Report Attributes page. See "Editing Classic Report Attributes in Component View."

Proxy Server

Use this field to specify a proxy server.

For example, you may require a proxy server when using a region source type of URL. The URL region source embeds the results of the URL (that is, the page returned by navigating to the URL) as the region source. If you use a firewall and the target of a URL is outside the firewall relative to Application Builder, you may need to specify a proxy server.

You can reference values entered into this field from PL/SQL using the PL/SQL package variable APEX_APPLICATION.G_PROXY_SERVER.

Status

Specifies whether the application is available or unavailable for use. Options include:

• Available - Application is available with no restrictions.

• Available with Developer Toolbar - Application is available for use. For developers, the Developer Toolbar displays on each page. Requires the developer to be logged in to the Application Builder in the same browser session.

• Available to Developers Only - Application is available to users having developer privileges.

• Restricted Access - Application is available to developers named in the Restrict to comma separated user list.

• Unavailable - Application cannot be run or edited. The message in Message for unavailable application displays when users attempt to access the application.

• Unavailable (Status Shown with PL/SQL) - Application cannot be run or edited.

• Unavailable (Redirect to URL) - Application cannot be run. The user is linked to the URL entered in Message for unavailable application.

See Also: "Changing Build Status for Multiple Applications" in Oracle Application Express Administration Guide, "Changing Application Build Status Set During Deployment" in Oracle Application Express Administration Guide, and "Controlling Access to Applications, Pages, and Page Components"

Build Status

Identifies the build status of the current application. Options include:

• Run and Build Application - Developers and users can both run and develop the application.

• Run Application Only - Users can only run the application. This option is intended for applications in a production instance.

See Also: "Changing Application Build Status Set During Deployment" in Oracle Application Express Administration Guide

Message for unavailable application

Use this attribute with Status. If you set Status to Unavailable, Unavailable (Status Shown with PL/SQL), or Unavailable (Redirect to URL), the text you enter in this attribute displays. If you set Status to Available, the text you enter in this attribute does not display.

Restrict to comma separated user list (status must equal Restricted Access)

Use this attribute with the Status Restricted Access. If you set Status to Restricted Access, only the users listed in this attribute can run the application. To use this attribute:

1. From the Status list, select Restricted Access.

2. Enter a comma-delimited list of users who can run the application in the field provided.

Default Error Display Location

Identifies where the validation error messages display for basic validations performed by Application Express or by plug-ins. Validation error messages can display in a notification area (defined as part of the page template), or within the field label. Options include:

• Inline with Field and in Notification - Error messages display in a notification area defined as part of the page template.

• Inline with Field - Error messages display within the field label.

• Inline in Notification - Displays in the #NOTIFICATION_MESSAGE# template substitution string when an error occurs on the page.

Error Handling Function

Enter the name of a PL/SQL error function to be called to modify the existing error message and display a more user-friendly message or log the error if one occurs. This function can reference a package function or standalone function in the database. For example:

log_apex_error

When referencing a database PL/SQL package or standalone function, use the #OWNER# substitution string to reference the parsing schema of the current application. For example:

#OWNER#.log_apex_error

You must implement error handling functions using the syntax described in the apex_error package.

function <name of function> (
    p_error in apex_error.t_error )
    return apex_error.t_error_result

See Also: apex_error in Oracle Application Express API Reference

Note: Error handling specified at the page-level overwrites any error handling function specified here.

Public User

Identifies the Oracle schema used to connect to the database through the Database Access Descriptor (DAD). The default value is ANONYMOUS in environments where the database server version is Oracle Database Express Edition and it is APEX_PUBLIC_USER for all other versions of the database server.

Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string APP_USER.

Note: Previous versions of Oracle Application Express used the built-in substitution string HTMLDB_PUBLIC_USER.

When APP_USER equals this value, the Application Express engine considers the current session to be a public user session. The Application Express engine supports the following built-in display conditions:

• USER_IS_PUBLIC_USER

• USER_IS_NOT_PUBLIC_USER

If the current application user (APP_USER) equals the value of this attribute, then the user is logged on as a public user. Some applications have public (not logged in) and private (logged in) modes. By determining if the user is the public user, you can conditionally display or hide information.

For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using APEX_APPLICATION.G_PUBLIC_USER. The Application Express engine also has built in condition types USER_IS_PUBLIC_USER and USER_IS_NOT_PUBLIC.

See Also: "HOME_LINK" and "Understanding Conditional Rendering and Processing"

Authentication Scheme

Select from the authentication schemes defined for the application. To create an authentication scheme, click Define Authentication Schemes.

See Also: "How Authentication Works" and "Creating an Authentication Scheme"

Authorization Scheme

Make a selection from this list to specify an authorization scheme for your application.

For example, if you only want company employees to be able to log in to an application you could define an authorization scheme that is true if the users email address ends in '@somecompany.com' and then select that authorization scheme for this option.You can assign only one authorization scheme to an entire application. However, you can assign an authorization scheme to individual pages, page controls (such as a region, a button, or an item), or a shared component (such as a menu, a list, or a tab).

Define Authorization Schemes

Click Define Authorization Schemes to create an authorization scheme.

Run on Public Pages

Use Run on Public Pages to control whether the application-level authorization scheme is checked on public pages (that is, pages that do not require authorization). Options include:

• Yes - If you select Yes and the page is public, the application authorization is checked.

• No - If you select No and the page is public, the application authorization is ignored.

Application-level authorization is never evaluated on the login page (independent of Run on Public Pages), because authorizations typically are dependent on the username.

Rejoin Sessions

The Rejoin Sessions attribute control if Application Express should support application URLs that do not contain session IDs. When rejoin sessions is enabled, Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.

A more restrictive instance-level setting overrides this page level value.

Note: Enabling rejoin sessions exposes your application to possible security breaches, as it can enable attackers to take over existing end user sessions. See "About Rejoin Sessions."

Rejoin Sessions options include:

• Disabled - If the URL does not contain a session ID Application Express creates a new session.

• Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID, Application Express attempts to utilize the existing session cookie established for that application. Application Express only joins using the cookie when the session is not yet authenticated.

• Enabled for All Sessions - If the URL does not contain a session ID, Application Express attempts to utilize the existing session cookie established for that application, providing the following conditions are met:

  Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level.

  OR, the URL does not contain payload (a request parameter, clear cache or data value pairs).

  This option requires that Embed In Frames be set to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs.

Deep Linking

Use this attribute to enable or prevent deep linking to an application. Options include:

• Enabled - The URL to a specific page ultimately redirects there, possibly after the user has logged in.

• Disabled - If the URL does not contain a valid session ID, Application Express starts a new session and redirects to the application's home page.

For example, browsers often save the URLs of opened tabs and try to restore the sessions after a restart, causing a deep link. This behavior may be undesirable (for example if a URL points to a page in the middle of a multi-step wizard). By selecting Disable, Application Express starts a new session and redirects to the application's home page.

See Also: "Security" to learn more about overriding this behavior at the page-level.

Maximum Session Length in Seconds

Enter a positive integer to control how many seconds a session exists and should be used by this application. Leave the value null to revert the value to the instance level setting. Enter 0 to have the session exist indefinitely. The session duration may be superseded by the operation of the job that runs every eight hours which deletes sessions older than 12 hours.

Session Timeout URL

Enter an optional URL to redirect to when the maximum session lifetime has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If no URL is supplied, the user is redirected to the application home page.

Only three substitution items are supported:

• &APP_SESSION.

• &SESSION.

• &APP_ID.

Because of the particular purpose of this URL. it is not necessary to include either &APP_SESSION. or &SESSION. in the link.

Maximum Session Idle Time in Seconds

Enter a positive integer to control the seconds of inactivity or idle time for sessions used by this application. The idle time is the time between one page request and the next one. Leave the value null to revert the value to the instance level setting. Set to 0 to prevent session idle time checks from being performed.

Session Idle Timeout URL

Enter an optional URL to be redirected to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session timeout and to present a login link or other options. If no URL is supplied, the user is redirected to the application home page.

Only three substitution items are supported in this URL:

• &APP_SESSION.

• &SESSION.

• &APP_ID.

It is not necessary to include either &APP_SESSION. or &SESSION. in the link.

Session State Protection

Make a selection from the Session State Protection list, to enable or disable Session State Protection for your application. Selecting Enabled turns on session state protection controls defined at the page and item level.

Allows URLS Created After

Lists the date and time after which bookmarked links are usable to access pages in this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application.

Bookmarks created before this date and time are not usable to access this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application. Bookmarks that do not contain checksums or bookmarks that contain checksums that are unnecessary are not affected by this attribute. Their usability is determined using other criteria. A hidden application attribute (a checksum salt) is used during the computation and later verification of checksums included in f?p= URLs generated during page rendering. Checksums are included when Session State Protection is enabled for the application. You can reset this checksum salt attribute at any time by clicking the Expire Bookmarks button.

Bookmark Hash Function

Used to create checksums for application level and user level checksums in bookmarkable URLs.

Expire Bookmarks

Click Expire Bookmarks to reset this hidden application attribute (a checksum salt) salt attribute at any time. Clicking this button causes any bookmarked URLs that contain previously generated checksums to fail when they are subsequently used to access the application.

Tip: You can also click Expire Bookmarks to change the Bookmark Hash Function to switch to a different algorithm for computing checksums.

Manage Session State Protection

Click Manage Session State Protection to configure Session State Protection.

Cache

Use Cache to enable or disable browser caching of application page contents. If enabled, the browser saves the contents of pages for this application in its cache, both in memory and on disk. Typically when caching is enabled and the browser back button is clicked, the page is loaded from the cache instead of from the server. If disabled, the browser is instructed not to save application page contents and requests the latest page content from the server whenever the URL changes.

To avoid the possibility of saving sensitive data, Oracle recommends that this attribute be disabled. Otherwise, it is possible to go back in the browser history after a logout and see cached content from a previous session. Disabling the browser cache also prevents issues with pages that use partial page refreshes, such as is the case with interactive reports.

If this attribute is set to Disabled, Application Express sends the HTTP header cache-control: no-store which instructs the browser to not cache the page contents on disk or in memory. Note that this feature requires modern browsers that support the HTTP header response variable cache-control.

Embed in Frames

Controls if a browser may display your application's pages within a frame. Available options include:

• Deny - The page cannot be displayed in a frame, regardless of the site attempting to do so.

• Allow from same origin - The page can only be displayed in a frame on the same origin as the page itself.

• Allow - The page can be displayed in any frame.

Displaying pages within frames can be misused with "clickjacking" attacks. In a clickjacking attack the attacker uses multiple layers to trick a user into clicking a button or link on another page when they were intending to click the top level page. Thus, the attacker is hijacking clicks (or keystrokes) meant for their page and routing them to another page.

HTML Escaping Mode

Defines how Oracle Application Express escapes special characters. Options include:

• Basic: Escape &, ", < and >

• Extended: Escape &, ", <, >, ', / and non-ASCII characters if the database character set is not AL32UTF8

HTTP Response Headers

Enter additional application specific HTTP headers that Oracle Application Express should send on each response and that it does not support in another way (for example, X-Frame-Options using the Embed in Frames attribute).

Example:

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

Parsing Schema

Specifies the schema that all SQL and PL/SQL in the application will be parsed as. You may use #OWNER# to reference this value in SQL queries and PL/SQL (for example, in a region or a process).

Initialization PL/SQL Cod

Use this attribute to enter a PL/SQL block that sets a context for the database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the APP_USER value is established. The value of APP_USER (using :APP_USER or v('APP_USER')) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state before the initiation of the current page request. To view examples, see field-level Help.

Cleanup PL/SQL Code

Use this attribute to enter a PL/SQL block that runs at the end of page processing. It can be used to free or clean up resources that were used, like VPD contexts or database links. To view examples, see field-level Help.

Runtime API Usage

Control how this application can access Oracle Application Express APIs that modify applications and workspace data, while it is running. Options include:

• Modify This Application: The application can modify itself.

• Modify Other Applications: The application can change other applications in the workspace.

• Modify Workspace Repository: The application can change workspace users and groups.

Static File Prefix

Determines the virtual path the web server uses to point to the static files of the application. Use this attribute to centrally change where static application files should be loaded from without changing all file references in an application. For example, you can use this attribute to point to a directory on the web server to avoid having to load files from the database and improve application performance.

If you specify a Static File Prefix, the substitution string #APP_IMAGES# returns that value. For example, you could enter a valid URL to reference them:

/myFiles/
http://contentDeveliveryNetwork.com/myFiles/

If you do not specify a Static File Prefix, the substitution string #APP_IMAGES# returns a URL to reference files from Shared Components, Static Files which will load the files from the database.

Tip: Do not use this attribute to reference files which are stored with your application definition in the database.

Image Prefix

Determines the virtual path the web server uses to point to the images directory distributed with Application Builder. During installation, the virtual path is configured as /i/.

When embedding an image in static text (for example, in page or region headers or footers), you can reference an image using the substitution string #IMAGE_PREFIX#. For example, to reference the image go.gif, you would use the following syntax:

<img src="#IMAGE_PREFIX#go.gif">

See Also: "IMAGE_PREFIX"

Media Type

Enter the Internet Media Type. An Internet Media Type is two-part identifier for file formats on the Internet. A Media Type is composed of at least two parts: a type, a subtype, and one or more optional parameters. This Media Type is used in the Content-Type HTTP header when rendering the page.

The page-level Media Type overrides the application-level Media Type. The default value for this attribute is NULL. If both the page-level and application-level values for Media Type are NULL, the Media Type text/html is used.

User Interface Type

Displays the selected interface type. A Desktop user interface is used for applications primarily designed for desktop use. A Mobile user interface is used for applications primarily designed for use on smartphones and tablets.

Display Name

Specify a display name for the user interface. The display names is shown in wizards, such as the create theme wizard.

Sequence

Specify the display sequence for the user interface.

Auto Detect

Select whether the user interface should be automatically detected. If auto-detection is enabled, the user will be redirected to the corresponding login page or home page.

Default

Select whether the user interface is the default interface for the application.

Home URL

Specify the home page of the application for the current user interface.

Login URL

Specify the login page of the application for the current user interface.

Theme

Shows the theme currently associated with the user interface. See Also: "Switching Themes"

Theme Style

Select a theme style. This option only displays for newer themes that support theme styles.

See Also: "Using Theme Styles"

Global Page

If defined, displays the global page for the application.

See Also: "Creating a Global Page to Display Components on Every Page"

Implementation

Select how to you wish to implement the navigation bar in this application. Options include:

• Classic - Renders the navigation bar as a classic navigation bar in the #NAVIGATION_BAR# position on your page template.

• List - Renders the navigation bar as a list, using the selected list and list template in the #NAVIGATION_BAR# position on your page template.

Navigation Bar List

Select the list utilized for the navigation menu for the application.

List Template

Select the list template used to render the navigation menu for this application.

Template Options

Set template options for the list template used for the navigation menu list for the application.

Content Delivery Network

Specify the Content Delivery Network used to load the 3rd party libraries jQuery and jQuery Mobile.

Using a Content Delivery Network can reduce the loading time of your application if the user has visited other websites which also use the same content delivery network to load the jQuery files. It is very likely that those calls are still in the browser cache and do not have to be downloaded again. Especially on mobile devices with limited browser caches, this can improve performance because it is not so likely that the files are purged from the cache.

Note: The Google and Microsoft Content Delivery Network do not currently host the correct version of the jQuery Mobile library, so selecting either of these will only influence the jQuery library being served from their Content Delivery Network, jQuery Mobile will still be served from your web server.

File URLs

Enter JavaScript file URLs for code to be loaded on every page. Each URL has to be written into a new line. If you provide a minified version of your file, you can use the substitution string #MIN# to include .min or #MIN_DIRECTORY# to include minified/ in your file URL for a regular page view and an empty string if the page is viewed in debug mode.

JavaScript file URLs you enter here replaces the #APPLICATION_JAVASCRIPT# substitution string in the page template.

Note: You do not need to include opening or closing script tags. Just write the URL.

Examples:

• Standard file reference:

  /myjs/main.js
  

• Standard file reference which loads the minified file main.min.js for regular page views and main.js in Debug mode:

  /myjs/main#MIN#.js
  

• Conditional file for Internet Explorer

  [if IE]/myjs/ie.js
  

Include Legacy JavaScript

Specifies if the legacy JavaScript functions are included on every page in the application. If you are confident your application does not contain any references to the legacy functions, set this to No to reduce the overall size of the JavaScript files loaded.

To determine what if any deprecated jQuery features are used, run the application with the Browser console log open and look for log messages displayed by jQuery Migrate.

See Also: "Legacy JavaScript APIs" in Oracle Application Express API Reference

Include jQuery Migrate

Specifies if the jQuery Migrate plug-in should be included on every page in the application.

The plug-in restores deprecated features and behaviors of jQuery so that old JavaScript code and jQuery plug-ins will still run properly with the jQuery version loaded by Application Express.

If you are confident your application and any used jQuery plug-in does not contain any references to deprecated jQuery features, set this to No to reduce the overall size of the JavaScript files loaded.