Joel Kallman

Subscribe to Joel Kallman feed
Turning customers into rockstars, with the Oracle Database, PL/SQL and Oracle Application Express.Joel R. Kallmanhttp://www.blogger.com/profile/01915290758512999160noreply@blogger.comBlogger184125
Updated: 14 hours 42 min ago

Correlating APEX Sessions to Database Sessions

Fri, 2016-09-30 08:01
I received the following question via email today:

"Had a question from a client yesterday concerning the subject:  I want to know which database session (APEX_PUBLIC_USER)  is servicing which APEX session. Poking around in the V$ tables, I can see that in v$SQL, the module column will reveal the APEX Application and Page, but not the Session ID.  Even if the session ID was in there, I don’t see an obvious way to join back to V$SESSION." 

It's a bit of a puzzling problem for DBA's and developers - being able to correlate a database session with a specific APEX application and session.  As I wrote about earlier, all database sessions in the database session pool of ORDS are connected as APEX_PUBLIC_USER (or ANONYMOUS, if you're using the embedded PL/SQL Gateway).  If a user is experiencing slowness in their APEX application, how can a DBA look under the hood, identify the database session associated with the request from that user, and also look at the active SQL statement and possibly any wait events with that session?

This question comes up a lot, and should really be covered in the Oracle Application Express documentation.  But in the meantime, here's the definitive answer:

APEX populates the following information in GV$SESSION for ACTIVE sessions:

client_info: Workspace ID:Authenticated username
module: DB Schema/APEX:APP application id:page id
client_identifier: Authenticated username:APEX Session ID

For example, for a recent request I did on apex.oracle.com, I had the following values in the DB session that executed my request:

client_info: 3574091691765823934:JOEL.KALLMAN@FOOBAR.COM
module: JOEL_DB/APEX:APP 17251:4
client_identifier: JOEL.KALLMAN@FOOBAR.COM:12161645673208

There is no permanent, fixed correlation between an APEX session and a database session.  The assignment of a session in the session pool to service an APEX request is essentially unpredictable and not constant.  That's why this correlation can only be done for active database sessions, which are actively servicing APEX requests.

There's one caveat.  A developer could overwrite these values using the database-provided PL/SQL API, which I've seen customers do occasionally.  Otherwise, for active database sessions, you'll see these three elements populated in GV$SESSION, and module & client_identifer will also be present in the Active Session History.  Carlos Sierra has an excellent blog post about how to query the Active Session History and identify poor performing APEX applications and their associated SQL.


Lessons Learned in 20 Years at Oracle

Wed, 2016-09-14 20:59
I've known Mark, a technical pre-sales consultant at Oracle, for a number of years.  I was bcc'd on the farewell email message that he sent out today, his last working day at Oracle.  As he said, he's learned a few things over his past 20 years at Oracle and thought he would share them.  They were quite simple and powerful reminders - and important enough that I shared them with our entire development and QA teams.

OWN IT —  Things sometimes go off track.   Whether it was something on your team that went sideways or it was another team's responsibility, step up, own the problem and deliver a resolution.  LEARN IT —  There are always new technologies, solutions, processes, and procedures.   Set aside time to learn and master what is new so that you are prepared when the time comes.   TEACH IT — When you master something new, find someone else with whom you can share it.  GROW IT — Your team is incredibly valuable.   Take the time to invest in your teammates and equip them with new capabilities. OVERLOOK IT — People can make poor decisions.   Fight the urge to gossip about them.   Look for the best and ignore the rest.  

Securing Application Express when using Oracle REST Data Services (ORDS)

Sun, 2016-07-24 21:54
If you are using Oracle REST Data Services as the "PL/SQL Gateway" for Oracle Application Express, ensure that your ORDS configuration includes the following line:

wwv_flow_epg_include_modules.authorize

It is important that you do this, and let me explain why.

Fundamentally, the APEX "engine" is really nothing more than a big PL/SQL program running inside the Oracle Database.  When a browser makes a request for a page in an APEX application, that request is mapped to a PL/SQL procedure which is running inside the database.  If you examine an APEX URL in your browser, you may see something like 'f?p=...', and this is invoking a PL/SQL procedure in the database named 'F' with a parameter named 'P'.

There are a number of procedures in the APEX engine which are intended to be invoked from a URL.  But there may be other procedures in your database, possibly owned by users other than the Application Express user, which are not intended to be called from a URL.  In some cases, these other procedures could leak information or introduce some other class of security issue.  There should be a simple list of procedures which are permitted to be invoked from a URL, and all others should be blocked.  This is known as a "whitelist", and fortunately, there is a native facility in APEX which defines this whitelist.  You just need to tell ORDS about this whitelist.

When you configure ORDS with the following entry in the configuration file:

wwv_flow_epg_include_modules.authorize

You are instructing ORDS to validate the PL/SQL procedure requested in the URL using the PL/SQL function wwv_flow_epg_include_modules.authorize.  This whitelist will contain all of the necessary entry points into the APEX engine, nothing more, nothing less.

If you rely upon functionality in your application which makes use of PL/SQL procedures not defined in this whitelist, this functionality will break when you specify the security.requestValidationFunction.  I often encounter customers who invoke PL/SQL procedures in their application schema to download files, but there are better (and more secure) ways to do this, which would not break when implementing this whitelist.

Like any change to infrastructure or configuration, you should thoroughly test your applications with this setting prior to introducing it into a production environment.  But if one or two things break because of this change, don't use that as an excuse to not implement this configuration change.  Identify the issues and correct them.  While there is a method in place to extend the whitelist, in practice, this should be seldom used.

If you're using ORDS as a mod_plsql replacement for your PL/SQL Web Toolkit application and not using APEX, then please avoid this configuration setting.  APEX typically won't be installed in your database, and the whitelist will be irrelevant for your application.

The function wwv_flow_epg_include_modules.authorize has been around for more than 10 years (our teammate Scott added it in 2005), and it has been a part of the embedded PL/SQL Gateway and mod_plsql default configuration for a long time.  And while it has been documented for use with ORDS, a reasonable person might ask why this isn't simply part of the default configuration of APEX & ORDS.  I did confirm with the ORDS team that this will be included in the default configuration when using the PL/SQL Gateway of ORDS, beginning in ORDS 3.0.7.

APEX session isolation across multiple browser tabs - Problem Solved (in APEX 5.1)

Mon, 2016-07-04 07:32
Since the genesis of Oracle Application Express, customers have asked for a way to open multiple browser tabs (or windows) of an APEX application and have the session state isolated between the respective tabs.  There is one and only one APEX session associated with a client, and because of this behavior in APEX, customers would find that the session state manipulated in one browser tab would collide with the session state of the other browser tab.

This has always been a vexing problem to solve for many years.  Back in 2007, I remember Carl Backstrom had spent countless hours researching for some handle or unique identifier to a browser window that we could correlate with a distinct browser session cookie, but he was never able to identify a feasible solution.  Customers have long asked for a solution, but all we were able to propose were rather cumbersome work arounds (ensure all items necessary for session state were posted with the page, or use the multiple DNS aliases "trick" for each tab).

In October 2015, our friends from BiLog arranged an informal meeting with a couple large enterprise customers from Croatia.  Goran, who was from one of the enterprise customers in the insurance industry, stated that the session management behavior of APEX presented a real problem for them.  Their typical scenario involved a sales representative who would meet with a customer in-person.  Because they wanted to offer insurance quotes or initiate insurance applications on multiple products, the sales representative would open up multiple tabs of their APEX application.  Of course, the session state across all of these tabs would collide and effectively corrupt the quoting process.  As Goran stated at the time, it became more and more difficult to justify the use of APEX because of this troublesome behavior.  I had no immediate answer, but I told him we would redouble our efforts and look at this problem again.

In February of this year, I had one of those lightbulb moments, and realized that we had been thinking about this problem the wrong way, and we needed to turn it inside out.  In APEX, there is always a single browser session cookie associated with an APEX session.  We were always trying to come up with a way to generate a new and differentiated browser session cookie every time a new tab was opened, and then associate this new browser session cookie with a new APEX session.  But the new approach was to simply keep the one and only one browser session cookie, and have this associated with multiple APEX sessions on the server.  I expressed my idea to the supremely intelligent Christian Neumueller of the APEX development team, and he went about with a masterful design and implementation of this feature.

In Application Express 5.1, we are introducing a new request to the APEX engine named APEX_CLONE_SESSION.  When requested from an existing APEX session, this will generate a new APEX session identifier and associate it with the existing browser session cookie.  Additionally, it will copy all of the session state values from the old session to the new session.  You, the developer, would have to provide a link for your end users to open up new browser tabs, and include APEX_CLONE_SESSION in the request of the URL.  So instead of your end users manually opening up a new tab from your APEX application, you would have to give them a prescribed way to open new tabs - could be a dynamic action or a button or a link.  The URL in the new tab should include APEX_CLONE_SESSION in the "Request" portion of the APEX URL.

An example URL would be:
f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:APEX_CLONE_SESSION

Because we were a bit paranoid about this feature until we could thoroughly vet the security of it, by default, this capability is turned off.  You can override this setting for a specific workspace by using the Administration API:

apex_instance_admin.set_workspace_parameter(
p_workspace => 'JOELS_WORKSPACE',
p_parameter => 'CLONE_SESSION_ENABLED',
p_value => 'Y');

or you can enable it for the entire instance using:
apex_instance_admin.set_parameter(
p_parameter => 'CLONE_SESSION_ENABLED',
p_value => 'Y');

This feature is enabled instance-wide on the Application Express 5.1 Early Adopter site at https://apexea.oracle.com.  We would welcome your feedback about this feature.  And if you're reading this blog post after APEX 5.1 is generally available, please feel free to try it in your own APEX 5.1 (or later) instance or on https://apex.oracle.com.

An Important Change Coming for Oracle Application Express in Oracle Database 12cR2

Tue, 2016-03-29 21:20
A minor but important change is happening for Oracle Application Express in the forthcoming Oracle Database 12cR2.  Specifically, Oracle Application Express will not be installed by default in the Oracle Database.  This change was made specifically at our request.  We thought the pros far outweighed the cons, and we thought this was good for our customers and consistent with our recommendations.

Pros
  1. Provides flexibility for a DBA to run multiple APEX versions in an Oracle Multitenant Container Database.
  2. Customers are always advised to install latest version of APEX.  The version of APEX that is bundled with the Oracle Database is quickly out of date.
  3. Reduces the Oracle Database upgrade time if APEX is not installed.
  4. Will result in less space consumption on disk and in the Database.
  5. Consistent with the deployment of Application Express in the Oracle Database Cloud
  6. Consistent with our recommendations in Oracle documentation and from Mike Dietrich, Product Manager for Oracle Database Upgrade & Migrations.
  7. Reduces the attack surface for Oracle Multitenant Container Databases which do not require APEX.
Cons
  1. Requires more steps for customers to get up and running with APEX in a new Oracle Database.  (Granted, this would be with the version of APEX that is bundled with the Oracle Database, which as cited earlier, can get out of date rather quickly).

With all this said, a few things remain unchanged:
  • Oracle Application Express will continue to be a fully supported and included Oracle Database feature
  • Oracle Application Express will continue to ship with the Oracle Database 12cR2, in directory $ORACLE_HOME/apex.
  • It will continue to be supported to install and run Oracle Application Express in the "root" of an Oracle Multitenant Container Database
  • It will continue to be supported to install and run Oracle Application Express locally in a pluggable database in an Oracle Multitenant Container Database
  • Oracle Application Express will be an installable component in the Oracle Database Creation Assistant (DBCA)
The only thing that's changing is the out-of-the-box configuration of APEX, to not be installed by default.


Oracle Database 12c Features Now Available on apex.oracle.com

Sat, 2016-01-30 06:42
As a lot of people know, apex.oracle.com is the customer evaluation instance of Oracle Application Express (APEX).  It's a place where anyone on the planet can sign up for a workspace and "kick the tires" of APEX.  After a brief signup process, in a matter of minutes you have access to a slice of an Oracle Database, Oracle REST Data Services, and Oracle Application Express, all easily accessed through your Web browser.

apex.oracle.com has been running Oracle Database 12c for a while now.  But a lot of the 12c-specific developer features weren't available, simply because the database initialization parameter COMPATIBLE wasn't set to 12.0.0.0.0 or higher.  If you've ever tried to use one of these features in SQL on apex.oracle.com, you may have run into the dreaded ORA-00406.  But as of today (January 30, 2016), that's changed.  You can now make full use of the 12c specific features on apex.oracle.com.  Even if you don't care about APEX, you can still sign up on apex.oracle.com and kick the tires of Oracle Database 12c.

What are some things you can do now on apex.oracle.com? You can use IDENTITY columns.  You can generate a default value from a sequence.  You can specify a default value for explicit NULL columns.  And much more.

You might wonder what's taken so long, and let's just say that sometimes it takes a while to move a change like this through the machinery that is Oracle.

P.S.  I've made the request to update MAX_STRING_SIZE to EXTENDED, so you can define column datatypes up to VARCHAR2(32767).  Until this is implemented, you're limited to VARCHAR2(4000).

Is Oracle Application Express Secure?

Tue, 2016-01-26 08:47
Is Oracle Application Express secure?  That's the question I received today, from the customer of a partner.  The customer asked:
"Do you know if Oracle or a third-party has verified how secure APEX is against threats or vulnerabilities? It would be nice to have something published saying how secure APEX is and how it’s never been compromised."Now I imagine smart people like David Litchfield or Pete Finnigan or Alexander Kornbrust would hope that I say something daft here.  But that's not going to happen.  As I replied to the partner:

Sorry, but this doesn't make sense, and for a couple reasons:

  1. There have been published security vulnerabilities in Application Express in the Oracle Critical Patch Update, and they have been fixed in subsequent releases of APEX.  It is incorrect to say that there have never been bugs in APEX itself.  Here's an example:  http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
  2. Secondly, even if APEX never had any security bugs in its existence, if someone built an APEX application which is susceptible to SQL Injection or cross site scripting, does that mean that APEX was compromised?
The request of this customer isn't practical for any piece of software.  If something has never been compromised, does that mean its secure?  If I find no bugs in an application written by your company, does that mean it's bug-free?

I can offer you the following:

  1. APEX 5.0.3 is the most secure version of APEX in our history.
  2. APEX 5.0.3 has more security features than any release of APEX in our history.
  3. We are never permitted to release any version of APEX with known security vulnerabilities, whether they are internally or externally filed.
  4. We routinely scan APEX itself for security vulnerabilities across a variety of threats, and do this for multiple times in a release cycle
  5. Oracle Database Cloud Schema Service runs APEX, and has endured yet another set of multiple rounds of Cloud Security testing.
  6. The Oracle Store runs APEX.
  7. APEX is used in countless military agencies and classified agencies around the globe.
  8. Even inside of Oracle, IT hosts an instance of APEX used by practically every line of business in the company, and it's cleared for the most strict information classification inside of Oracle.
  9. APEX is even used in the security products from Oracle, including Oracle Audit Vault & Database Firewall, Oracle Key Vault and Oracle Real Application Security.
There is security of APEX, and then there is security of the application you've written.  You can assess the security of an application via tools.  One of the best tools on the market is ApexSec from Recx Ltd., which we use internally for APEX applications, is used internally by the security assessment teams at Oracle for other APEX applications, and is used by numerous military and other classified agencies.

If you use Internet Explorer, change is coming for you in Oracle Application Express 5.1

Thu, 2016-01-21 13:45
With the ever-changing browser landscape, we needed to make some tough decisions as to which browsers and versions are going to be deemed "supported" for Oracle Application Express.  There isn't enough time and money to support all browsers and all versions, each with different bugs and varying levels of support of standards.

A position that's been adopted for the Oracle Cloud services and products is to support the current version of a browser and the prior major release.  We are adopting this same standard for Oracle Application Express beginning with Oracle Application Express 5.1.  This will most likely have the greatest impact on those people who use Microsoft Internet Explorer. 

Beginning with Oracle Application Express 5.1, the planned minimum version of Internet Explorer to both build and deploy applications, will be Internet Explorer 11.  I say "planned", because it's possible (but unlikely) that Microsoft releases a new browser version prior to the release of Oracle Application Express 5.1.

Granted, even Microsoft themselves has already dropped support for any version of IE before Internet Explorer 11.  And with no security fixes planned for any version of IE prior to Internet Explorer 11, hopefully this will be enough to encourage all users of IE to adopt IE 11 as their minimum version.

Oracle APEX development and multiple developers/branches

Thu, 2016-01-21 11:53
Today, I observed an exchange inside of Oracle about a topic that comes up from time to time.  And it has to do with the development of APEX applications, and how you manage this across releases and a larger number of developers.  This topic tends to vex some teams when they start working with Oracle Application Express on broader development projects, especially when people are not accustomed to a hosted declarative development model.  I thought Koen Lostrie of Oracle Curriculum Development provided a brilliant response, and it was worth sharing with the broader APEX community.

Alec from Oracle asked:
"Are there any online resources that discuss how to work with APEX with multiple developers and multiple branches of development for an application?  Our team is using Mercurial to do source control management now. The basic workflow is that there are several developers who are working on mostly independent features.  There are production, staging, development, and personal versions of the application code.  Developers implement bug fixes or new features and those get pushed to the development version.  Certain features from development get approved to go to staging and pushed.  Those features in staging may be rolled back or promoted to go on to production.  Are there resources which talk about implementing such a workflow using APEX?  Or APEX instructors to talk to about this workflow?"
And to which I thought Koen gave a very clear reply, complete with evidence of how they are successfully managing this today in their Oracle Curriculum Development team.  Koen said:

"I think a lot of teams struggle with what you are describing because of the nature of APEX source code and Database-based development.  I personally think that the development flow should be adapted to APEX rather than trying to use an existing process and apply that for APEX.

Let me explain how we do it in our team:

  • We release patches to production every 3 weeks. We have development/build/stage and production and use continuous integration to apply patches on build and stage.
  • We use an Agile-based process. At the start of each cycle we determine what goes in the patch.
  • Source control is done on Oracle Developer Cloud Service (ODCS)  – we use git and source tree. We don’t branch.
  • All developers work directly on development (the master environment) for bugs/small enhancement requests. We use the BUILD OPTION feature of APEX to prevent certain functionality from being exposed in production. This is a great feature which allows developer to create new APEX components in development but the changes are not visible in the other environments.
  • For big changes like prototypes, a developer can work on his own instance but this rarely happens. It is more common for a developer to work on a copy of the app to test something out. Once the change gets approved. it will go into development.

From what I see in the process you describe, the challenge in your process is that new changes get pulled back after they have made it to stage. This is a very expensive step. The developers need to roll back their changes to an earlier state which is a very time consuming process. And… very frustrating for the individual developer.  Is this really necessary ? Can the changes not be reviewed when in development ? Because that is what is proposed in the Agile methodology: the developer talks directly to the person/team that requests the new feature and they review as early as on development.  In our case stage is only for testing changes. We fix bugs when the app is in stage, but we  don’t roll back features once they are in stage – worst case we can delay the patch entirely but that happens very rarely.

There is a good paper available by Rob Van Wijk. He describes how each developer works on his own instance but keeps his environment in sync with the master. In his case too, they’re working on a central master environment. The setup of such an environment is quite complex. You can find the paper here: http://rwijk.blogspot.com/2013/03/paper-professional-software-development.html"

If you're new to the APEX community, here are some tips to get engaged

Thu, 2016-01-07 20:29
Last night (January 6, 2016) we had our first-in-2016 APEX Meetup meeting in Columbus, Ohio, USA.  For being on short notice, we had a nice turnout, and I was able to distribute the new apex.world stickers.  I was most impressed that a gentleman (by the name of Shannon) drove down from Cleveland, Ohio - almost 2 hours drive each way.  He's been using APEX for all of two weeks, was using it with PowerSchool, and wanted to see what this APEX was all about.

Today, I wrote on our Oracle APEX Columbus Meetup board a short summary of the information we reviewed last night.  For those people who've been doing APEX for years, none of this is going to be new.  But the information I posted may be especially helpful to those who are very new to APEX, or even curious about APEX.  I decided to simply share it again here, in the hopes that someone else just as new as Shannon will find this useful.

--

We discussed a few things last night and I wished to summarize them here:

1)  There are ways to remain connected to the APEX community via Social media:

Facebook:  https://www.facebook.com/orclapex
LinkedIn:  http://linkedin.com/groups/8263065
Twitter:  The hashtag for Oracle Application Express is #orclapex.  Most everyone who attended last night is on Twitter.  You can follow many of us.  I’m at @joelkallman.  The APEX news is at @oracleapexnews.  If you don't know anyone on twitter, just do a Twitter search for #orclapex.

I’ll be honest - almost everyone in the APEX community is heavily engaged on Twitter, a lot less on LinkedIn, and almost never on Facebook.

2)  You should get registered on https://apex.world

It’s the APEX Community site, written by others in the APEX community (outside of Oracle).  There are jobs, plug-ins, open source, twitter feeds, news, and more.  You should also get registered on Slack, because apex.world is also integrated with Slack.  Follow the instructions on apex.world to get a Slack invitation.  It’s worth it.

3)  I spoke of some upcoming conferences

There is an upcoming conference in May in Cleveland, the Great Lakes Oracle Conference.  Not only will Jason Straub and I be there, doing a couple sessions (about what’s coming in APEX 5.1), but we’re also doing a pre-conference workshop.  There will be other non-Oracle people there presenting on APEX.  You should think about presenting at this conference, and you can submit your abstracts until February.  As I tried to convey to attendees last night, don’t think that you have to submit the most exotic, obtuse topic possible.  How you’re using APEX, the challenges you’ve encountered and how you worked around them, may be a very useful topic.  The conference committee wants to expand their APEX offerings, and I think those of us in Ohio should help them. https://www.neooug.org/gloc/

b)  In June, in Chicago, is the Oracle Development Tools User Group (ODTUG) annual Kscope conference.   This is the place to be on the planet if you do any APEX whatsoever.  Just in the APEX track alone, there will be 46 sessions over 5 days.  On the Sunday before the conference starts, there will be the Sunday Symposium, which will be exclusively from the Oracle APEX product development team.  From a global perspective, this is the place to be for APEX.  It’s highly technical, and attendees and speakers from around the world assemble here.  http://kscope16.com

4)  How to get started, especially for someone who is new.  I offered a couple suggestions:

a)  Go to https://apex.oracle.com, and scroll down to the "Learn More" section, where there are links to documentation, tutorials, videos, hands-on-labs, etc.
b)  An Oracle employee mentioned that he took the APEX training class on Udemy, and for 7 hours of training, he thought it was pretty good.  I can't vouch for the training, and this isn't an official recommendation, but he thought it was worth his time and money.  He also said that while it's priced at $25, they often run specials for as low as $10.  https://www.udemy.com/create-web-apps-with-apex-5/

5)  Lastly, I showed Oracle’s community site for APEX, https://apex.oracle.com/community

I showed the numerous customer quotes we’ve received, and I put another plea out to attendees that, if you’re using APEX, please consider going through your management chain to get approvals for a quote.  At least ask.   There is no huge legal process involved, approvals can all be done via email.  The hard part is taking time out of your day job and pursuing this at your employer (or customer).  It will be a huge benefit to the entire APEX community.

P.S. I never showed it last night, but ODTUG also has a nice community site for APEX, at http://odtug.com/apex

A Few Resolutions for 2016

Fri, 2016-01-01 09:15


Jenny, from the Oracle Database Insider Newsletter, asked a number of us in the Database division at Oracle to share our New Year's resolutions for 2016.  And while I'm a bit reluctant to share this somewhat personal information, I like the fact that publicizing these resolutions may force me to remain a bit more focused on these goals.  So here goes...my resolutions for 2016:


  1. Attend an Oracle Real World Performance Training class.  I thought I knew a fair amount about the Oracle Database, SQL and tuning. But at a conference in 2015, I was able to spend some quality time around Vlado Barun from the Oracle Real World Performance team, and it quickly become clear I knew very little compared to these folks. I’m asked to diagnose “APEX issues” all the time, and the vast majority of cases are simply database configuration or SQL tuning exercises.  To become a better database developer, I need to become deeper in my understanding of the Oracle Database and performance.
  2. Broaden the message of APEX, Database and Oracle Cloud development to those we’re not reaching today.  And I specifically would like to share our message with higher education institutions and students attending university.  Developing Web and responsive applications is cool and I believe the combination of technologies (SQL, PL/SQL, APEX, Oracle Database, Cloud, REST) results in an incredibly rich application development platform.  University students probably think of “big, bad corporate” when they hear the word “Oracle”.  I want them to think “hip, cool, innovative, modern”.
  3. Be more patient and understanding of those who ask me questions.  I can actually credit a customer (Erik van Roon) who helped me to recalibrate my understanding on this topic.  Sometimes I’ll get questions where it’s clear someone hasn’t done the least bit of research into the topic.  And it was at those rare times when (to a fellow employee, never a customer), I’d reply with a lmgtfy.com link.  But as Erik correctly pointed out - I have 20 years experience, and they don’t.  Arrogance may not be the message I intend to send, but it may very well be the message that is received.  And that’s not how I wish to be perceived by anyone, ever.  Thus - time to drop my impatience and arrogance, for every occasion.
  4. Spend more time with my family.  2015 was a great year for Oracle Application Express, and I’ve never worked harder in my career than I did in 2015.  But that has a price, and I value the finite time with my family more than anything else.  While I love working for Oracle and I dearly love the team I’m blessed to work with, I value my family even more.  And I need to define a bit more rigid boundaries between work and family time.
  5. Read a novel.  When I read, it’s usually one of the following:  the Bible, a functional specification, a military history book, a computer programming/Web design book or the Wall Street Journal. My wife is an avid reader and gets such joy from well-written and captivating novels.  I’d like to expand my imagination (and vocabulary), and be able to set aside time for some reading at leisure.
  6. Learn a language.  I’ve dabbled back and forth with German over many years.  And I know enough German to order food in a restaurant.  But I’m not fluent enough for even the shortest of conversations in German. It’s time to either forge ahead with my self-study of German and practice it with the 3 native German speakers on the APEX team, or simply switch gears and direct my focus to Spanish which is probably much more practical, living in America.
  7. Exercise at least 3 times a week.  The older I get, the easier it is to gain weight and get out of shape, and the more difficult it is to lose it and get back in shape.  And by "exercise", I don't mean walk around the block.  Instead, I'm referring to something that causes you to sweat - running, biking, jumping rope, or resistance exercises (the Total Gym will work just fine!).  While I fantasize about training enough to run a 1/2 marathon in 2016, I'll be happy enough to just consistently exercise 3 times a week.
These are the goals.  Some are easy.  Some will span the entire year.  I probably won't meet them all, but they're a goal.

What are your goals for 2016?

I Had Low Expectations for the APEX Gaming Competition 2015 from ODTUG. Wow, Was I Ever Wrong!

Mon, 2015-11-23 16:27


When the APEX Gaming Competition 2015 was announced by Vincent Morneau from Insum at the ODTUG Kscope15 conference this past year, I was very suspect.  I've seen many contests over the years that always seemed to have very few participants, and only one or two people would really put forth effort.  Why would this "Gaming Competition" be any different?  Who has time for games, right?  Well...I could not have been more wrong.

I was given the honor of being a judge for the APEX Gaming Competition 2015, and not only did I get to see the front-end of these games, I also was able to see them behind the scenes as well - how they were constructed, how much of the database they used, how much of declarative APEX did they use, etc.  I was completely blown away by the creativity and quality of these games.  There were 15 games submitted, in all, and as I explained to the other judges, it was clear that people really put their heart and soul into these games.  I saw excellent programming practices, extraordinarily smart use of APEX, SQL and PL/SQL, and an unbelievable amount of creativity and inventiveness.

I hated having to pick "winners", because these were all simply a magnificent collection of modern Web development and Oracle Database programming.  If you haven't seen the actual games and the code behind them, I encourage you to take a look at any one of them.

I truly don't know how these people found the time to work on these games.  It takes time and effort to produce such high quality.  These are people who have day jobs and families and responsibilities and no time.  In an effort to simply acknowledge and offer our praise to these contributors, I'd like to list them all here (sorted by last name descending, just to be different):

Scott Wesley
Maxime Tremblay
Douglas Rofes
Anderson Rodrigues
Pavel
Matt Mulvaney
Jari Laine
Daniel Hochleitner
Marc Hassan
Nihad Hasković
Lev Erusalimskiy
Gabriel Dragoi
Nick Buytaert
Marcelo Burgos

Thanks to each of you for being such a great champion for the global #orclapex community.  You're all proud members of the #LetsWreckThisTogether club!

P.S.  Thanks to ODTUG for sponsoring this event and Vincent Morneau for orchestrating the whole contest.

If You're In Latvia, Estonia, Romania, Slovenia or Croatia, Oracle APEX is Coming to You!

Wed, 2015-09-16 21:04
In the first part of October, my colleague Vlad Uvarov and I are taking the Oracle APEX & Oracle Database Cloud message to a number of user groups who are graciously hosting us.  These are countries for which there is growing interest in Oracle Application Express, and we wish to help support these groups and aid in fostering their growing APEX communities.

The dates and locations are:

  1. Latvian Oracle User Group, October 5, 2015
  2. Oracle User Group Estonia, Oracle Innovation Day in Tallinn, October 7, 2015
  3. Romanian Oracle User Group, October 8, 2015
  4. Oracle Romania (for Oracle employees, at the Floreasca Park office), October 8-9, 2015
  5. Slovenian Oracle User Group, SIOUG 2015, October 12-13, 2015
  6. Croatian Oracle User Group, 20th HrOUG Conference, October 13-16, 2015

You should consider attending one of these user group meetings/conferences if:

  • You're a CIO or manager, and you wish to understand what Oracle Application Express is and if it can help you and your business.
  • You're a PL/SQL developer, and you want to learn how easy or difficult it is to exploit your skills on the Web and in the Cloud.
  • You come from a client/server background and you want to understand what you can do with your skills but in Web development and Cloud development.
  • You're an Oracle DBA, and you want to understand if you can use Oracle Application Express in your daily responsibilities.
  • You know nothing about Oracle Application Express and you want to learn a bit more.

The User Group meetings in Latvia, Estonia and Romania all include 2-hour instructor-led hands on labs.  All you need to bring is a laptop, and we'll supply the rest.  But you won't be merely watching an instructor drive their mouse.  You will be the ones building something real.  I guarantee that people completely new to APEX, as well as seasoned APEX developers, will learn a number of relevant skills and techniques in these labs.

If you have any interest or questions or concerns (or complaints!) about Oracle Application Express, and you are nearby, we would be very honored to meet you in person and assist in any way we can.  We hope you can make it!

ODTUG APEX Gaming Competition 2015

Thu, 2015-08-13 03:11
If you're not aware, there is an APEX Gaming Competition which is already underway, and which is sponsored by the Oracle Development Tools User Group (ODTUG).  For those who don't know what ODTUG is, it is an independent user group and community of professionals, with a primary focus on the tools, products, and frameworks to build solutions and applications with the Oracle technology stack.  Although ODTUG is based in the USA, they have members (thousands of them) around the globe.

The purpose of the APEX Gaming Competition is simply to show off what you can do with APEX, and instead of crafting a business solution or transactional application, the goal here is a bit more whimsical and fun.  The solution can be desktop or mobile or both.  Personally, if I had the time, I'd like to write a blackjack simulator and try and improve upon the basic strategy.  I'm not sure that could be classified as a "game", but it would enable me to go to Las Vegas and clean house!

If you're looking to make a name for yourself in the Oracle community, one way to do it is through ODTUG.  And if you're looking to make a name for yourself in the APEX community, one way to stand out is through the APEX Gaming Competition.  Just ask Robert Schaefer from Köln, Germany.  Robert won the APEX Theming Competition in 2014, and now everyone in the APEX Community knows who Robert is!  I've actually had the good fortune of meeting Robert in person - twice!

Yesterday I listened to the APEX Talkshow podcast with Jürgen Schuster and Shakeeb Rahman (Jürgen is a luminary in the APEX community and Shakeeb is on the Oracle APEX development team, he is the creator of the Universal Theme).  And in this podcast, I was reminded how Shakeeb's first introduction to Oracle was...by winning a competition, when he was a student!  You simply never know what the future holds.  So - whether you're a student or a professional, whether you're in Ireland or the Ivory Coast, this is an opportunity for you to shine in front of this wonderful global APEX Community.  Submissions close in 2 months, so hurry!  Go to http://competition.odtug.com

What is the APEX Open Mic Night at Kscope15?

Wed, 2015-05-20 21:32
At the upcoming ODTUG Kscope15 conference, on Monday night, June 22, there will be the Monday Community Events.  The Community Event for the Oracle Application Express track at Kscope15 is the ever-popular Open Mic Night.  Without a doubt, this is one of my favorite events at the Kscope conference.

An Oracle employee sent me an email today, inquiring about the Open Mic Night.  This employee, who is a user of Oracle Application Express at Oracle, will be attending the Kscope conference for the very first time.  As I replied to him in email:

Open Mic night will be on Monday evening, from 8:00P - 10:00P.  You would think that most people would call it a day (after a long day), but it's usually a packed room.

Open Mic night is the attendee's night to shine in front of their fellow attendees.  People are given roughly 5 - 10 minutes to show off what they've done with APEX - it's timed.  No PPT.  If you show a PowerPoint, you will be booed.  You're on stage, you plugin your laptop to a projector, and you present on a big screen.  It's just a great way for people in the #orclapex community to proudly show what they've accomplished.  I've seen some extraordinarily creative and professional solutions from our customers.

The time goes by fast, so you have to come prepared.  And the Oracle APEX team usually sponsors the beer for this event, so it can get a bit rowdy. ;)

If you're at Kscope15 for the APEX track, or even half-curious about APEX, it's a "must attend" event.

Here's a shot from last year's Open Mic Night:



Oracle Application Express 5 - The Unofficial Announcement

Wed, 2015-04-15 14:35
What started on a whiteboard in New York City more than 2 years ago is now finally realized.  I and the other members of the Oracle Application Express team proudly announce the release of Oracle Application Express 5.

The official blog posting and announcement is HERE.  But this is my personal blog, and the thoughts and words are my own, so I can be a bit more free.

Firstly, I don't ever want to see a release of Oracle Application Express take 2.5 years again, ever.  It's not good for Oracle, not good for Oracle Application Express, and certainly not good for the vast Oracle Application Express community.  We're going to strive, going forward, for a cadence of annual release cycles.  But with this said, I'm not about to apologize for the duration of the APEX 5 release cycle either.  It's broader and more ambitious than anything we've ever approached, and it happened the way it was supposed to happen.  Rather than say "redesigned", I'd prefer to use Shakeeb's words of "reimagined", because that's really what has transpired.  Not only has every one of the 1,945 pages that make up "internal APEX" (like the Application Builder) been visited, redesigned, and modernized, but the Page Designer is a radically different yet productive way to build and maintain your applications.  It takes time to iterate to this high level of quality.

At the end of the day, what matters most for developers is what they can produce with Oracle Application Express.  They'd gladly suffer through the non-Page Designer world and click the mouse all day, as long as what they produced and delivered made them a hero.  And I believe we have delivered on this goal of focusing on high-quality results in the applications you create.  I've seen my share of bad-looking APEX applications over the years, and with prior releases of APEX, we've essentially enabled the creation of these rather poor examples of APEX.  Not everyone is a Shakeeb or Marc.  I'm not.  But we've harnessed the talents of some of the brightest minds in the UI world, who also happen to be on the APEX development team, and delivered a framework that makes it easy for ordinary people like me to deliver beautiful, responsive and accessible applications, out-of-the-box.

What I'm most happy about is what this does for the Oracle Database.  I believe APEX 5 will make superheroes out of our Oracle Database and Oracle Database Cloud customers.  There is a massive wealth of functionality for application developers and data architects and citizen developers and everyone in-between, in the Oracle Database.  And all of it is a simple SQL or PL/SQL call away!  The Oracle Database is extraordinarily good at managing large amounts of data and helping people turn data into information.  And now, for customers to be able to easily create elegant UI and be able to beautifully visualize this information using Oracle Application Express 5, well...it's just an awesome combination.

I am blessed to work with some of the brightest, most focused, professional, talented, and yet humble people on the planet.  As my wife likes to say, they're all "quality people".  It truly takes an array of people who are deep in very different technologies to pull this off - Oracle Database design, data modeling, PL/SQL programming, database security, performance tuning, JavaScript programming, accessibility, Web security, HTML 5 design, CSS layout, graphic artistry, globalization, integration, documentation, testing, and on and on.  Both the breadth and depth of the talent to pull this off is staggering.

You might think that we get to take a breath now.  In fact, the fun only begins now and plenty of hard work is ahead for all of us.  But we look forward to the great successes of our many Oracle customers.  The #orclapex community is unrivaled.  And we are committed to making heroes out of every one of them.  That's the least we could do for the #orclapex community, such an amazingly passionate and vibrant collection of professionals and enthusiasts.

When anyone asks about the "watershed event" for Oracle Application Express, you can tell them that the day was April 15, 2015 - when Oracle Application Express 5 was released.

Joel

P.S.  #letswreckthistogether

The Ideal APEX Application (When & Where You Write Code)

Fri, 2015-03-06 01:23
The real title of this post should be "What I Really Meant to Say Was....".

Bob Rhubart of the Oracle Technology Network OTNArchBeat fame was kind enough to give me an opportunity to shoot a 2-minute Tech Tip.  I love Bob's goals for a 2-minute Tech Tip - has to be technical, can't be marketing fluff, and you have to deliver it in 120 seconds - no more, no less.  So I took some notes, practiced it out loud a couple times, and then I was ready.  But because I didn't want to sound like I was merely reading my notes, I ad-libbed a little and...crumbled under the clock.  I don't think I could have been more confusing and off the mark.  Oh...did I forget to mention that Bob doesn't like to do more than one take?



So if I could distill what I wished to convey into a few easily consumable points:
  1. Use the declarative features of APEX as much as possible, don't write code.  If you have to choose between writing something in a report region with a new template, or hammer out the same result with a lovingly hand-crafted PL/SQL region, opt for the former.  If you have a choice between a declarative condition (e.g., Item Not Null) or the equivalent PL/SQL expression, choose the declarative condition.  It will be faster at execution time, it will be easier to manage and report upon, it will be easier to maintain, it will be less pressure on your database with less parsing of PL/SQL.
  2. When you need to venture outside the declarative features of APEX and you need to write code in PL/SQL, be smart about it.  Define as much PL/SQL in statically compiled units (procedures, functions, packages) in the database and simply invoke them from your APEX application.  It will be easier to maintain (because it will simply be files that correspond to your PL/SQL procedures/functions/packages), it will be easier to version control, it will be easier to diff and promote, you can choose which PL/SQL optimization level you wish, you can natively compile, and it will be much more efficient on your database.
  3. Avoid huge sections of JavaScript and use Dynamic Actions wherever possible.  If you have the need for a lot of custom JavaScript, put it into a library and into a file, served by your Web Server (or, at a minimum, as a shared static file of your application).
  4. APEX is just a thin veneer over your database - architect your APEX applications as such.  Let the Oracle Database do the heavy lifting.  Your APEX application definition should have very little code. It should be primarily comprised of SQL queries and simple invocations of your underlying PL/SQL programs.

My rule of thumb - when you're editing code in a text area/code editor in the Application Builder of APEX and you see the scroll bar, it's time to consider putting it into a PL/SQL package.  And of course, if you catch yourself writing the same PL/SQL logic a second time, you should also consider putting it into a PL/SQL package.

There's more to come from the Oracle APEX team on @OTNArchBeat.

Some changes to be aware of, as Oracle Application Express 5 nears...

Tue, 2015-02-10 06:25
As the release of Oracle Application Express 5 gets closer, I thought it's worth pointing out some changes that customers should be aware of, and how an upgrade to Oracle Application Express 5 could impact their existing applications.


  1. As Trent Schafer (@trentschafer) noted in his latest blog post, "Reset an Interactive Report (IR)", there have been numerous customer discussions and blog posts which show how to directly use the gReport JavaScript object to manipulate an Interactive Report.  The problem?  With the massive rewrite to support multiple Interactive Reports in Oracle Application Express 5, gReport no longer exists.  And as Trent astutely points out, gReport isn't documented.  And that's the cautionary tale here - if it's not documented, it's not considered supported or available for use and is subject to change, effectively without notice.  While I appreciate the inventiveness of others to do amazing things in their applications, and share that knowledge with the Oracle APEX community, you must be cautious in what you adopt.
  2. In the rewrite of Interactive Reports, the IR component was completely revamped from top to bottom.  The markup used for IRs in APEX 5 is dramatically improved:  less tables, much smaller and more efficient markup, better accessibility, etc.  However, if you've also followed this blog post from Shakeeb Rahman (@shakeeb) from 2010, and directly overrode the CSS classes used in Interactive Reports, that will no longer work in IRs in APEX 5.  Your custom styling by using these classes will not have any effect.
  3. As the Oracle Application Express 5 Beta documentation enumerates, there is a modest list of deprecated features and a very small list of features which are no longer supported.  "Deprecated" means "will still work in APEX 5, but will go away in a future release of APEX, most likely the next major release of APEX".  In some cases, like the deprecated page attributes for example, if you have existing applications that use these attributes, they will still function as in earlier releases of APEX, but you won't have the ability to set it for new pages.  Personally, I'm most eager to get rid of all uses of APEX_PLSQL_JOB - customers should use SYS.DBMS_SCHEDULER - it's far richer in functionality.
Please understand that we have carefully considered all of these decisions - even labored for days, in some cases.  And while some of these changes could be disruptive for existing customers, especially if you've used something that is internal and not documented, we would rather have the APEX Community be made aware of these changes up front, rather than be silent about it and hope for the best.

From Zero to Hero....In About 2 Hours

Wed, 2014-12-03 11:23


This is an example of a real-world problem, an opportunistic one, being solved via a mobile application created with Oracle Application Express.

First, a brief bit of background.  Our son is 9 years old and is in the Cub Scouts.  Cub Scouts in the United States is an organization that is associated with Boy Scouts of America.  It's essentially a club that is geared towards younger boys, and teaches them many valuable skills - hiking, camping out, shooting a bow and arrow, tying different knots, nutrition, etc.  This club has a single fundraiser every year, where the boys go door-to-door selling popcorn, and the proceeds of the popcorn sale fund the activities of the Cub Scouts local group for the next year.  There is a leader who organizes the sale of this popcorn for the local Cub Scout group, and this leader gets the unenvious title of "Popcorn Kernel".  For the past 2 years, I've been the "Popcorn Kernel" for our Cub Scout Pack (60 Scouts).

I was recently at the DOAG Konferenz in Nürnberg, Germany and it wasn't until my flight home that I began to think about how I was going to distribute the 1,000 items to 60 different Scouts.  My flight home from Germany was on a Sunday and I had pre-scheduled the distribution of all of this popcorn to all 60 families on that next day, Monday afternoon.  Jet lag would not be my friend.

The previous year, I had meticulously laid out 60 different orders across a large meeting room and let the parents and Scouts pick it up.  This year, I actually had 4 volunteer helpers, but I had no time.  All I had in my possession was an Excel spreadsheet which was used to tally the orders across all 60 Cub Scouts.   But I knew I could do better than 60 pieces of paper, which was the "solution" last year.

On my flight home, on my iPad, I sketched out the simple 4-page user interface to locate and manage the orders.  As well, I wrote the DDL on my iPad for a single table.  Normally, I would use SQL Developer Data Modeler as my starting point, but this application and design needed to be quick and simple, so a single denormalized table was more than sufficient.



Bright and early on Monday morning, I logged into an existing workspace on apex.oracle.com.  I created my single table using the Object Browser in SQL Commands, created a trigger on this table, uploaded the spreadsheet data into this table, and then massaged the data using some DML statements in SQL Commands.  Now that my table and data were complete, it was now time for my mobile application!

I created a simple Mobile User Interface application with navigation links on the home page.  There are multiple "dens" that make up each group in a Cub Scout Pack, and these were navigation aids as people would come and pick up their popcorn ("Johnny is in the Wolf Den").  These ultimately went to the same report page but with different filters.



Once a list view report was accessed, I showed the Scout's name, the total item count for them, and then via a click, drill down to the actual number of items to be delivered to the Scout.  Once the items were handed over and verified, the user of this application had to click a button to complete the order.  This was the only DML update operation in the entire application.



I also added a couple charts to the starting page, so we could keep track of how many orders for each den had already been delivered and how many were remaining.



I also added a chart page to show how many of each item was remaining, at least according to our records. This enabled us to do a quick "spot check" at any given point in time, and assess if the current inventory we had remaining was also accurately reflected in our system.  It was invaluable!  And remember - this entire application was all on a single table in the Oracle Database.  At one point in time, 8 people were all actively using this system - 5 to do updates and fulfill orders, and the rest to simply view and monitor the progress from their homes.  Concurrency was never even a consideration.  I didn't have to worry about it.



Now some would say that this application:
  • isn't pixel perfect
  • doesn't have offline storage
  • isn't natively running on the device
  • can't capitalize on the native features of the phone
  • doesn't have a badge icon
  • isn't offered in a store

And they would be correct.  But guess what?  None of it mattered.  The application was used by 5 different people, all using different devices, and I didn't care what type of devices they were using.  They all thought it was rocket science.  It looked and felt close enough to a native application that none of them noticed nor cared.  The navigation and display were consistent with what they were accustomed to.  More importantly, it was a vast improvement over the alternative - consisting of either a piece of paper or, worse yet, 5 guys huddling around a single computer looking at a spreadsheet.  And this was something that I was able to produce, starting from nothing to completed solution, in about two hours.  If I hadn't been jet lagged, I might have been able to do it in an hour.

You might read this blog post and chuckle to yourself.  How possibly could this trivial application for popcorn distribution to Cub Scouts relate to a "real" mobile enterprise application?  Actually, it's enormously relevant.

  • For this application, I didn't have to know CSS, HTML or mobile user interfaces.
  • I only needed to know SQL.  I wrote no PL/SQL.  I only wrote a handful of SQL queries for the list views, charts, and the one DML statement to update the row.
  • It was immediately accessible to anyone with a Web browser and a smart phone (i.e., everyone).
  • Concurrency and scalability were never a concern.  This application easily could have been used by 1,000 people and I still would not have had any concern.  I let the Oracle Database do the heavy lifting and put an elegant mobile interface on it with Oracle Application Express.

This was a simple example of an opportunistic application.  It didn't necessarily have to start from a spreadsheet to be opportunistic.  And every enterprise on the planet (including Oracle) has a slew of application problems just like this, and which today are going unsolved.  I went from zero to hero to rocket scientist in the span of two hours.  And so can you.

A demo version of this application (with fictitious names) is here.  I left the application as is - imperfect on the report page and the form (I should have used a read-only display).  Try it on your own mobile device.

Is Oracle Application Express supported?

Wed, 2014-10-08 13:38

Time to clear up some confusion.

In the past 60 days, I have encountered the following:
  • Two different customers who said they were told by Oracle Support that "APEX isn't supported."
  • An industry analyst who asked "Is use of Oracle Application Express supported?  There is an argument internally that it cannot be used for production applications."
  • A customer who was told by an external non-Oracle consultant "Oracle Application Express is good for a development environment but we don't see it being used in production."  I'm not even sure what that means.
To address these concerns as a whole, let me offer the following:
  1. Oracle Application Express is considered a feature of the Oracle Database.  It isn't classified as "free", even though there is no separate licensing fee for it.  It is classified as an included feature of the Oracle Database, no differently than XML DB, Oracle Text, Oracle Multimedia, etc.
  2. If you are licensed and supported for your Oracle Database, you are licensed and supported (by Oracle Support) for Oracle Application Express in that database.  Many customers aren't even aware that they are licensed for it.
  3. If you download a later version of Oracle Application Express made available for download from the Oracle Technology Network and install it into your Oracle Database, as long as you are licensed and supported for that Oracle Database, you are licensed and supported (by Oracle Support) for Oracle Application Express in that database.
  4. Oracle Application Express is listed in the Lifetime Support Policy: Oracle Technology Products document.

As far as the customers who believed they were told directly by Oracle Support that Oracle Application Express isn't supported, there was a common misunderstanding.  In their Service Requests to Oracle Support, they were told that Oracle REST Data Services (formerly called Oracle Application Express Listener, the Web front-end to Oracle Application Express) running in stand-alone mode isn't supported.  This is expressed in the Oracle REST Data Services documentation.  However, this does not pertain to the supportability of Oracle Application Express.  Additionally, a customer can run Oracle REST Data Services in a supported fashion in specific versions of Oracle WebLogic Server, Glassfish Server, and Apache Tomcat.  To reiterate - running Oracle REST Data Services in standalone mode is the one method which is not supported in production deployments, as articulated in the documentation - however, you can run it supported in Oracle WebLogic Server, Glassfish Server and Apache Tomcat.

Oracle Application Express has been a supported feature of the Oracle Database since 2004, since it first shipped as Oracle HTML DB 1.5 in Oracle Database 10gR1.  Every subsequent version of Oracle Application Express has been supported by Oracle Support when run in a licensed and supported Oracle Database.  Anyone who says otherwise is...confused.

Pages