Introduction to MapViewer 1-43
3. Create a MapViewer data source to the schema, providing the name of the PL/SQL package as part of the data source definition. This is considered a secured data source.
4. Create MapViewer themes that are based on the views created in step 2.
5. Establish Web authentication for users accessing your MapViewer application page or pages, so that when a map request reaches the MapViewer servlet, the Web session object should contain an authenticated user's identity.
6. Issue map and FOI (feature of interest) requests that view the themes defined in step 4, either directly or through the use of base maps and Oracle Maps. MapViewer will automatically pass the user identity to the database using the PL/SQL package before it executes any query for these themes. Only those rows that are visible to the identified user will be returned from the database and rendered by MapViewer.
Section 1.8.1 explains how secure map rendering works and provides implementation details and examples. Section 1.8.3 describes some options for authenticating users and refers to a supplied demo.
1.8.1 How Secure Map Rendering Works
MapViewer, as a J2EE application, can obtain the identity of a web user that has been authenticated to Oracle Fusion Middleware or Oracle Single Sign-On (SSO). This user information can then be preserved and propagated to the database, where secure access to map layers and tables can be set up based on the user identity. For example, a database administrator (DBA) can create a view of a base table that selects only those spatial features visible to a specific user.
To pass the Web user identity from Oracle Fusion Middleware or Oracle Single Sign-On (SSO) to the database, use a secure PL/SQL package that sets the user identity in the database. This PL/SQL package is created by a DBA or application developer and installed in the data source schema. Such a package can have any number of procedures and functions, but it must contain at least the following two procedures:
■ set_user(username)
■ clear_user
Whenever a theme is requested from a secured data source, MapViewer invokes the set_user procedure in the associated PL/SQL package before it executes any data query for the theme, and it invokes the clear_user procedure when the querying process is complete for the theme.
Example 1–3 shows a PL/SQL package that you can use for secure map rendering. You can create this package in the example MVDEMO schema.
Example 1–3 PL/SQL Package for Secure Map Rendering
CREATE OR REPLACE PACKAGE web_user_info AS
  PROCEDURE set_user (p_name IN VARCHAR2);
  PROCEDURE clear_user;
  FUNCTION get_user RETURN VARCHAR2;
END;
/
CREATE OR REPLACE PACKAGE BODY web_user_info AS
  w_name VARCHAR2 (32767);  -- user identity held for the current database session
  PROCEDURE set_user (p_name IN VARCHAR2) AS
  BEGIN
    w_name := LOWER (p_name);  -- identity is stored in lowercase
  END;
  PROCEDURE clear_user AS
  BEGIN
    w_name := null;
  END;
  FUNCTION get_user RETURN VARCHAR2 AS
  BEGIN
    RETURN w_name;
  END;
END;
/
1-44 Oracle Fusion Middleware User's Guide for Oracle MapViewer
In Example 1–3, set_user and clear_user are two required methods, and get_user is a convenience function that can be used in creating views or for other data access control purposes.
After you create the package (which essentially contains the user identity for the current database session), you can set up an elaborate virtual private database that uses this user information (see Oracle Database Security Guide for information about using Oracle Virtual Private Database, or VPD). For simplicity, however, this section does not discuss VPD creation, but shows that you can create views that use this user information to enforce data access control.
For example, in the example MVDEMO schema you can add a column named ACCOUNT_MGR to the existing CUSTOMERS table, and assign an account manager to each customer stored in this table. You can then create a view that returns only customer rows for a specific account manager, as shown in Example 1–4.
Example 1–4 View for Secure Map Rendering
CREATE OR REPLACE VIEW customers_view AS
  SELECT * FROM customers WHERE account_mgr = web_user_info.get_user;
You can now define a MapViewer theme based on this view, so that whenever account managers log in and want to view customer data on a map, each will only see his or
her own customers.
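The per-session behavior of this view can be checked from SQL*Plus before any theme is defined on it. The script below is an added example, not part of the original guide; it assumes the package from Example 1–3 is installed in MVDEMO, and the manager names alice and bob and the ROWNUM-based assignment are assumptions made for illustration.

```sql
-- Added example, not from the guide. Assumes Example 1-3 is installed in MVDEMO.
-- Manager names 'alice'/'bob' and the ROWNUM-based split are illustrative.
SET SERVEROUTPUT ON

ALTER TABLE customers ADD (account_mgr VARCHAR2(30));

-- set_user stores LOWER(p_name), so manager names are stored in lowercase;
-- a mixed-case value in account_mgr would never match get_user.
UPDATE customers
   SET account_mgr = CASE MOD(ROWNUM, 2) WHEN 0 THEN 'alice' ELSE 'bob' END;
COMMIT;

-- View from Example 1-4, created once the column exists.
CREATE OR REPLACE VIEW customers_view AS
  SELECT * FROM customers WHERE account_mgr = web_user_info.get_user;

DECLARE
  n_total PLS_INTEGER;
  n_alice PLS_INTEGER;
  n_bob   PLS_INTEGER;
  n_none  PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO n_total FROM customers;

  -- Same call sequence MapViewer makes around a theme query.
  web_user_info.set_user('Alice');   -- mixed case on purpose
  SELECT COUNT(*) INTO n_alice FROM customers_view;
  web_user_info.clear_user;

  web_user_info.set_user('bob');
  SELECT COUNT(*) INTO n_bob FROM customers_view;
  web_user_info.clear_user;

  -- No identity set: w_name is NULL and "account_mgr = NULL" is never true.
  SELECT COUNT(*) INTO n_none FROM customers_view;

  DBMS_OUTPUT.PUT_LINE('base table rows: ' || n_total);
  DBMS_OUTPUT.PUT_LINE('alice: ' || n_alice || ', bob: ' || n_bob);
  DBMS_OUTPUT.PUT_LINE('no identity: ' || n_none);

  -- Each user's rows must be disjoint, and a cleared session must see nothing.
  IF n_alice + n_bob <> n_total OR n_none <> 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'customers_view does not partition rows by user');
  END IF;
END;
/
```

Queries issued directly against CUSTOMERS in the same schema are not filtered; the restriction applies only to themes defined on customers_view.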
After you have installed the PL/SQL package, you can pass the name of this package to MapViewer as part of the definition of a data source by using the plsql_package attribute, as shown in Example 1–5.
Example 1–5 Data Source Definition for Secure Map Rendering
<map_data_source name="mvdemo"
  jdbc_host="stadb32.us.oracle.com"
  jdbc_sid="mv"
  jdbc_port="15214"
  jdbc_user="mvdemo"
  jdbc_password="password"
  jdbc_mode="thin"
  number_of_mappers="3"
  allow_jdbc_theme_based_foi="true"
  plsql_package="web_user_info"
/>
When you specify a PL/SQL package name in a data source definition, MapViewer flags the data source as a secure data source, and it automatically invokes the package's set_user and clear_user procedures whenever performing any theme queries on the data source.
1.8.2 Getting the User Name from a Cookie