Oracle Application Express Security
Authentication
• Out-of-the-Box Pre-Configured Schemes
  • LDAP Directory credentials
  • Oracle Application Server Single Sign-On
  • Open door credentials
  • Application Express accounts
  • Database Account credentials
  • No Authentication (using DAD)
• Custom Authentication
  • Customizable session management logic
    • Use or modify the built-in page sentry (session verification function)
    • Develop a custom sentry (examples provided)
  • Custom PL/SQL credentials verification
    • Accepts user name and password; returns Boolean
    • Only executed once per session
© 2009 Oracle Corporation
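A credentials verification function of the shape the slide describes (takes user name and password, returns Boolean), written here as an added illustration rather than code from the deck or from Oracle. It assumes a hypothetical APP_USERS table holding a per-user salt and a SHA-256 hash, EXECUTE privilege on DBMS_CRYPTO for the parsing schema, and Oracle 12c or later for DBMS_CRYPTO.HASH_SH256.

```plsql
-- Assumed table (constructed for this example, not from the slides):
--   CREATE TABLE app_users (
--     username  VARCHAR2(64) PRIMARY KEY,
--     salt      RAW(16)  NOT NULL,
--     pw_hash   RAW(32)  NOT NULL,            -- SHA-256 over salt || password
--     is_locked CHAR(1)  DEFAULT 'N' NOT NULL
--   );
CREATE OR REPLACE FUNCTION custom_auth (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN
IS
  l_salt   app_users.salt%TYPE;
  l_hash   app_users.pw_hash%TYPE;
  l_locked app_users.is_locked%TYPE;
  l_calc   RAW(32);
BEGIN
  -- Refuse empty credentials outright so a NULL never compares as "no password".
  IF p_username IS NULL OR p_password IS NULL THEN
    RETURN FALSE;
  END IF;

  SELECT salt, pw_hash, is_locked
    INTO l_salt, l_hash, l_locked
    FROM app_users
   WHERE username = UPPER(p_username);

  -- A locked account fails closed regardless of the password supplied.
  IF l_locked = 'Y' THEN
    RETURN FALSE;
  END IF;

  -- Recompute SHA-256(salt || password); the cleartext is never stored or logged.
  l_calc := DBMS_CRYPTO.HASH(
              src => UTL_RAW.CONCAT(l_salt,
                       UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
              typ => DBMS_CRYPTO.HASH_SH256);

  -- UTL_RAW.COMPARE returns 0 only when both RAW values are identical.
  RETURN UTL_RAW.COMPARE(l_calc, l_hash) = 0;
EXCEPTION
  -- Unknown user and any other failure collapse to the same answer, so the
  -- login page reveals nothing about which part of the credential was wrong.
  WHEN NO_DATA_FOUND THEN
    RETURN FALSE;
  WHEN OTHERS THEN
    RETURN FALSE;
END custom_auth;
/
```

Register the function name as the Authentication Function in a Custom authentication scheme; APEX calls it once per session, as the slide notes, so there is no need to cache the result yourself.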
Managing User Access
• Authorization
  • Pass / fail checks, cached to improve performance
  • Can be associated with any component (e.g. application, page, button, validation, item)
  • Various types (e.g. Exists, SQL Query, PL/SQL Function)
• Session State Protection
  • Prevents URL tampering
  • Utilizes an MD5 checksum
• Use database security features independently of APEX
  • Fine Grained Access Control (aka VPD), Transparent Data Encryption, Database Vault, Advanced Security Option, etc.
  • No APEX development effort required
Administrator Best Practices
• Considerations with the Embedded PL/SQL Gateway
  • Uses the XML DB HTTP Protocol Listener, which is part of the database
  • Not recommended for internet-facing applications
• Configuring Oracle HTTP Server with mod_plsql
  • Configured using Database Access Descriptors (DADs)
  • Use PlsqlRequestValidationFunction to allow only the specified procedures
• Utilizing Secure Sockets Layer (SSL)
  • Implemented using the HTTPS protocol, which encrypts sent and received packets
  • Prevents data from being sent over an unprotected communication channel
• APEX Runtime-Only Environment
  • Scripts provided to completely remove / re-install Application Builder
  • Removes the web interface for administration and application development
• Setting Password Complexity Rules
  • Can set multiple complexity rules and re-use rules across the instance
• Using Session Timeout
  • Set maximum session length and idle time for APEX developer log-ins
Developer Best Practices
• Understand items of type Password
  • Don't emit the entered text to the screen
  • Should not save state, or should use item encryption if saving to the DB
  • Reports are provided to identify at-risk Password items
• Using Zero as Session ID
  • Critical for PUBLIC applications to ensure no cross-user contamination
  • Session ID is not included in the application URL
• Cross-Site Scripting Protection
  • Protect HTML regions and other static areas
    • Use &ITEM. notation to reference session state variables
    • Select the best item types based on the protection required
  • Protect dynamic output
    • Explicitly escape session state when emitting it, e.g. htp.p(htf.escape_sc(v('SOME_ITEM')));
  • Protect report regions
    • References in headings and messages are escaped based on item type
Developer Best Practices
• Session State Protection
  • Clear session state of unneeded values using the Clear Cache built-ins
  • Enable Session State Protection to prevent URL tampering
  • Set appropriate protection for pages, items and application items using built-ins
• Utilize Application Session Time-Outs
  • Build a public page for users to land on when the session has expired
  • Set Maximum Session Length and Maximum Session Idle times
• Save State before Branching
  • Use the Branch checkbox to save session state values prior to branching
  • Session state values will then not be displayed in the branch URL
• Saving sensitive item values (e.g. SSN)
  • Use the item checkbox to store the value encrypted in session state
  • Stores values encrypted in the APEX session state table
  • When storing sensitive data in the database, encrypt the table columns
  • Encrypting table columns is completely independent of APEX