
Presentation Transcript


  1. Oracle Application Express Security

  2. Authentication
     • Out-of-the-Box Pre-Configured Schemes
       • LDAP Directory credentials
       • Oracle Application Server Single Sign-On
       • Open door credentials
       • Application Express accounts
       • Database Account credentials
       • No Authentication (using DAD)
     • Custom Authentication
       • Customizable session management logic
         • Use or modify the built-in page sentry (session verification function)
         • Develop a custom sentry (examples provided)
       • Credentials verification in custom PL/SQL
         • Accepts user name and password; returns Boolean
         • Only executed once per session
     © 2009 Oracle Corporation
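The credentials verification function described on this slide, as an added example that is not part of the original deck: a custom authentication function that APEX calls once per session with the submitted user name and password and that returns a Boolean. It assumes a table APP_USERS created here, EXECUTE on DBMS_CRYPTO granted by SYS, and Oracle 12c or later for DBMS_CRYPTO.HASH_SH256 (on 11g substitute HASH_SH1); the function and table names are illustrative.

```sql
-- Added example, not from the slides: credential verification for an APEX
-- "Custom" authentication scheme. Assumed table APP_USERS, assumed grant on
-- DBMS_CRYPTO, assumed 12c+ for HASH_SH256.
create table app_users (
  username  varchar2(128) primary key,   -- stored uppercased
  salt      raw(16)       not null,      -- per-user random salt
  pw_hash   raw(32)       not null,      -- SHA-256(salt || password)
  is_active char(1)       default 'Y' not null
);

create or replace function app_hash_password(
  p_password in varchar2,
  p_salt     in raw
) return raw is
begin
  return dbms_crypto.hash(
           src => utl_raw.concat(p_salt,
                                 utl_i18n.string_to_raw(p_password, 'AL32UTF8')),
           typ => dbms_crypto.hash_sh256);
end app_hash_password;
/

create or replace procedure app_register_user(
  p_username in varchar2,
  p_password in varchar2
) is
  l_salt raw(16) := dbms_crypto.randombytes(16);
begin
  insert into app_users (username, salt, pw_hash)
  values (upper(p_username), l_salt, app_hash_password(p_password, l_salt));
end app_register_user;
/

-- The function named in the authentication scheme's "Authentication Function"
-- attribute (as: return app_authenticate;). Only the hash is ever compared.
create or replace function app_authenticate(
  p_username in varchar2,
  p_password in varchar2
) return boolean is
  l_salt raw(16);
  l_hash raw(32);
begin
  select salt, pw_hash
    into l_salt, l_hash
    from app_users
   where username  = upper(p_username)
     and is_active = 'Y';
  -- UTL_RAW.COMPARE returns 0 when the two RAW values are identical.
  return utl_raw.compare(app_hash_password(p_password, l_salt), l_hash) = 0;
exception
  when no_data_found then
    -- Unknown or inactive user: compute a hash anyway so the response time does
    -- not reveal whether the user name exists, then fail closed.
    l_hash := app_hash_password(p_password,
                                hextoraw('00000000000000000000000000000000'));
    return false;
end app_authenticate;
/
```

Because APEX runs this function only once per session, a slow, salted hash costs nothing on subsequent page views; the plaintext password never reaches a table or a log.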

  3. Managing User Access
     • Authorization
       • Pass / Fail checks, cached to improve performance
       • Can be associated with any component (e.g. application, page, button, validation, item)
       • Various types (e.g. Exists, SQL Query, PL/SQL Function)
     • Session State Protection
       • Prevents URL tampering
       • Utilizes an MD5 checksum
     • Agnostically use Database Security Features
       • Fine Grained Access Control (aka VPD), Transparent Data Encryption, Database Vault, Advanced Security Option, etc.
       • No APEX development effort required
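The "no APEX development effort required" point on this slide, shown as an added example that is not from the original deck: a Fine Grained Access Control (VPD) policy that restricts an ORDERS table to the current APEX user, so a report whose query is simply `select * from orders` shows each user only their own rows. It assumes Enterprise Edition, EXECUTE on DBMS_RLS granted to the parsing schema, the ORDERS table created here, and an OWNER column holding the APEX user name uppercased; all names are illustrative.

```sql
-- Added example, not from the slides: row-level security enforced by the
-- database rather than by APEX code. Assumed table ORDERS, assumed grant on
-- DBMS_RLS, assumed OWNER stores the uppercased APEX user name.
create table orders (
  order_id number        primary key,
  owner    varchar2(128) not null,
  amount   number
);

-- Policy function. VPD calls it with the schema and object name and appends
-- the returned predicate to every statement against ORDERS. Outside an APEX
-- session v('APP_USER') is NULL, so "owner = NULL" matches nothing: the
-- policy fails closed for direct database connections.
create or replace function orders_owner_policy(
  p_schema in varchar2,
  p_object in varchar2
) return varchar2 is
begin
  return q'[owner = upper(v('APP_USER'))]';
end orders_owner_policy;
/

begin
  dbms_rls.add_policy(
    object_schema   => user,
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWNER_ONLY',
    function_schema => user,
    policy_function => 'ORDERS_OWNER_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    -- apply the predicate to rows being written too, so a user cannot insert
    -- or update a row they would not be allowed to read back
    update_check    => true);
end;
/
```

The APEX report, form and any ad hoc query all hit the same policy, which is the point of pushing the check into the database: a developer who forgets a WHERE clause cannot leak another user's orders.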

  4. Administrator Best Practices
     • Considerations with the Embedded PL/SQL Gateway
       • Uses the XML DB HTTP Protocol Listener, which is part of the database
       • Not recommended for internet-facing applications
     • Configuring Oracle HTTP Server with mod_plsql
       • Configured using Database Access Descriptors (DADs)
       • Use PlsqlRequestValidationFunction to allow only specified procedures
     • Utilizing Secure Sockets Layer (SSL)
       • Implemented using the HTTPS protocol, which encrypts sent / received packets
       • Prevents data from being sent over an unprotected communication channel
     • APEX Runtime-Only Environment
       • Scripts provided to completely remove / re-install the Application Builder
       • Removes the Web interface for administration and application development
     • Setting Password Complexity Rules
       • Can set multiple complexity rules / re-use rules across the instance
     • Using Session Timeout
       • Set maximum session length and idle time for APEX developer log-ins
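The PlsqlRequestValidationFunction bullet above, as an added example that is not from the original deck. It assumes the dads.conf wiring the APEX installation guide of that era described (the DAD names `wwv_flow_epg_include_modules.authorize` as its validation function, and that function allows APEX's own public entry points such as `f` and `p`, then delegates anything else to a customer-owned hook `wwv_flow_epg_include_mod_local` created in the APEX engine schema). The one extra procedure allowed here, MY_SCHEMA.PUBLIC_REPORT, is illustrative.

```sql
-- Added example, not from the slides: restricting which procedures mod_plsql
-- will execute through the APEX DAD.
--
-- Assumed dads.conf fragment (per the APEX installation guide of the time):
--
--   <Location /pls/apex>
--     ...
--     PlsqlRequestValidationFunction  wwv_flow_epg_include_modules.authorize
--   </Location>
--
-- mod_plsql passes the requested procedure name to that function before
-- running it. Anything that is not an APEX entry point reaches this hook,
-- which must be created in the APEX engine schema (assumption).
create or replace function wwv_flow_epg_include_mod_local(
  procedure_name in varchar2
) return boolean is
  l_name varchar2(255) := upper(procedure_name);
begin
  -- Explicit allow list. Do not use LIKE 'MY_SCHEMA.%' here: that would expose
  -- every procedure in the schema to anyone who can reach the DAD, including
  -- procedures that were never meant to be called from a browser.
  if l_name in ('MY_SCHEMA.PUBLIC_REPORT') then
    return true;
  end if;
  return false;
end wwv_flow_epg_include_mod_local;
/
```

A quick check after deploying: requesting `/pls/apex/my_schema.some_other_proc` must return an error, while `/pls/apex/f?p=...` and `/pls/apex/my_schema.public_report` still work.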

  5. Developer Best Practices
     • Understand Items of type Password
       • Don't emit entered text to the screen
       • Should not save state, or should use Item encryption if saving to the DB
       • Reports are provided to identify at-risk Password items
     • Using Zero as Session ID
       • Critical for PUBLIC applications to ensure no cross-user contamination
       • Session ID not included in the application URL
     • Cross-Site Scripting Protection
       • Protect HTML Regions and other static areas
         • Use &ITEM. notation to reference session state variables
         • Select the best Item types based on the protection required
       • Protect Dynamic Output
         • Explicitly escape when emitting session state, e.g. htp.p(htf.escape_sc(v('SOME_ITEM')));
       • Protect Report Regions
         • References in headings and messages are escaped based on Item type
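The "Protect Dynamic Output" bullet above, as an added example that is not from the original deck: a PL/SQL dynamic content region that reflects an item value, first unescaped and then in the hardened form the slide recommends. The item name P1_NAME and the procedure names are illustrative.

```sql
-- Added example, not from the slides: reflecting session state from a
-- "PL/SQL Dynamic Content" region. Assumed item P1_NAME.

-- VULNERABLE: the item value is written into the page as HTML. If a user
-- submitted '<script>alert(document.cookie)</script>' as their name, every
-- page that renders this region executes it.
create or replace procedure render_greeting_unsafe(p_name in varchar2) is
begin
  htp.p('<p>Hello ' || p_name || '</p>');
end render_greeting_unsafe;
/

-- HARDENED: escape at output time. htf.escape_sc converts the HTML
-- metacharacters to entities, so the same input is displayed as text.
-- The stored value is left untouched; escaping belongs where data meets HTML.
create or replace procedure render_greeting_safe(p_name in varchar2) is
begin
  htp.p('<p>Hello ' || htf.escape_sc(p_name) || '</p>');
end render_greeting_safe;
/

-- Region source:
--   render_greeting_safe(v('P1_NAME'));
--
-- Attribute context: always quote the attribute and escape inside it.
--   htp.p('<input type="text" value="' || htf.escape_sc(v('P1_NAME')) || '">');
```

The point of keeping escaping at the output step is that the same value may later be emitted into a report heading, a JavaScript string or a URL, each of which needs its own encoding; escaping on input would leave the stored data mangled and still miss those other contexts.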

  6. Developer Best Practices
     • Session State Protection
       • Clear session state of unneeded values using the Clear Cache built-ins
       • Enable Session State Protection to prevent URL tampering
       • Set appropriate protection for Pages, Items and Application Items using the built-ins
     • Utilize Application Session Time-Outs
       • Build a public page for users to land on when the session has expired
       • Set Maximum Session Length and Maximum Session Idle times
     • Save State before Branching
       • Use the Branch checkbox to save session state values prior to branching
       • Session state values will then not be displayed in the Branch URL
     • Saving sensitive Item values (e.g. SSN)
       • Use the Item checkbox to store the value encrypted in session state
       • Stores values encrypted in the APEX session state table
       • For storing sensitive data in the database, encrypt the table columns
       • Encrypting table columns is completely independent of APEX
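The Session State Protection and column encryption bullets on this slide, as an added example that is not from the original deck: a function that builds a link to a protected page with the checksum APEX requires, using the Clear Cache position to drop stale values, followed by the Transparent Data Encryption statement that protects a sensitive column independently of APEX. It assumes page 2 of the current application has Page Access Protection "Arguments Must Have Checksum", item P2_ORDER_ID has Session State Protection "Checksum Required - Session Level", an existing CUSTOMERS table with an SSN column, and an open TDE wallet; all names are illustrative.

```sql
-- Added example, not from the slides. Assumed: SSP enabled on page 2 and
-- P2_ORDER_ID, an existing CUSTOMERS(SSN) table, TDE wallet open.
create or replace function order_detail_link(p_order_id in number)
  return varchar2 is
  l_url varchar2(4000);
begin
  -- f?p=App:Page:Session:Request:Debug:ClearCache:ItemNames:ItemValues
  -- ClearCache = 2 wipes page 2's session state before P2_ORDER_ID is set,
  -- so a value left over from a previous order cannot survive into this one.
  l_url := 'f?p=' || v('APP_ID') || ':2:' || v('APP_SESSION')
        || '::NO:2:P2_ORDER_ID:' || p_order_id;
  -- prepare_url appends the checksum (&cs=...) that Session State Protection
  -- validates on page 2. A URL whose P2_ORDER_ID value was edited by hand no
  -- longer matches its checksum and APEX rejects the request.
  return apex_util.prepare_url(l_url);
end order_detail_link;
/

-- Report query using the link. The bare f?p string without prepare_url is
-- rejected once protection is turned on, which is how you notice links you
-- forgot to convert.
--   select order_id, order_detail_link(order_id) as detail_link
--     from orders

-- The APEX "store encrypted" checkbox only covers session state. Data at rest
-- in the table is encrypted by the database (Transparent Data Encryption,
-- part of the Advanced Security Option), with no APEX involvement:
alter table customers modify (ssn encrypt using 'AES256');
```

Every link to a protected page must go through prepare_url (or the equivalent builder-generated links); the checksum is what turns the item-level setting from a declaration into an enforced check.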
