Oracle Application Express Security

© 2009 Oracle Corporation


Authentication

• Out-of-the-Box Pre-Configured Schemes
  • LDAP Directory credentials
  • Oracle Application Server Single Sign-On
  • Open door credentials
  • Application Express accounts
  • Database Account credentials
  • No Authentication (using DAD)

• Custom Authentication
  • Customizable session management logic
    • Use or modify the built-in page sentry (session verification function)
    • Develop a custom sentry (examples provided)
  • Credentials verification in custom PL/SQL
    • Accepts user name and password; returns Boolean
    • Only executed once per session
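The custom credentials-verification function the slide describes, written out as an added example (it is not code from this deck). It follows the contract stated above: it accepts a user name and a password, returns a Boolean, and is registered as the authentication scheme's authentication function so APEX calls it once per session. The app_users table, the hash_password and set_app_user_password helpers, and the is_locked flag are all constructed for this example; executing DBMS_CRYPTO requires a grant from SYS.

```plsql
-- Constructed user store for this example; the real table and column names are assumptions.
create table app_users (
    username       varchar2(255) primary key,    -- stored upper-case, like APEX's APP_USER
    salt           raw(16)       not null,       -- per-user random salt
    password_hash  raw(20)       not null,       -- SHA-1(salt || password), see hash_password
    is_locked      varchar2(1)   default 'N' not null
);

-- Salted digest shared by password setting and password checking.
-- HASH_SH1 is the strongest digest DBMS_CRYPTO offers on 10g/11g; on 12c and later
-- prefer DBMS_CRYPTO.HASH_SH256 and widen password_hash to raw(32).
create or replace function hash_password (
    p_salt     in raw,
    p_password in varchar2
) return raw
is
begin
    return dbms_crypto.hash(
        src => utl_raw.concat(p_salt, utl_raw.cast_to_raw(p_password)),
        typ => dbms_crypto.hash_sh1);
end hash_password;
/

-- Creates or updates an account with a fresh random salt (constructed helper).
create or replace procedure set_app_user_password (
    p_username in varchar2,
    p_password in varchar2
)
is
    l_salt raw(16) := dbms_crypto.randombytes(16);
begin
    update app_users
       set salt = l_salt,
           password_hash = hash_password(l_salt, p_password)
     where username = upper(p_username);

    if sql%rowcount = 0 then
        insert into app_users (username, salt, password_hash)
        values (upper(p_username), l_salt, hash_password(l_salt, p_password));
    end if;
end set_app_user_password;
/

-- The authentication function itself. Register it in the authentication scheme;
-- APEX passes the credentials entered on the login page.
create or replace function verify_app_user (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_salt    app_users.salt%type;
    l_stored  app_users.password_hash%type;
begin
    select salt, password_hash
      into l_salt, l_stored
      from app_users
     where username = upper(p_username)
       and is_locked = 'N';

    -- utl_raw.compare returns 0 when both values are identical
    return utl_raw.compare(hash_password(l_salt, p_password), l_stored) = 0;
exception
    when no_data_found then
        -- unknown or locked account: fail closed, same outcome as a wrong password
        return false;
end verify_app_user;
/
```

The function returns FALSE for every failure path (unknown user, locked user, wrong password) so the login page cannot be used to tell those cases apart; the plaintext password is never written anywhere, and only the salted digest is stored.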


Managing User Access

• Authorization
  • Pass / Fail checks – cached to improve performance
  • Can associate to any component (e.g. Application, page, button, validation, item, etc.)
  • Various types (e.g. Exists, SQL Query, PL/SQL Function, etc.)

• Session State Protection
  • Prevent URL Tampering
  • Utilizes MD5 checksum

• Agnostically use Database Security Features
  • Fine Grained Access Control (aka VPD); Transparent Data Encryption; Database Vault; Advanced Security Option; etc.
  • No APEX development effort required


Administrator Best Practices

• Considerations with Embedded PL/SQL Gateway
  • Uses XMLDB HTTP Protocol Listener – part of the Database
  • Not recommended for internet-facing applications

• Configuring Oracle HTTP Server with mod_plsql
  • Configured using Database Access Descriptors (DADs)
  • Use PlsqlRequestValidationFunction to allow specified procedures

• Utilizing Secure Sockets Layer (SSL)
  • Implemented using the HTTPS protocol – encrypts sent / received packets
  • Prevents data from being sent over an unprotected communication channel

• APEX Runtime-Only Environment
  • Scripts provided to completely remove / re-install Application Builder
  • Removes Web interface for administration and application development

• Setting Password Complexity Rules
  • Can set multiple complexity rules / re-use rules across the instance

• Using Session Timeout
  • Set maximum session length and idle time for APEX developer log-ins
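An added example of the PlsqlRequestValidationFunction mentioned for mod_plsql (not code from the deck or from Oracle). mod_plsql calls the function with the procedure name taken from the request URL before running anything; returning TRUE lets the request through and returning FALSE rejects it, so every PL/SQL procedure not on the allowlist becomes unreachable through that DAD. The allowlist below is a constructed minimal set of APEX entry points and must be completed from the Application Express installation guide for the release in use; the denied_requests table is also constructed.

```plsql
-- Constructed audit table: one row per rejected request, for detection and review.
create table denied_requests (
    request_time    timestamp    default systimestamp not null,
    procedure_name  varchar2(255)
);

-- Request validation function for the APEX DAD. Exact, case-insensitive match only:
-- schema-qualified or differently spelled names are denied (fail closed).
create or replace function apex_request_validation (
    procedure_name in varchar2
) return boolean
is
    pragma autonomous_transaction;   -- the audit insert commits independently of the request
    l_name varchar2(255) := lower(trim(procedure_name));
begin
    -- Allowlist assumed for this example; extend it with the full set of APEX
    -- entry points documented for your release.
    if l_name in ('f',
                  'wwv_flow.show',
                  'wwv_flow.accept',
                  'wwv_flow_file_mgr.get_file') then
        return true;
    end if;

    -- Everything else is logged and refused.
    insert into denied_requests (procedure_name)
    values (substr(procedure_name, 1, 255));
    commit;
    return false;
end apex_request_validation;
/
```

The function must be executable by the database user named in the DAD, and the DAD references it by name in dads.conf with the PlsqlRequestValidationFunction directive. Keeping the comparison an exact match, rather than a prefix or wildcard match, is what makes the allowlist meaningful: anything not explicitly listed, including the same procedure spelled with a schema prefix, is refused.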


Developer Best Practices

• Understand Items of type Password
  • Don’t emit entered text to screen
  • Should not save state, or should use Item encryption if saving to the DB
  • Reports provided to identify at-risk Password items

• Using Zero as Session ID
  • Critical for PUBLIC applications to ensure no cross-user contamination
  • Session ID not included in application URL

• Cross-Site Scripting Protection
  • Protect HTML Regions and other static areas
    • Use &ITEM. notation to reference session state variables
    • Select best Item types based on protection required
  • Protect Dynamic Output
    • Explicitly use escape code when emitting session state (e.g. htp.p(htf.escape_sc(v('SOME_ITEM')));)
  • Protect Report Regions
    • References in headings and messages escaped based on Item type
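The "Protect Dynamic Output" point, as an added example that is not from the deck: the same PL/SQL region source written first the way the slide warns against and then the way it recommends. The item names P1_NAME and P1_CUSTOMER_ID, page 2 and its item P2_CUSTOMER_ID are constructed. The hardened version also builds its link with apex_util.prepare_url, which adds the Session State Protection checksum to the URL (assumed available in the APEX release in use).

```plsql
-- BEFORE: session state is written into the page unescaped. Whatever markup the
-- user managed to get into P1_NAME is rendered by every browser that loads this region.
begin
    htp.p('<p>Welcome back, ' || v('P1_NAME') || '</p>');
end;
/

-- AFTER: every value that originates from session state passes through
-- htf.escape_sc, which turns <, >, & and " into their HTML entities, so the browser
-- shows the text instead of interpreting it. A constructed value such as
-- <i>Alice</i> is emitted as &lt;i&gt;Alice&lt;/i&gt;.
declare
    l_name varchar2(4000) := v('P1_NAME');
    l_id   varchar2(4000) := v('P1_CUSTOMER_ID');
    l_url  varchar2(4000);
begin
    htp.p('<p>Welcome back, ' || sys.htf.escape_sc(l_name) || '</p>');

    -- Link into page 2 carrying P2_CUSTOMER_ID. prepare_url appends the checksum that
    -- Session State Protection verifies, so editing the id in the URL is rejected.
    l_url := apex_util.prepare_url(
                 p_url => 'f?p=' || :APP_ID || ':2:' || :APP_SESSION
                          || '::NO::P2_CUSTOMER_ID:' || l_id);

    -- The URL goes through escape_sc as well: it lives inside an HTML attribute,
    -- and the & separators become &amp; as attribute values require.
    htp.p('<a href="' || sys.htf.escape_sc(l_url) || '">View account</a>');
end;
/
```

htf.escape_sc is the right tool for text placed between tags or inside a quoted attribute; a value placed into an inline script or an unquoted attribute needs context-specific encoding that this routine does not provide, so the safest habit is to keep session state out of those contexts altogether.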


Developer Best Practices (continued)

• Session State Protection
  • Clear session state of unneeded values using the Clear Cache built-ins
  • Enable Session State Protection to prevent URL tampering
  • Set appropriate protection for Pages, Items and Application Items using built-ins

• Utilize Application Session Time-Outs
  • Build a public page for users to land on when the session has expired
  • Set Maximum Session Length and Maximum Session Idle times

• Save State before Branching
  • Use the Branch checkbox to save session state values prior to branching
  • Session state values will not be displayed in the Branch URL

• Saving sensitive Item values (e.g. SSN)
  • Use the Item checkbox to store the value encrypted in session state
  • Stores values encrypted in the APEX session state table
  • For storing sensitive data in the database, encrypt the table columns
  • Encrypting table columns is completely independent of APEX
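Two of the points above in working form, as an added example rather than code from the deck: clearing sensitive values out of session state with the Clear Cache built-ins once they are no longer needed, and encrypting the column that stores the value persistently with Transparent Data Encryption, which, as the slide says, is plain database DDL that APEX never sees. Page 10, the item P10_SSN and the customer_pii table are constructed; TDE needs the Advanced Security Option and an open encryption wallet.

```plsql
-- Page process (run after the SSN has been written to the database): remove the
-- value from the APEX session state table so it does not linger for the rest of
-- the session, with the whole page's items or one item at a time.
begin
    -- clears session state for every item on page 10
    apex_util.clear_page_cache(p_page_id => 10);

    -- or, when only the one sensitive item should go
    apex_util.set_session_state(p_name => 'P10_SSN', p_value => null);
end;
/

-- Persistent storage: the column is encrypted by TDE inside the database. Reads and
-- writes from APEX see an ordinary VARCHAR2; no application code changes.
-- Prerequisite: the wallet has been created and opened, e.g.
--   alter system set encryption wallet open identified by "<wallet-password>";
create table customer_pii (
    customer_id  number        primary key,
    ssn          varchar2(11)  encrypt using 'AES256'
);

-- Encrypting a column of an existing table is a single ALTER. Add NO SALT if the
-- column is indexed, since salted TDE columns cannot carry an index.
alter table customer_pii modify (ssn encrypt using 'AES256');
```

The session-state step and the column-encryption step address different exposures: the first limits how long the value is readable in APEX's own tables, the second protects the datafiles and backups where the value lives permanently. Neither replaces the Item-level "store encrypted" checkbox for the time the value is legitimately in session state.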