2.5.2 Configuring Security

Instance administrators can configure instance security, including service-level security, configuring support for Real Application Security, configuring session time out, preventing browser attacks by isolating workspaces, excluding domains from regions and Web services, configuring authentication controls, creating strong password policies, restricting access by Database Access Descriptor (DAD), and managing authorized URLs.

Parent topic: Managing Instance Settings

2.5.2.1 Configuring Service-level Security Settings

Instance administrators can configure service-level security in Manage Instance, Security, Security Settings, Security.

Service-level security includes configuring login controls, controlling file upload capability, restricting access by IP address, configuring a proxy server for an instance, controlling support for URLs containing session IDs, and controlling how Oracle Application Express displays the results of unhandled errors.

Parent topic: Configuring Security

2.5.2.1.1 Controling If Cookies Populate the Login Form

Control if a convenience cookie is sent to a user's computer whenever a developer or administrator logs in to a workspace from the Application Express Login page.

If Set Workspace Cookie option is set to Yes, Oracle Application Express sends a persistent cookie that:

  • Combines the last used workspace name and user name

  • Has a lifetime of six months

  • Is read to populate the Application Express Workspace Login form (but not the Oracle Application Express Administration Services Login form)

To control if cookies populate the login form:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. For Set Workspace Cookie, select No.

    • Yes - Enables the Application Express workspace login page to send a persistent cookie containing the last used workspace name and username combination.

      This cookie has a lifetime of six months and is used to populate the Workspace and Username fields of the Application Express workspace login form (not the Service Administration login form).

    • No - Prevents this cookie from being sent.
  6. Click Apply Changes.

Note:

If your system has received this cookie, you can physically remove it from its persistent location on disk using browser tools or system utilities. The cookie is named ORA_WWV_REMEMBER_UN. In older releases of Oracle Application Express, this cookie was named ORACLE_PLATFORM_REMEMBER_UN. It may exist for each Oracle Application Express service accessed having distinct hostname and path components.

Parent topic: Configuring Service-level Security Settings

2.5.2.1.2 Disabling Access to Oracle Application Express Administration Services

Prevent a user from logging in to Oracle Application Express Administration Services.

Instance administrators can prevent a user from logging in to Oracle Application Express Administration Services. Disabling administrator login in production environments prevents unauthorized users from accessing Application Express Administration Services and possibly compromising other user login credentials.

To disable user access to Oracle Application Express Administration Services:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. For Disable Administrator Login, select Yes.

    Note:

    Selecting Yes and signing out prevents anyone from accessing Oracle Application Express Administration Services.

  6. Click Apply Changes.

See Also:

"Enabling Access to Oracle Application Express Administration Services"

Parent topic: Configuring Service-level Security Settings

2.5.2.1.3 Enabling Access to Oracle Application Express Administration Services

If access to Oracle Application Express Administration Services has been disabled, an Instance administrator can re-enable again by running the following SQL statements.

To enable user access to Oracle Application Express Administration Services if it has been disabled:

  1. Connect in SQL*Plus and connect to the database where Oracle Application Express is installed as SYS, for example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password

    • On UNIX and Linux:

      $ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password
  2. Run the following statement: 
    ALTER SESSION SET CURRENT_SCHEMA = APEX_180200;
  3. Run the following statement: 
    BEGIN
  APEX_INSTANCE_ADMIN.SET_PARAMETER('DISABLE_ADMIN_LOGIN', 'N');
  commit;
END;
/

Parent topic: Configuring Service-level Security Settings

2.5.2.1.4 Disabling Workspace Login Access

Restrict user access to Application Express by disabling workspace login. Disabling workspace login in production environments prevents users from running Application Express applications such as App Builder, SQL Workshop, Team Development, and Workspace Administration.

To disable user access to the Internal workspace:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Disable Workspace Login, select Yes.

    Selecting Yes effectively sets a Runtime-Only environment while still allowing Instance administrators to sign in to Instance Administration. Selecting Yes in production environments prevents developers from changing applications or data.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

2.5.2.1.5 Controlling Public File Upload

Use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload controls.

To control file upload:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Allow Public File Upload, select one of the following:

    • Yes - Enables unauthenticated users to upload files in applications that provide file upload controls.

    • No - Prevents unauthenticated users from uploading files in applications that provide file upload controls.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

2.5.2.1.6 Restricting User Access by IP Address

Restrict user access to an Oracle Application Express instance by specifying a comma-delimited list of allowable IP addresses.

To restrict user access by IP address:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. For Disable Administrator Login, select No.
  6. In Restrict Access by IP Address, enter a comma-delimited list of allowable IP addresses. Use an asterisk (*) to specify a wildcard.

    You can enter IP addresses from one to four levels. For example:

    141, 141.* ...
192.128.23.1 ...

    Note:

    When using wildcards, do not include additional numeric values after wildcard characters. For example, 138.*.41.2.

  7. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

2.5.2.1.7 Configuring a Proxy Server for an Instance

Configure an entire Oracle Application Express instance to use a proxy for all outbound HTTP traffic.

Setting a proxy at the instance-level supersedes any proxies defined at the application-level or in web service references. If a proxy is specified, regions of type URL, Web services, and report printing will use the proxy.

To configure a proxy for an Oracle Application Express instance:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. In Instance Proxy, enter the address of the proxy to be used for the entire instance. In No Proxy Domains, enter a list of domains, for which the proxy server should not be used.
  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

2.5.2.1.8 Selecting a Checksum Hash Function

Select a hash function that Application Express uses to generate one way hash strings for checksums.

The Checksum Hash Function attribute enables you to react to recent developments and switch between algorithms based on new research. Use the Checksum Hash Function attribute to select a hash function that Oracle Application Express uses to generate one way hash strings for checksums. This attribute is also the default value for the Security Bookmark Hash Function attribute in new applications. Applications use the Bookmark Hash Function when defining bookmark URLs.

Tip:

Changing the Checksum Hash Function does not change the Bookmark Hash Function currently defined for existing applications because this would invalidate all existing bookmarks saved by end users. Oracle strongly recommends going into existing applications, expiring existing bookmarks, and then updating the Bookmark Hash Function to the same value defined for Checksum Hash Function.

To select a checksum hash function:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Checksum Hash Function, select a a hash function that Application Express uses to generate one way hash strings for checksums.

    The SHA-2 algorithms are only supported on Oracle Database 12c or later. Most Secure automatically selects the most secure algorithm available. Therefore, Oracle recommends this setting. On Oracle Database 12c or later, this evaluates to SHA-2, 512 bit and on Oracle Database 11g, SHA-1 is the most secure algorithm. Since the MD5 algorithm is deprecated, Oracle does not recommend this setting.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

2.5.2.1.9 Configuring Rejoin Sessions for an Instance

Control if Oracle Application Express supports application URLs that do not contain session IDs. 

By configuring the Rejoin Sessions attribute, Instance administrators can control if Oracle Application Express supports URLs that contain session IDs. When rejoin sessions is enabled, Oracle Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.

Warning:

For security reasons, Oracles recommends that administrators disable support for session joining unless they implement workspace isolation by configuring the Allow Hostname attributes. See "Isolating a Workspace to Prevent Browser Attacks" and "Isolating All Workspaces in an Instance."

Note:

Enabling rejoin sessions may expose your application to possible security breaches by enabling attackers to take over existing end user sessions. To learn more, see Oracle Application Express App Builder User’s Guide.

To configure Rejoin Sessions:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Rejoin Sessions, select an option:
    • Disabled - If the URL does not contain a session ID, Oracle Application Express creates a new session.
    • Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID Application Express attempts to utilize the existing session cookie established for that application. For applications with both public and authenticated pages, a session ID is defined after the end user authenticates. Application Express only joins via the cookie when the session is not yet authenticated.
    • Enabled for All Sessions - If the URL does not contain a session ID, Oracle Application Express attempts to use the existing session cookie established for that application, providing one of the following conditions are met:

      • Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level.

      • The URL does not contain payload (a request parameter, clear cache or data value pairs). This setting requires that Embed In Frames is set to Allow from same origin or to Deny for the application.

      Enabled for All Sessions requires that Embed in Frames is set to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs.

  6. Click Apply Changes.

See Also:

Parent topic: Configuring Service-level Security Settings

2.5.2.1.10 Configuring Unhandled Errors

Control how Oracle Application Express displays the results of unhandled errors

When Oracle Application Express encounters an unhandled error during processing, an error page displays to the end user of the application. From a security standpoint, it is often better to not display these messages and error codes to the end user and simply return a HTTP 400 (Bad Request) error code to the client browser.

To configure Unhandled Errors:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Unhandled Errors, select an option:

    • Show Error Page - This is the default behavior. For any error or exception which is not handled by the error processing of an application, an error page displays to the end user with the specific error and the error code.

    • Return HTTP 400 - Returns an HTTP 400 status to the end user's client browser when the Application Express engine encounters an unhandled error.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

2.5.2.2 Configuring HTTP Protocol Attributes

Determine HTTPS requirements for an Oracle Application Express instance and all related applications.

Note:

Require HTTPS make Oracle Application Express unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.

  • About SSL
    Secure Socktets Layer (SSL) is a protocol for managing the security of data transmitted on the Internet. For web applications, SSL is implemented by using the HTTPS protocol. Oracle recommends running Oracle Application Express applications using SSL (HTTPS protocol) to prevent any sensitive data from being sent over an unencrypted (cleartext) communication channel.
  • Requiring HTTPS
    Configure both the Oracle Application Express instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes.
  • Reversing Require HTTPS
    If you enable Reverse HTTPS, an Instance administrator can disable it by running the following SQL statements.
  • Reversing Require Outbound HTTPS
    If you enable Require Outbound HTTPS, an Instance administrator can disable it by running the following SQL statements.
  • Configuring Additional Response Headers
    Enter additional HTTP response headers that Oracle Application Express should send on each request, for all applications.

Parent topic: Configuring Security

2.5.2.2.1 About SSL

Secure Socktets Layer (SSL) is a protocol for managing the security of data transmitted on the Internet. For web applications, SSL is implemented by using the HTTPS protocol. Oracle recommends running Oracle Application Express applications using SSL (HTTPS protocol) to prevent any sensitive data from being sent over an unencrypted (cleartext) communication channel.

Parent topic: Configuring HTTP Protocol Attributes

2.5.2.2.2 Requiring HTTPS

Configure both the Oracle Application Express instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes.

Important:

If you enable Require HTTPS makes Oracle Application Express unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.

To require HTTPS in Oracle Application Express:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under HTTP Protocol, configure the following:
    1. Require HTTPS:

      • Always - Enforces HTTPS for all applications (including the Oracle Application Express development and administration applications) to require HTTPS.

        If set to Always, the Strict-Transport-Security Max Age attribute displays. Use this field to specify the time period in seconds during which the browser shall access the server with HTTPS only. To learn more, see field-level Help.

      • Development and Administration - Forces all internal applications within Oracle Application Express (that is, App Builder, SQL Workshop, Instance Administration and so on) to require HTTPS.

      • Application specific - Makes HTTPS dependent on application-level settings.

    2. Require Outbound HTTPS - Select Yes to require all outbound traffic from an Application Express instance to use the HTTPS protocol.
    3. HTTP Response Headers - Enter additional HTTP response headers that Oracle Application Express should send on each request for all applications. Developers can specify additional headers at application-level. Each header has to start on a new line. Note that support for various headers differs between browsers. To learn more, see field-level Help.
  5. Click Apply Changes.

Parent topic: Configuring HTTP Protocol Attributes

2.5.2.2.3 Reversing Require HTTPS

If you enable Reverse HTTPS, an Instance administrator can disable it by running the following SQL statements.

To reverse Require HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the Application Express engine schema as the current schema, for example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password

    • On UNIX and Linux:

      $ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password
  2. Run the following statement: 
    ALTER SESSION SET CURRENT_SCHEMA = APEX_180200;
  3. Run the following statement: 
    BEGIN
    APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_HTTPS', 'N');
    commit;
end;
/

Parent topic: Configuring HTTP Protocol Attributes

2.5.2.2.4 Reversing Require Outbound HTTPS

If you enable Require Outbound HTTPS, an Instance administrator can disable it by running the following SQL statements.

To reverse Require Outbound HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the Application Express engine schema as the current schema, for example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password

    • On UNIX and Linux:

      $ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password
  2. Run the following statement: 
    ALTER SESSION SET CURRENT_SCHEMA = APEX_180200;
  3. Run the following statement: 
    BEGIN
    APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_OUT_HTTPS', 'N');
    commit;
end;
/

Parent topic: Configuring HTTP Protocol Attributes

2.5.2.2.5 Configuring Additional Response Headers

Enter additional HTTP response headers that Oracle Application Express should send on each request, for all applications.

To configure additional response headers:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate HTTP Protocol.
  5. In HTTP Response Headers, enter additional HTTP response headers that Oracle Application Express should send on each request for all applications.

    Developers can specify additional headers at application-level. Each header has to start on a new line. Support for various headers differs between browsers.

    One important security related header is Content-Security-Policy. Sending this header can significantly reduce the risk of cross site scripting (XSS) and related attacks. To learn more, see field-level Help.

  6. Click Apply Changes.

Parent topic: Configuring HTTP Protocol Attributes

2.5.2.3 Enabling Real Application Security

Enable Oracle Real Application Security.

To enable Real Application Security:

If you are running Oracle Database 12c Release 1 (12.1.0.2) or later, you can enable Oracle Real Application Security. Oracle Real Application Security (RAS) is a database authorization framework that enables application developers and administrators to define, provision, and enforce application-level security policies at the database layer.

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate Real Application Security.
  5. For Allow Real Application Security.
    • Yes - Enables Oracle Database Real Application Security support for applications. If Real Application Security is configured in an application's authentication scheme, Oracle Application Express creates a Real Application Security session for a new Oracle Application Express session and automatically attaches to it.
    • No - Disables Oracle Database Real Application Security.
  6. Click Apply Changes.

Parent topic: Configuring Security

2.5.2.4 Configuring Session Timeout

Use the Session Timeout attributes to reduce exposure at the application-level for abandoned computers with an open web browser.

To configure session timeout for an instance:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under Session Timeout For Application Express, specify the following:
    • Maximum Session Length in Seconds - Defines how long (in seconds) sessions can exist and be used by applications in this Oracle Application Express instance. This setting is superseded by the corresponding workspace level setting and application level setting.

      • Enter a positive integer to control how long a session can exist.

      • Enter 0 to have the session exist indefinitely.

      • Leave the value empty in order to revert to the default value of 8 hours (28800 seconds).

    • Maximum Session Idle Time in Seconds - Session Idle Time is the time between the last page request and the next page request. This setting is superseded by the corresponding workspace level setting and application level setting.

      • Enter a positive integer to control the default idle time for sessions used by applications in this Application Express instance.

      • Leave the value empty in order to revert to the default value of 1 hour (3600 seconds).

  5. Click Apply Changes.

See Also:

"Session Management" in Oracle Application Express App Builder User’s Guide

Parent topic: Configuring Security

2.5.2.5 Isolating All Workspaces in an Instance

Instance administrators can prevent browser attacks by isolating a workspace.

Parent topic: Configuring Security

2.5.2.5.1 About Isolating Workspaces to Prevent Browser Attacks

Isolating workspaces is an effective approach to preventing browser attacks.

The only way to truly isolate a workspace is to enforce different domains in the URL by configuring the Allow Hostnames attribute. When the URLs of the attacker and the victim have different domains and hostnames, the browser's same-origin policy prevents attacks.

See Also:

"Isolating a Workspace to Prevent Browser Attacks" and Oracle Application Express App Builder User’s Guide

Parent topic: Isolating All Workspaces in an Instance

2.5.2.5.2 Configuring Instance-Level Workspace Isolation Attributes

Configure isolation and resource limitation default values for all workspaces. Workspace administrators can override these default values at the workspace-level.

To configure instance-level Workspace Isolation attributes:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under Workspace Isolation, configure the following attributes:

    Tip:

    To learn more about an attribute, see field-level Help.

    Table 2-3 Workspace Isolation Attributes

    Attribute Description

    Allow Hostnames

    Enter a comma separated list of hostnames that can be used to access this instance. This attribute can be used to specify which DNS aliases of the web server can be used with applications. You can configure specific values that override this one at workspace level. If you enter one or more hostnames, the incoming HTTP request URL's hostname part must match one of the listed hostnames.

    Resource Consumer Group

    Specify the Database Resource Manager consumer group to be used for all page events on the instance. You can configure specific values that override this one at the workspace-level. At the beginning of every request, the Application Express engine switches the current consumer group of the current database session to the consumer group that is defined at workspace or instance level. This applies to both executing applications and any of the applications used within the Application Express development environment.

    The privilege to switch to this consumer group must be granted to either PUBLIC or the Application Express schema. This privilege is typically granted using the procedure DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP.

    Maximum Concurrent Workspace Requests

    Enter the maximum number of concurrent page events that Oracle Application Express supports for all applications. You can configure a specific value at the workspace-level. Instead of processing a page event, Oracle Application Express shows an error message when the limit is already reached.

    Oracle Application Express keeps track of workspace requests by querying the CLIENT_INFO column of GV$SESSION. This tracking will not work if developers overwrite CLIENT_INFO, for example, with a call to DBMS_APPLICATION_INFO.SET_CLIENT_INFO.

    Maximum Concurrent Session Requests

    Enter the maximum number of concurrent page events that Oracle Application Express supports for each session for applications in this instance. You can configure a specific value at the workspace-level. Instead of processing a new page event, Oracle Application Express shows an error message when the limit is already reached. Alternatively, you can use the Concurrent Session Requests Kill Timeout attribute to kill an active database session, to process the new page event.

    Oracle Application Express keeps track of session requests by querying the CLIENT_IDENTIFIER column of GV$SESSION. This tracking will not work if developers overwrite CLIENT_IDENTIFIER, for example, with a call to DBMS_SESSION.SET_IDENTIFIER.

    Concurrent Session Requests Kill Timeout

    If a new page event comes in that is outside the limits of Maximum Concurrent Session Requests, Oracle Application Express can execute alter system kill session on the oldest active database session which processes another page event for this Application Express session. The Concurrent Session Requests Kill Timeout attribute specifies the number of seconds a database process has to be active, before it can be killed. If you leave this attribute empty, Application Express will not kill any database sessions.

    Warning: Killing sessions can cause problems with the application server's database session pool.

    Maximum Size of Files in Workspace

    Enter the total size (in bytes) of all files that can be uploaded to a workspace. You can configure a specific value at the workspace-level.

    Maximum Web Service Requests

    Enter the maximum number of web service requests that Application Express supports for each workspace in this instance. You can configure a more specific value at the workspace-level.
  5. Click Apply Changes.

Parent topic: Isolating All Workspaces in an Instance

2.5.2.6 Defining Excluded Domains for Regions and Web Services

Define a list of restricted domains for regions of type URL and Web services. If a Web service or region of type URL contains an excluded domain, an error displays informing the user that it is restricted.

To define a list of excluded domain from regions of type URL and Web services:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under Domain Must Not Contain, enter a colon-delimited list of excluded domains, for example: 
    mycompany.com:yourcompany.com:abccompany.com
  5. Click Apply Changes.

Parent topic: Configuring Security

2.5.2.7 Configuring Authentication Controls for an Instance

Configure authentication controls for an entire Oracle Application Express instance.

See Also:

"Creating Account Login Controls for a Workspace"

Parent topic: Configuring Security

2.5.2.7.1 About Authentication Controls

Administrators can configure authentication controls for an entire instance or for each individual workspace.

For example, if an instance administrator configures authentication controls in Oracle Application Express Administration Services that configuration applies to all Application Express accounts in all workspaces across an entire development instance.

If the instance administrator does not enable authentication controls across an entire instance, then each Workspace administrator can enable the following controls on a workspace-by-workspace basis:

  • User account expiration and locking

  • A maximum number of failed login attempts for user accounts

  • Account password lifetime (or number of days an end-user account password can be used before it expires for end-user accounts)

Tip:

This feature applies only to accounts created using the Application Express user creation and management. It provides additional authentication security for applications. See "Managing Users in a Workspace."

See Also:

"Creating Account Login Controls for a Workspace," "Configuring Security for Developer and End User Login," and "Configuring Security Settings for Workspace Administrator and Developer Accounts"

Parent topic: Configuring Authentication Controls for an Instance

2.5.2.7.2 Configuring Security for Developer and End User Login

Configure developer and end user login security settings.

To configure security settings for developer and end user login:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under General Settings, configure the following attributes:
    1. Delay after failed login attempts in Seconds - After failed logins, Oracle Application Express displays a countdown of this number times the number of failed login attempts, before it accepts new login attempts with the same username. Enter 0 to disable the countdown and allow immediate access.
    2. Method for computing the Delay - Select a method for computing the delay for failed log ins. The computation methods are based on recent data in the Login Access Log.
      See item help for further details.
    3. Inbound Proxy Servers - Enter a comma-separated list of IP addresses for well known proxy servers, through which requests come in. Oracle Application Express uses this list to compute the actual client address from the HTTP Headers X-Forwarded-For and REMOTE_ADDR.
    4. Single Sign-On Logout URL - Enter the URL Application Express redirects to trigger a logout from the Single Sign-On server. Application Express automatically appends ?p_done_url=...login url....
  5. Click Apply Changes.

Parent topic: Configuring Authentication Controls for an Instance

2.5.2.7.3 Configuring Security Settings for Workspace Administrator and Developer Accounts

Manage security settings for workspace administrator and workspace developer accounts.

To configure security controls for workspace administrator and workspace developer accounts accounts:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under Development Environment Settings,, configure the following attributes:
    1. Username Validation Expression - Enter a regular expression to validate the usernames of developers and administrators. Enter * to bypass the validation. The following example validates that the username is an email address:

      ^[[:alnum:]._%-]+@[[:alnum:].-]+\.[[:alpha:]]{2,4}$

    2. Require User Account Expiration and Locking - Applies to end user accounts created using the Oracle Application Express account management interface. Select Yes to enable Application Express user account expiration and locking features across all workspaces. This selection prevents the same feature from being disabled at the workspace-level. Select No to relinquish control to each Workspace administrator. 
    3. Maximum Login Failures Allowed - Enter a integer for the maximum number of consecutive unsuccessful authentication attempts allowed before a developer or administrator account is locked. If you do not specify a value in this field, the default value is 4.

      This setting applies to administrator and developer accounts. It does not apply to end user accounts. The value you enter is used as the default for the workspace-level Maximum Login Failures Allowed preference if the Workspace administrator does not specify a value. That preference is used for end-user accounts within the respective workspace.

    4. Account Password Lifetime (days) - Enter a number for the maximum number of days a developer or administrator account password may be used before the account expires. If you do not specify a value in this field, a default value is 45 days.

      This setting applies to accounts used to access the Application Express administration and development environment only. It does not apply to end user accounts. The value you enter is used as the default workspace-level End User Account Lifetime preference which workspace administrators can change. The workspace-level preference applies to the accounts within that workspace.

  5. Click Apply Changes.

Parent topic: Configuring Authentication Controls for an Instance

2.5.2.7.4 Editing Development Environment Authentication Scheme

Manage development environment authentication schemes.

To edit development environment authentication schemes:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Scroll down to Development Environment Authentication Schemes.
  5. Click the Edit icon adjacent to the authentication scheme you wish to edit.
  6. Edit the appropriate attributes. To make the selected authentication scheme current, click Make Current Scheme.

    To learn more about an attribute, see field-level Help.

  7. To save you changes, click Apply Changes.

Tip:

You can also change the authentication scheme using the APEX_BUILDER_AUTHENTICATION parameter in APEX_INSTANCE_ADMIN package. See "Available Parameter Values" in Oracle Application Express API Reference.

Parent topic: Configuring Authentication Controls for an Instance

2.5.2.8 Creating Strong Password Policies

Instance administrators can create strong password policies for an Oracle Application Express instance.

  • About Strong Password Policies
    Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces.
  • Configuring Password Policies
    Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces.

Parent topic: Configuring Security

2.5.2.8.1 About Strong Password Policies

Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces.

Password policies can:

  • Apply to all users (including, Workspace administrators, developers, and end users) in an Oracle Application Express instance.

  • Include restrictions on characters, password length, specific words, and differences in consecutive passwords.

  • Apply to users signing in to Oracle Application Express Administration Services.

The Application Express instance administrator can select the password policy for service administrators. Options include:

  • Use policy specified in Workspace Password Policy - Applies the password rules specified the in Workspace Password Policy.

  • Use default strong password policy - Adds another layer of security to prevent hackers from determining an administrator's password. This password policy requires that service administrator passwords meet these restrictions:

    • Consist of at least six characters.

    • Contain at least one lowercase alphabetic character, one uppercase alphabetic character, one numeric digit, and one punctuation character.

    • Cannot include the username.

    • Cannot include the word Internal.

    • Cannot contain any words shown in the Must Not Contain Workspace Name field in this section.

    Password policies add another layer of security to prevent hackers from determining an administrator's password.

Parent topic: Creating Strong Password Policies

2.5.2.8.2 Configuring Password Policies

Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces.

To configure password policies:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under Password Policy and specify the following attributes:

    Table 2-4 Workspace Password Policy Attributes

    Attribute Description

    Password Hash Function

    Select a hash function that Application Express uses to generate one way hash strings for workspace user passwords. To learn, see field-level Help.

    Minimum Password Length

    Enter a number to set a minimum character length for passwords for workspace administrator, developer, and end user accounts.

    Minimum Password Differences

    Enter the number of differences required between old and new passwords. The passwords are compared character by character, and each difference that occurs in any position counts toward the required minimum difference.

    This setting applies to accounts for workspace administrators, developers, and end users.

    Must Contain At Least One Alphabetic Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one alphabetic character as specified in the Alphabetic Characters field.

    Must Contain At Least One Numeric Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one Arabic numeric character (for example, 0,1,2,3,4,5,6,7,8,9).

    Must Contain At Least One Punctuation Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one punctuation character as specified in the Punctuation Characters field.

    Must Contain At Least One Upper Case Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one uppercase alphabetic character.

    Must Contain At Least One Lower Case Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one lowercase alphabetic character.

    Must Not Contain Username

    Select Yes to prevent workspace administrator, developer, and end user account passwords from containing the username.

    Must Not Contain Workspace Name

    Select Yes to prevent workspace administrator, developer, and end user account passwords from containing the workspace name, regardless of case.

    Must Not Contain

    Enter words, separated by colons, that workspace administrator, developer, and end user account passwords must not contain. These words may not appear in the password in any combination of uppercase or lowercase.

    This feature improves security by preventing the creation of simple, easy-to-guess passwords based on words like hello, guest, welcome, and so on.

    Alphabetic Characters

    Enter new or edit the existing alphabetic characters. This is the set of characters used in password validations involving alphabetic characters.

    Punctuation Characters

    Enter new or edit existing punctuation characters. This set of characters must be used in password validations involving punctuation characters.
  5. For Service Administrator Password Policy, select an option:
    • Use policy specified in Workspace Password Policy - Applies the password rules specified above in Workspace Password Policy to service administrator passwords.
    • Use default strong password policy - Requires that service administrator passwords meet these restrictions:

      • Consist of at least six characters

      • Contain at least one lowercase alphabetic character, one uppercase alphabetic character, one numeric digit, and one punctuation character

      • Cannot include the username

      • Cannot include the word Internal

      • Cannot contain any words shown in the Must Not Contain field specified above in Workspace Password P

  6. Click Apply Changes.

Parent topic: Creating Strong Password Policies

2.5.2.9 Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)

Restrict access to Oracle Application Express by Database Access Descriptor (DAD).

Tip:

The PL/SQL Request Validation Function directive is only available in Oracle Application Server 10g and Oracle HTTP Server 11g or later, and the embedded PL/SQL gateway in Oracle Database 11g or later. This directive is not available in Oracle HTTP Server Release 9.0.3.

Parent topic: Configuring Security

2.5.2.9.1 About Enforcing Access Restrictions Per DAD

You can restrict access to Oracle Application Express by DAD by creating a request validation function directive when you create the DAD.

mod_plsql and the embedded PL/SQL gateway support a directive which enables you to name a PL/SQL function which is called for each HTTP request. You can use this functionality to restrict the procedures that can be called through the embedded PL/SQL gateway or mod_plsql. The function returns TRUE if the named procedure in the current request is allowed and FALSE if it is not allowed. You can also use this function to enforce access restrictions for Oracle Application Express on a per-Database Access Descriptor (DAD) basis.

During installation, the installer also creates a PL/SQL function in the Oracle Application Express product schema (APEX_180200). To restrict access, you can change and recompile this function. The source code for this function is not wrapped and can be found in the Oracle Application Express product core directory in the file named wwv_flow_epg_include_local.sql.

Oracle Application Express ships with a request validation function named wwv_flow_epg_include_modules.authorize. This function specifies access restrictions appropriate for the standard DAD configured for Oracle Application Express.

The wwv_flow_epg_include_mod_local function is called by Oracle Application Express's request validation function which itself is called by the embedded PL/SQL gateway or mod_plsql. The Oracle Application Express function first evaluates the request and based on the procedure name, approves it, rejects it, or passes it to the local function, wwv_flow_epg_include_mod_local, which can evaluate the request using its own rules.

When you create new DADs for use with Oracle Application Express, the request validation function directive should be specified. Specifically, the function wwv_flow_epg_include_modules.authorize should be named in the directive PlsqlRequestValidationFunction in the Database Access Descriptor entry in dads.conf.

If you have no additional restrictions beyond those implemented in the wwv_flow_epg_include_modules.authorize function, there is no need to take any action with respect to the source code for the wwv_flow_epg_include_mod_local function.

Parent topic: Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)

2.5.2.9.2 About Changing and Recompiling wwv_flow_epg_include_local

You can change and recompile the wwv_flow_epg_include_local function to restrict access.

The source code for the wwv_flow_epg_include_local function is not wrapped and can be found in the Oracle Application Express product core directory in the file named wwv_flow_epg_include_local.sql. The source code is as follows:

CREATE OR REPLACE FUNCTION
wwv_flow_epg_include_mod_local(
    PROCEDURE_NAME IN VARCHAR2)
RETURN BOOLEAN
IS  
BEGIN  
    RETURN FALSE; -- remove this statement when  
you add procedure names to the "IN" list
    IF UPPER(procedure_name) IN (
          '') THEN  
        RETURN TRUE;  
    ELSE  
        RETURN FALSE;  
    END IF;  
END wwv_flow_epg_include_mod_local;
/

Parent topic: Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)

2.5.2.9.3 Specifying Allowed Named Procedures

You can restrict access by specifying the names of procedures that should be allowed in wwv_flow_epg_include_local.

To specify names of procedures that should be allowed, edit wwv_flow_epg_include_localas follows:

  1. Remove or comment out the RETURN FALSE statement that immediately follows the BEGIN statement: 
    ...
BEGIN  
    RETURN FALSE; -- remove this statement when 
you add procedure names to the "IN" list
...
  2. Add names to the clause representing procedure names that should be allowed to be invoked in HTTP requests. For example to allow procedures PROC1 and PROC2 the IN list you would write IN ('PROC1', 'PROC2').

    After changing the source code of this function, alter the Oracle Application Express product schema (APEX_180200) and compile the function in that schema.

Parent topic: Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)

2.5.2.9.4 Altering the Product Schema

You can restrict access by altering the product schema.

To alter the product schema, APEX_180200

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password

    • On UNIX and Linux:

      $ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password
  2. Alter the product schema (APEX_180200) by entering the following command: 
    ALTER SESSION SET CURRENT_SCHEMA APEX_180200;
  3. Compile the function wwv_flow_epg_include_local.sql.

Parent topic: Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)

2.5.2.10 Managing Authorized URLs

Create and manage a list of authorized URLs.

Authorized URLs identify the list of URLs that can be used as parameter values of certain Oracle Application Express procedures. This includes the APEX_UTIL.COUNT_CLICK procedure, which has an input parameter named P_NEXT_URL

If the parameter value to P_NEXT_URL is not a relative URL and not to the current host name, then it must be contained in this list of Authorized URLs.

Parent topic: Configuring Security

2.5.2.10.1 Defining a List of Authorized URLs

Define a list of authorized URLs.

To define a list of Authorized URLs:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Click the Authorized URLs tab.
  5. Click Create Authorized URL.
  6. In Authorized URL, identify an authorized URL that can be used as the parameter value to certain Application Express procedures, including APEX_UTIL.COUNT_CLICK

    The entire Authorized URL value will be compared with the URL parameter value in these procedures. If there is an exact match up to and including the entire length of the Authorized URL value, then the URL parameter value will be permitted.

  7. Enter Create Authorized URL.

Parent topic: Managing Authorized URLs

2.5.2.10.2 Editing a Defined Authorized URL

Edit a URL included in the list of authorized URLs.

To edit an existing URL:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Click the Authorized URLs tab.
  5. Click the Edit icon adjacent to the URL.
  6. Edit the Authorized URL and Description fields.
  7. Click Apply Changes.

Parent topic: Managing Authorized URLs

2.5.2.10.3 Deleting Defined Authorized URL

Delete a URL included in the list of authorized URLs.

To delete a URL included in the list of authorized URLs:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Click the Authorized URLs tab.
  5. Click the Edit icon adjacent to the URL.
  6. Click Delete.
  7. Click OK to confirm your selection.

Parent topic: Managing Authorized URLs