Oracle APEX is not unique, in that like any other web technology, applications can be developed with it in either a secure or not-so-secure manner.
Application security is on the forefront of everyone's minds these days. It's almost impossible to go more than a couple of days without reading about another. Expert Oracle Application Express Security covers all facets of security related to
Like any other server. Much less spectacular. If your applications use this table—as may be the case with older APEX applications that made more use of the shared table—it should be retrofitted so that any uploaded data is stored in the parse-as schema. Different people who live in different parts of the world or on different streets within the same community will come to different conclusions. This three-step wizard will prompt for the workspace name.
Chapters 6 and 7 cover using the application development environment. The typical APEX developer will never need access to the administration console. Developers who log in to the application development environment can create applications. All of these requests need to be approved by an APEX administrator and are done so through the Manage Requests section of the administration console. This embedded feature was It is important to note that this is not a conclusive list of attributes. Quite a few additional attributes are critical for the security of an instance of APEX.
Aside from initially configuring APEX. Summary data is automatically archived by APEX and displayed here as well. All development activity occurs within a workspace. The Manage Workspace section provides a set of tools for creating.
These settings typically impact every workspace and application on the instance. Each workspace is completely segregated and isolated from all others.
This will prevent anyone from signing up for a workspace without approval and require the APEX instance administrator to create all workspaces. Most management of an APEX instance is done at the workspace level. You can find information on how to ensure that workspaces are properly configured and secured in Chapter 5. Monitoring Activity The last component of the administration console is Monitor Activity. Oracle provides this instance free of charge to anyone who wants to try APEX without having to download and install it locally.
APEX was intended to be a multitenant. It also provides a facility for moving a workspace from one instance of APEX to another. In most on-premises environments. Managing Workspaces From its earliest days. Many of these settings have to do directly with the overall security of the instance of APEX. This instance regularly plays host to more than From here. From a security perspective. Chapter 4 is dedicated to configuring an instance of APEX with secure best practices in mind and highlights any instance setting that pertains to security.
Multiple users from completely different organizations would be able to securely share an instance of APEX that would be hosted on the public Internet. The bulk of the remainder of the settings have little direct impact on the overall security of an instance and are there purely for instance management purposes. An APEX workspace contains both developers and applications and is typically associated with one or more database schemas. A combination of reports. Even though there is a link to the Administration section of the workspace.
Users can be one of three types: This concept extends to any system privilege. There are three classifications or types of APEX user: This ability to limit access to modules can even be extended to individual users. These three accounts are seen as completely separate accounts by APEX and contain no integration or association with one another. They will not even see the Application Builder or SQL Workshop when they log in to the application development environment.
Each workspace will have a number of users associated with it. If a single person needs access to three workspaces. This APEX instance administrator can increase this value up to about a year. Their credentials are managed internally by APEX and cannot currently be moved elsewhere. Archived data is stored only as summary data. Workspaces also have at least one schema associated with them that the different modules can interact with or parse as.
End users can access only the Team Development module. The end user is simply a set of credentials that can be used in applications that are developed with APEX. Future releases of APEX may support moving these users to an external authentication repository. Workspaces As previously mentioned. Depending on how the instance administrator configured it. Changing the password on one account does not impact the other two at all. APEX developers can create and build applications.
For instance. Most developers within a workspace should be classified as just that—developers. Developers can also be limited as to which module or modules they have access to. In most organizations. In most workspaces. The workspace administrator can do anything that a developer can as well as manage the workspace. This schema can be an existing one or be created automatically as part of the workspace creation process. Things such as adding or removing a developer.
An instance or workspace administrator can limit which modules users have access to on a per-workspace or per-user basis. This schema will be used to store all database objects and data used in user-developed applications. While the workspace administrator can manage only their specific workspace. Components The top-level sections of the application development environment consist of four major components: Application Builder. The metadata that APEX creates as developers build applications is not stored in this schema.
The developer can also see any data stored in the schema. The time required to perform these tasks is usually just a few minutes per month. Schema Mappings When a workspace is created. This is a critical factor when considering which developers have access to which workspace. Workspace users and roles are discussed in more detail in Chapter 5. Workspace administrators have full access to all modules within a workspace. Figure When a schema is associated with a workspace.
The workspace administrator role should be reserved for either the development manager or a DBA. Regardless of how many schemas are associated to a workspace. It is also possible for a single schema to be associated with multiple workspaces. This way. Limiting which modules an individual user has access to Developers who spend their time building applications and their associated schema objects do not need to be created as workspace administrators.
Application Builder The Application Builder is where developers will spend the bulk of their time when using the tool. The developer must make that determination when creating the application and is free to choose any schema that is associated with the workspace. The SQL Workshop home page This design was done to facilitate security. Application Builder secure development best practices are discussed in detail in Chapters 6 and 7.
Take notice of the URL the next time you log into the application development environment. As mentioned. SQL Scripts.
SQL Commands. The SQL Workshop is further split up into five subsections: Object Browser. It is by no means a replacement for a desktop-based IDE. Applications can also perform any DDL commands that the corresponding schema has access to.
Users with either the developer or the workspace manager privilege can access the Application Builder. The schema assignment can be changed at any time. Object Reports: The Object Reports section is broken down into five subsections. They will be able to run any SQL statement they want. This flexibility works well for nondevelopers such as project managers because they can be created as an end-user account and only be able to use Team Development. Each of these reports displays information from the corresponding data dictionary views.
Websheets are a feature of APEX aimed at the common business user. The Methods on Tables Wizard is used as part of this approach. Methods on Tables: It functions like any other APEX application and may or may not have potential security vulnerabilities. More of an online spreadsheet feature than full-blown application development environment.
A development team can use Team Development to plan their milestones.
Role Privileges. This fact should not discourage the use of Team Development. While this data is not unique to APEX and can be obtained a number of ways. The theory behind this approach is that if the parse-as schema that an application is associated with has little to no system privileges. Any type of user—workspace administrator.
The approach works well in some scenarios. Of particular interest here is the Security Reports subsection. Chapter 13 discusses an approach that uses a limited-privilege schema and table APIs to mitigate a number of threats.
Using this wizard to create what are called table APIs creates a single entry point into inserting. Team Development is. Column Privileges. If this level of access is not appropriate for a developer. Despite there being little control as to what a developer can access within the SQL Workshop. There are four security reports: Object Grants.
This entry point can be augmented with any number of business rules and additional security checks to ensure that only valid transactions occur. Websheets do not have traditional developers.
Since there is no way to restrict which schema a specific developer has access to aside from the SQL Workshop. Subscriptions allow developers to create master copies of some components and then subscribe to those components across different applications—as long as those applications are in the same workspace. Using this mechanism. APEX subscriptions work only within a single workspace. This is often a decision made by necessity. All pages and their associated content will need to be re-created.
Details of this approach are discussed in Chapter 8. This centralization increases the manageability of an application greatly because changes need to happen in only a single location vs. A single workspace could be associated with as many schemas as needed. One of the questions to arise when starting with APEX is this: While the subscription feature will not work using this approach.
Configuring an application to behave this way is as simple as setting the cookie name in the authentication scheme to the same value across multiple applications. While these two benefits may seem compelling.
There are a couple of technical benefits of using a single workspace. It is possible to develop applications in multiple workspaces and then deploy them to a single workspace on the production instance. Data will also need to be migrated to traditional Oracle tables. While there is no single correct number of workspaces for an organization.
Websheets applications will lose some functionality when migrated to a traditional database application. Often times with just a little more work. While APEX is also constrained by the number of options that are defined for a given component. You can find a list of all APEX views on the application utilities page. When a page is rendered.
These views provide a view into all of the metadata that makes up everything within an APEX environment—from the workspace itself all the way down to a column in a report.
It provides a set of rich-UI client-side components. If only a finite number of options can be defined. As far as languages go. Because a good portion of APEX is metadata-based. APEX is a metadata-based environment. This level of extensibility provides the developer with a limitless palette of options when designing applications.
At its core. APEX is a database application and thus makes extensive use of database objects such as tables. APEX consists of two languages: Starting in version 4. This role should be granted with care because any schema it is granted to essentially becomes the equivalent of an instance administrator. These schemas are created and populated upon the installation of APEX.
The APEX views report. The portion of the schema name represents the version of APEX. Schemas Not counting any parse-as schema associated with a workspace. And lastly. They can be accessed from any tools that can connect directly to the database. When created.
APEX itself consists of three schemas: There is no reason for any developer to access these schemas directly. Given that two of these schemas are locked. It is recommended that the passwords of all three schemas immediately be set to a more secure password and that all three schemas use a different password.
The System. This schema itself is extremely limited as to what it has access to. These passwords should be changed regularly and also adhere to any organizational password policies.
For an authenticated APEX session. It also does not own any objects. Once this switch occurs. It is also not locked by default. This schema ships as locked and should remain that way.
Since APEX makes heavy reuse of database sessions.
The name of this schema will vary slightly based on the version of APEX. The password for this schema is also set upon installation and is the same password used for the other two schemas. For that type of activity.
APP Many developers coming from an Oracle Forms environment have come to rely on database roles and may be perplexed as to why they will not work anymore in APEX. This was merely a cosmetic change that reflected the original name for APEX.
Developers do not need direct access to this schema. In APEX 4. Listing shows an example of this. Oracle Flows. Because of this commonality. In earlier releases of APEX. A single database session may and almost always maps to a number of different APEX applications across different workspaces.
The origin of this prefix is twofold. The prefix has survived numerous product name changes and. If any attempt is made to execute them from outside of a valid session. Listing shows a full listing of its objects. Nothing is ever supposed to connect to this schema. Listing shows the specific objects these five privileges are granted on.
This schema exists for the sole purpose of providing an initial repository to upload files. That leaves the remaining five privileges: When any file is uploaded via an APEX application. Under the covers. As a developer. Transactions One of the benefits of a metadata-based environment is that all transactions consist of the same components.
This approach is highly recommended for a number of reasons. In the Application Builder. APEX has its own nomenclature for each of these methods: The view from which this table is accessed in the application development environment is augmented with security to segregate data based on the underlying workspace. Whether it stays there permanently is. The underlying infrastructure functions the same.
On a high level. Almost every facet of the tool itself can be traced back to either a page-rendering or page-processing event. Like every other web application. Shared components. Oracle Text can also easily index it in when it is moved to the parse-as schema. If the file is uploaded from the application development environment. The TZ parameter is used to set the corresponding time zone for a user. As soon as the user submits the page by clicking a button or other item that causes the page to be submitted.
Some of the additional parameters that can be passed to the f procedure may be recognizable. When run. When navigating from page to page via the URL. APEX typically uses a procedure called f and passes a colon-delimited string to a parameter called p. Once decomposed and after performing some basic security and globalization checks. This process is repeated for each APEX page that is rendered or asynchronous process that is executed.
The f procedure actually has a number of additional parameters. Some components. The f procedure will then take that string and decompose it into its discrete values. All modern browsers support this capability. These items store values for the application.
Both items that are visible and hidden are passed back to the APEX engine. In addition to that. A better alternative is to use a free add-on called Web Developer. Web Developer. The downside to this function is that the HTML document may be quite large and difficult to sift through to locate a specific element. One way to see all the items on the page is to view the HTML source. After installing Web Developer.
An APEX form. The remaining 40 parameters are used to specify other options such as application. For each item on the page.
Of these. It actually refers to the primary key of the item that immediately precedes it in the form. In the HTML. When this form is submitted to the APEX engine. After logging into Application Session state protection is an APEX feature that detects when the value of a specific item or items has been altered and prevents the resulting page submission from executing.
Using the Web Developer toolbar. Once that association is made. A fixed number of connections can be established and maintained. Once that limit is reached or exceeded. Based on the fact that they have the same value. An APEX session is more similar to a text message than a phone call. Tools like Web Developer are invaluable assets that make web development a lot easier and faster.
Since HTTP is a stateless protocol and does not maintain a persistent connection to the server. That cookie contains a value that. APEX contains its own robust session state management infrastructure. While both parties still need to dedicate resources for this exchange to occur. The APEX engine will then begin to map array values with parameters by looping through all of them.
In both scenarios. The first array value——will be used to look up the corresponding page item. In this example. Rather than establishing a dedicated connection to the database server. You can find more information on how session state protection works and how to implement it in Chapters 6 and 7.
When a user accesses an APEX site. It functions the same. For that connection to be maintained. The value of the cookie contains a string that corresponds to a hash of the session ID.
APEX will not only allow that user to hijack another session but also immediately expire the current session. This is good for a number of reasons. Each application also has a session duration and session idle time attribute. If either of these values is exceeded. The name of the cookie contains both the workspace ID and the application ID. The APEX session cookie. Closing just the browser tab.
Session state values will always be stored in the database and never in a cookie on the client PC. If there is a match and the corresponding session ID has not been otherwise invalidated or expired. The lifetime of an APEX session will vary and can be terminated by one of a number of events.
If a user completely closes all windows of the browser. This job runs every eight hours unless altered to run more or less frequently. Once a valid session has been established. That recommendation should be extended to any production system for the same reasoning. While the details on how to implement and secure the different web servers that work with APEX are out of scope for this book.
It does. To disable it. To verify that it has been disabled. Cascading Style Sheets files. APEX is. If not used. There are currently three supported options that work with APEX: Oracle recommends not using the EPG when deploying applications on the Internet.
All of the supporting files required for APEX—images. Currently in its second major release. If a hacker is successful in breaching the most outward-facing Apache server.
It is a fully supported product that is compatible with most other Apache modules. Firewalls can also be added between each and any of the tiers to restrict network traffic.
Oracle Glassfish. Introduced around the same time as APEX 4. Oracle will provide support only for the following three: Yet its sophistication allows for a number of different configurations.
A deeper level of understanding provides developers with a more robust view of the technology. The most recent release added the ability for a single listener to service multiple database. An APEX implementation can start small with as few as a server or two and expand as the organization requirements do. Its simplicity makes it easier to understand. But after just a few days or even hours with the car.
But for the most part. Chapter 4 Instance Settings Think about when you purchase a new or used car. Keep in mind that individual requirements can and will be different from organization to organization. If these gauges report no issues. The time required to actually secure an instance of APEX is not too significant.
While application security is also a critical component to consider. Most of the settings covered in this chapter come with recommendations for production instances.
It will start by describing some best practices for instance configuration. The only ongoing task that a car owner needs to dedicate constant attention to is monitoring the gauges on the dashboard. At first glance. This chapter will cover how to configure and manage an instance of APEX with security in mind. Up front. It can be done in a matter of hours. These gauges will indicate when the car is low on gas or oil or when there are other issues that need to be investigated.
It will then cover all security-related aspects of the instance administration console. But once everything is configured optimally. Configuring an instance of APEX is very similar to learning the ins and outs of the features of a new car. Depending on the instance type—development.
These days. But if time is not spent on reviewing all of the settings and ensuring that they are configured properly. Once the script is either downloaded or located. To prove this. As soon as it runs. Be warned: If this file is no longer available.
Executing the apxdevrm. Converting an instance to runtime mode is relatively simple and should take only a few minutes. When converted to runtime mode. The script required to convert an instance to runtime mode is called apxdevrm. The actual speed at which the script runs is. The theory here is that if the development and administration environments do not exist.
All other developed applications should function as normal from their original URLs. Most of the rest of this chapter discusses how to configure an instance of APEX so that it is as secure as it can be. Should a setting need to be changed to an instance in runtime mode. If choosing runtime mode. The Instance Administration API An instance converted to runtime mode is by definition more secure than one not converted.
The time it takes to complete this script is also dependent on the specifications and speed of the server. Even if the proper credentials are known. But while runtime mode offers an enhanced level of security and assurance. It can be executed from the SYS. It should take just a few minutes to run.
This script can be found in the same directory as apxdevrm. Attempt to access the workspace login page in a runtime environment Should the development environment ever need to be restored. It is almost never a full-time role but rather a commitment of just a few hours a month. There are a number of reasons why an APEX administrator would not want to set their instance of APEX to runtime mode—some of which are valid and others of which are less so.
Many organizations give this role to a DBA. To access the instance administration console.
If an instance of APEX is set to runtime mode. Many of these settings have something to do with security. If access is needed. Other non-security-focused settings are in many cases important but are not covered in the scope of this book. While definitely the least convenient approach. This will prevent anyone from attempting to log in to any workspace at all by throwing an error message when the user attempts to load the workspace login page. If the instance is converted to runtime mode.
The instance administration console is what the instance administrator will use to manage an instance of APEX. This extra step requires that at least two people be involved in making changes to a production environment. Having said all of this. While this does not make it any less safe. Once authenticated. Once a user successfully logs into the workspace. Configuration and Management The instance administrator can configure a number of instancewide settings.
The next section will pay closer attention to those that could impact the security of your instance of APEX. Access to the instance administration console should be given only to trusted users. While not every subsection of the Manage Instance section has to do with security.
The main page of the instance administration console This screen will show some high-level metrics about the settings of the instance. Manage Instance Settings Most instancewide settings can be found in this section of the instance administration console. Manage Workspaces. Manage Requests. Manage Instance. Instance Configuration Settings. These settings can be configured only by an APEX instance administrator and. Configuring these settings correctly should be done prior to enabling access to any applications in your production instance of APEX.
Instance Settings is further divided into four sections: Feature Configuration. The bulk of the remainder of this section covers any setting that has to do with the security of the instance of APEX and how to properly configure it for the most secure environment.
All of these sections. If configured incorrectly. If it is not required.
The default login page for the sample application denotes that it is. If it is enabled. When disabled at the instance level. Setting this to No on a development or QA instance should not pose a problem. By creating a demonstration application in each workspace. In a properly secured environment—where all APEX developers are either disabled or removed—this presents no risk.
All three of these settings apply only when a developer installs any one of the packaged applications. By default. A malicious user could easily create a script that seeks out active Websheets by manipulating the URL. All of the settings in Feature Configuration apply to all workspaces and.
When this feature is enabled at the instance level. Packaged Application Install Options This section contains three settings: The default setting of all three of these settings is No and. This feature should be set to Always at all times. Security As the name implies. If developers need access to this feature on a development environment.
Enable Service Requests APEX workspace administrators have the ability to request additional schemas or storage or terminate their workspaces entirely. When needed. Elements captured include the user name. This setting determines when and how the log is used. It can also be set to never log any activity or always log all activity. Since all requests made by a workspace administrator are subject to approval from the APEX instance administrator.
There is no harm in enabling this feature. About Database and Database Monitoring. This will ensure that all APEX application page views are in fact logged. Settings managed here include cookies.
For tracing to work. If either of these settings is set to No. Upon returning to that instance of APEX. Set Workspace Cookie Enabling the Set Workspace Cookie option will place a cookie on your local workstation that will remember the last workspace and user name you used to sign into APEX with. If an instance of APEX is not converted to runtime mode. The API will have to be called from a privileged schema. Once this option is disabled. There may be multiple instances of this cookie.
If necessary. Applications that were developed in workspaces are not impacted at all. The Security Settings section contains the bulk of the parameters that can be configured. More details about this API can be found later in this chapter. If this option was enabled and developers already have workspace cookies stored locally. While this information is not enough for a malicious user to log into your workspace. The added inconvenience of having to enter the workspace. The current session will not be impacted until either exceeding its session time limit terminates it or the user explicitly logs out.
This cookie will persist on your client workstation for six months. Instance Proxy While not an essential setting for security. While this is a quick and easy way to expose a dataset via web service. This setting should always be enabled for any instance of APEX.
Should this setting be accidentally enabled. If specified at the instance level. One of its features is built-in integration with an Internet Content Access Protocol (ICAP) virus-scanning site to ensure that uploaded files are virus-free.
This setting should also be enabled because sensitive data is just as likely to be outbound as inbound. This includes calls made to web services from APEX applications. Individual IP addresses can be entered separated by commas.
While this feature may seem like a reliable way to protect an instance of APEX. If no proxy server is used. Attempts to access either over HTTP will result in a redirection error. Once these three conditions are met. Domain names should be colon delimited and should not include any ports. To prevent any session from expiring. Setting either to null will also revert to their default settings.
Individual applications can be set depending on their individual security needs. For best results. Any setting at the application level will override this setting. In addition to being used as the default for applications that do not specify this setting. If there is a need for a report or reports to be exposed as RESTful web services. Domain Must Not Contain Any domain name entered in this setting will be restricted in two places: The number of valid domains that could offer a nefarious web service is too numerous to even attempt to collect a list.
Method for Computing the Delay If a delay of one second or more is set in the previous setting. It would be more valuable if this setting were a whitelist of valid URLs that could be accessed versus ones that should be restricted. Setting it to 0 will disable this feature. The gist of this feature is that if an end user enters an invalid password.
There are four options for this setting. This list will be used to assist APEX in recording the proper IP address a user came from when a proxy server is used. Known domains that are flagged as dangerous could certainly be entered here. One option is to use the default strong policy. Attention should be paid to the workspace-level setting of this attribute. Attention should be paid to the workspace-level setting of this attribute because that will override anything set at the instance level.
A workspace administrator can override this setting at the workspace level for that specific workspace. The default strong password policy is defined as the following: It has no impact on external repositories used for applications created with APEX. If this value is exceeded. To determine how long it would take to crack each one. In many cases. This applies only to users in the instance administration console and Application Builder and not any external authentication scheme used in deployed APEX applications.
Even the online scenario does not offer much solace. The password that will be tested next. Results of the simple password oracle Notice that the time it would take for an offline attack is insignificant.
Results of the short yet high-entropy password 0raC! Even adding more entropy essentially made no difference in the time it would take to crack the passwords.
With a relatively short password. And as long as at least one mixed-case. The core problem here is simply password length. The recommendation made by this site is that a combination of some entropy and a longer password are the best approach. In line with these recommendations. A link is displayed on the login page enabling users to request workspaces.
And to increase this duration even more. Most of the settings here have something to do with the overall security of an instance of APEX.
Even in the massive offline scenario. Instance Configuration Settings The Instance Settings section contains a variety of settings having to do with provisioning workspaces. There are three possible settings: An administrator manually creates each workspace.
A link is displayed on the login page enabling users to request workspaces and validate via e-mail before creating a workspace. Provisioning Status The Provisioning Status setting. The third setting—Request with Email Verification—should never be selected because it allows anyone with network access to the instance to automatically create workspaces in an instance of APEX. Failure to do so will prevent the request from going through. When Email Provisioning is set to Disabled.
TDE will encrypt all database files that are written to disk. A better name for this setting would be Email Response Processing. Encrypted Tablespaces If this setting is enabled. The purpose of this feature is to eliminate sign-ups by automated services. Message The Message setting works in conjunction with the previous setting.
Setting it to Request could be considered for a nonproduction or sandbox environment that is on an internal network. It is unlikely that this setting will ever need to be changed. If your provisioning status is set to either Request or Request with Email Verification. If no e-mail address is entered.
This is important so that in the case of any questions. This setting will apply regardless of which provisioning mode APEX is set to. If this setting is set to Disabled. In this case. Upon clicking the link. It does not apply if Provisioning Status is set to Manual. Email Provisioning. Files that fit these criteria include the following:
Expert Oracle Application Express Security is written with that theme in mind. Scott Spendolini, one of the original creators of the product, offers not only examples of security best practices, but also provides step-by-step instructions on how to implement the recommendations presented.
He has assisted a number of clients from various verticals with their Oracle APEX development and training needs. Prior to co-founding Sumneva, Spendolini founded and ran Sumner Technologies from through , which also focused on Oracle APEX consulting, training, and solutions.
Before that, he was employed by Oracle Corporation for almost 10 years, the last three of which he was a senior product manager for Oracle APEX. He holds a dual bachelor's degree from Syracuse University in management information systems and telecommunications management, and resides in Ashburn, Virginia with his wife and two children.