| Oracle® Application Server mod_plsql User's Guide 10g Release 2 (10.1.2) Part No. B14010-01 | 
 | 
|  Previous |  Next | 
This chapter describes how to set up the database and PL/SQL, for best security. It covers the following topics:
| See Also:For more information about mod_plsql configuration parameters, refer to the Oracle HTTP Server Administrator's Guide. | 
mod_plsql is a PL/SQL gateway that can be used to access any procedure to which your database account has rights. Since this also includes access to all packages granted to PUBLIC, it is the responsibility of the PL/SQL application to ensure that mod_plsql is not used to access unauthorized packages or procedures. By default, mod_plsql does not allow access to:
Sensitive schemas. For example, SYS.*.
Packages known to be sensitive, but to which PUBLIC has access. For example, OWA_*, DBMS_*, and UTL_* packages.
Procedure names that contain special characters in the URL.
This default model of explicitly denying access to specific packages from being executed directly using mod_plsql is sufficient for most correctly designed PL/SQL applications. If this level of security is not adequate for your PL/SQL application, it is highly recommended that you follow one or more of the following techniques to ensure that your PL/SQL application is secure:
Defining the PlsqlRequestValidationFunction Directive in mod_plsql
Adding More Rules to the PlsqlExclusionList Directive in mod_plsql
mod_plsql provides a DAD parameter directive called PlsqlRequestValidationFunction which enables you to allow or disallow further processing of a requested procedure. This is useful for implementing tight security for your PL/SQL application by blocking package/procedure calls which should not be allowed to run from the DAD.
The function defined by this parameter must have the following prototype:
boolean function_name (procedure_name IN varchar2)
When invoked, the argument 'procedure_name' will contain the name of the procedure that the request is trying to run.
For example, if all the PL/SQL application procedures that can be called from a browser are inside the package "mypkg", then a simple implementation of this function can be as shown in Example 3-1:
Example 3-1 Implementation of Request Validation Function to Block Procedures
boolean my_validation_check (procedure_name varchar2) 
is 
begin 
    if (upper(procedure_name) like upper('myschema.mypkg%')) then 
        return TRUE; 
    else 
        return FALSE; 
    end if; 
end; 
| Tips: 
 | 
mod_plsql provides a DAD configuration parameter called PlsqlExclusionList, which can be used to disallow execution of procedures with specific patterns, directly from a browser URL. The specified pattern is case insensitive and allows a wildcard pattern of "*", which means "zero or more occurrences of any set of characters". The default patterns that are not accessible from a direct URL are sys.*, dbms_*, utl_*, owa_util.*, owa_*, htp.*, and htf.*. Starting from Oracle Application Server 10g Release 2 (10.1.2), the default built-in exclusion list remains in effect even if the user has configured additional rules using PlsqlExclusionList. In previous versions, if the PlsqlExclusionList directive was overridden in the DAD configuration, the default settings no longer applied.
In addition to the patterns that are specified with this directive, mod_plsql also disallows any URLs that contain special characters such as tabs, new lines, carriage returns, single quotation marks ('), reverse slash (\), and so on.
For details on the PlsqlExclusionList parameter, refer to the "mod_plsql" section in the Oracle HTTP Server Administrator's Guide.
| Caution:Setting the PlsqlExclusionList directive to #NONE# disables all protection, and should not be used for an active Web site. | 
You can set the PlsqlExclusionList directive in the mod_plsql configuration file called dads.conf. This configuration file is located in the following directories:
(UNIX) ORACLE_HOME/Apache/modplsql/conf/
(Windows) ORACLE_HOME\Apache\modplsql\conf
Where ORACLE_HOME is the location of your Oracle HTTP Server installation.
To ensure the best security for user-defined PL/SQL procedures that are granted to PUBLIC, specify the user settings with the PlsqlExclusionList directive in the dads.conf file as shown in Example 3-2.
Applications using Custom Authentication can choose to deny access to restricted packages or procedures in their implementation of the AUTHORIZE procedure.
It can be useful to separate the schema containing your application objects (tables and procedures) from the schema against which you will run mod_plsql. This way, the user that mod_plsql connects as can be prevented from any direct access to your tables and other database objects, except through APIs that are granted to that user. Synonyms can be used to make the procedures executable without schema prefixes.
mod_plsql provides different levels of authentication in addition to those provided by the Oracle HTTP Server. The Oracle HTTP Server protects documents, virtual paths and so forth, while mod_plsql protects users logging into the database or running a PL/SQL Web application.
You can enable different authentication modes, as described in Table 3-1.
Table 3-1 Authentication Modes Used with mod_plsql
| Authentication Mode | Approach | 
|---|---|
| Basic | Authentication is performed using basic HTTP authentication. Most applications use basic authentication. | 
| Global OWA | Authentication is performed using the owa_custom.authorize procedure in the schema containing the PL/SQL Web Toolkit packages. | 
| Custom OWA | Authentication is performed using packages and procedures in the user's schema (owa_customize.authorize), or if not found, in the schema containing the PL/SQL Web Toolkit packages. | 
| PerPackage | Authentication is performed using packages and procedures in the user's schema (packageName.authorize). | 
| Single Sign-on | Authentication is performed using Oracle Application Server Single Sign-On. Use this mode only if your application works with OracleAS Single Sign-On. | 
The module, mod_plsql, supports authentication at the database level. It uses HTTP basic authentication but authenticates credentials by using them to attempt to log on to the database. Authentication is verified against a user database account, using user names and passwords that are either:
stored in the DAD. The end user is not required to log in. This method is useful for Web pages that provide public information.
provided by the users by means of the browser's Basic HTTP Authentication dialog box. The user must provide a user name and password in the dialog box.
Oracle HTTP Server has a different mechanism for the basic authentication mode. The user name and password must be stored in the DAD. Oracle HTTP Server uses HTTP basic authentication where the credentials are stored in a password file on the file system. Authentication is verified against the users listed in that file.
Basic Authentication Mode
mod_plsql supports basic authentication. Oracle HTTP Server authenticates users' credentials against a password file on the file system. This functionality is provided by a module called mod_auth. 
Custom authentication enables applications to authenticate users within the application itself, not at the database level. Authorization is performed by invoking a user-written authorization function.
Custom authentication is done using OWA_CUSTOM and cannot be combined with dynamic username/password authentication. Custom authentication needs to have a static username/password stored in the DAD configuration file. mod_plsql uses this DAD username/password to login to the database. Once mod_plsql is logged in, authentication control is passed back to the application, by calling an application-level PL/SQL hook. This callback function is implemented by the application developers. The value returned by the callback function determines the success or failure of authentication. The value TRUE means success and FALSE means failure.
Depending on the kind of custom authentication needed, you can place the authentication function in different locations:
Global OWA enables you to invoke the same authentication function for all users and procedures.
Custom OWA enables you to invoke a different authentication function for each user and for all procedures.
Per Package authentication enables you to invoke the authentication function for all users, but only for procedures in a specific package or for anonymous procedures.
For example, when using Custom OWA, an authorization function might verify that a user has logged in as user guest with password welcome, or it might check the user's IP address to determine access.
Table 3-2 summarizes the parameter values.
Table 3-2 Custom Authentication Modes and Callback Functions
| Mode | Access Control Scope | Callback Function | 
|---|---|---|
| Global OWA | All packages | owa_custom.authorizein the OWA package schema. | 
| Custom OWA | All packages | owa_custom.authorizein the user's schema, or, if not found, in the OWA package schema. | 
| Per package | Specified package | packageName.authorizein the user's schema, oranonymous.authorizeis called. | 
For DADs using dynamic authentication (no username/password in the DAD), mod_plsql allows users to log off (clear HTTP authentication information) programmatically through a PL/SQL procedure without having to exit all browser instances. This feature is supported on Netscape 3.0 or higher and on Microsoft Internet Explorer. On other browsers, the user may have to exit the browser to deauthenticate.
Deauthentication can be done programatically by creating your own logout procedure, which simulates a logout and redirects the user to a sign-off page.
Create or replace procedure MyLogOffProc as follows:
BEGIN
   -- Open the HTTP header
   owa_util.mime_header('text/html', FALSE, NULL);
   -- Send a cookie to logout
   owa_cookie.send('WDB_GATEWAY_LOGOUT', 'YES', path=>'/');
   -- Close the HTTP header
   owa_util.http_header_close;
   -- Generate the page
   htp.p('You have been logged off from the WEBSITE');
   htp.anchor( 'http://www.abc.com', 'click here');
   htp.p('<BR>bye');
END;
Another method of deauthentication is to add /logmeoff after the DAD in the URL. For example:
http://www.abc.com:2000/pls/myDAD/logmeoff