5.8.2 Configuring Security Attributes
Use the Security page to set application-wide security settings.
Tip:
Edit application components directly to manage more granular settings. To learn more about security best practices, see Managing Application Security.

- Accessing the Security Page
- Security Page
5.8.2.1 Accessing the Security Page
Access the Security page from the Application home page.
To access the Security page:
5.8.2.2 Security Page
The Security page is divided into the following sections: Authentication, Authorization, Session Management, Session State Protection, Browser Security, and Database Session.
Use the Security page to set application-wide security settings. Edit application components directly to manage more granular settings.
Note:
Required values are marked with a red asterisk (*).
- Authentication
- Authorization
- Session Management
- Session State Protection
- Browser Security
- Database Session
5.8.2.2.1 Authentication
Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time.
Table 5-8 Authentication Attributes
Attribute | Description | To Learn More
---|---|---
Public User | Identifies the Oracle schema (or user) used to connect to the database through the Database Access Descriptor (DAD). Once a user has been identified, the Oracle APEX engine keeps track of each user by setting the value of a built-in substitution string. If the current application user equals the value of this attribute, APEX treats the session as a public (unauthenticated) user session. For example, you can show a login button if the user is the public user and a logout link if the user is not the public user. | See HOME_LINK and Understanding Conditional Rendering and Processing
Authentication Scheme | Identifies the current authentication method used by this application. The purpose of authentication is to determine the application user's identity. To create an authentication scheme, click Define Authentication Schemes. | See How Authentication Works and Creating an Authentication Scheme
5.8.2.2.2 Authorization
Application authorization schemes control access to all pages within an application. Unauthorized access to the application, regardless of which page is requested, causes an error page to display.
Table 5-9 Authorization Attributes
5.8.2.2.3 Session Management
Use the Session Management attributes to limit exposure at the application level, for example when a computer is left unattended with a web browser still logged in.
Table 5-10 Session Management
Attribute | Description
---|---
Rejoin Sessions | Controls at the application level whether URLs in this application must contain session IDs. When Rejoin Sessions is enabled and a URL does not contain a session ID, APEX attempts to use the session cookie to join an existing session. To use Rejoin Sessions at the application level, an administrator must first enable it at the instance level; a more restrictive instance-level setting overrides application and page settings. Warning: enabling Rejoin Sessions may expose your application to security breaches, as it can enable attackers to take over existing end user sessions. To learn more, see About Rejoin Sessions. Rejoin Sessions options include:
Deep Linking | Enables or prevents deep linking into the application. For example, browsers often save the URLs of open tabs and try to restore them after a restart, which produces a deep link. This behavior may be undesirable, for example if the URL points to a page in the middle of a multi-step wizard. When Disable is selected, APEX starts a new session and redirects to the application's home page. Options include:
Maximum Session Length in Seconds | Defines how long (in seconds) sessions can exist and be used by this application.
Session Timeout URL | Enter an optional URL to redirect to when the maximum session length has been exceeded. The target page in this URL, if implemented in APEX, should be a public page. A common use for this page is to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users see the message "Your session has timed out" and a link to the application home page. If you enter #LOGOUT_URL#, APEX performs a logout, just as when the user clicks the application's logout link. Only three substitution items are supported in this URL. Because of the particular purpose of this URL, it is not necessary to include either
Maximum Session Idle Time in Seconds | The session idle time is the time between the last page request and the next page request. Options include:
Session Idle Timeout URL | Enter an optional URL to redirect to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in APEX, should be a public page. A common use for this page is to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users see the message "Your session has timed out" and a link to the application home page. If you enter #LOGOUT_URL#, APEX performs a logout, just as when the user clicks the application's logout link. Only three substitution items are supported in this URL. Because of the particular purpose of this URL, it is not necessary to include either
Session Timeout Warning in Seconds | Defines how long (in seconds) before a session times out, by reaching either the maximum session length or the maximum session idle time, the user is warned. For the idle time warning, the user has the opportunity to extend the session. For the maximum session length warning, the user is prompted to save any work, to avoid loss of data when the maximum session time is reached.
See Also:
- About Utilizing Session Timeout
- Configuring Session Timeout for a Workspace and Configuring Session Timeout for an Instance in Oracle APEX Administration Guide
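The interaction between maximum session length, maximum idle time, the warning window and the two timeout URLs is easier to see in code. The following is an added example, not APEX's own session engine: it models a session as two timestamps and applies the rules from the table above. The policy values, the home and logout URLs and the Session and Decision types are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values standing in for the three attributes described above.
MAX_SESSION_LENGTH = 8 * 3600   # Maximum Session Length in Seconds
MAX_IDLE_TIME = 30 * 60         # Maximum Session Idle Time in Seconds
TIMEOUT_WARNING = 5 * 60        # Session Timeout Warning in Seconds

# Hypothetical application URLs, not values taken from APEX.
HOME_URL = "/ords/r/myapp/home"
LOGOUT_URL = "/ords/r/myapp/logout"
DEFAULT_TIMEOUT_MESSAGE = "Your session has timed out"


@dataclass
class Session:
    created_at: int        # epoch seconds when the session was created
    last_request_at: int   # epoch seconds of the most recent page request


@dataclass
class Decision:
    status: str                     # "ok", "warn", "idle_timeout" or "max_length_exceeded"
    seconds_left: int               # seconds until the session becomes unusable
    can_extend: bool                # True only for an idle-time warning
    redirect: Optional[str] = None  # where a timed-out request is sent
    message: Optional[str] = None   # shown only when no timeout URL is configured


def resolve_timeout_target(configured_url: Optional[str]):
    """Map a (Session|Idle) Timeout URL setting to a concrete redirect.

    Empty -> "Your session has timed out" plus a home link,
    '#LOGOUT_URL#' -> perform a logout, anything else -> that public page.
    """
    if not configured_url:
        return HOME_URL, DEFAULT_TIMEOUT_MESSAGE
    if configured_url.strip() == "#LOGOUT_URL#":
        return LOGOUT_URL, None
    return configured_url, None


def evaluate(session: Session, now: int,
             timeout_url: Optional[str] = None,
             idle_timeout_url: Optional[str] = None) -> Decision:
    """Decide what to do with a page request arriving at epoch second `now`."""
    age = now - session.created_at
    idle = now - session.last_request_at

    # Maximum session length is checked first: it can never be extended.
    if age >= MAX_SESSION_LENGTH:
        target, msg = resolve_timeout_target(timeout_url)
        return Decision("max_length_exceeded", 0, False, target, msg)
    if idle >= MAX_IDLE_TIME:
        target, msg = resolve_timeout_target(idle_timeout_url)
        return Decision("idle_timeout", 0, False, target, msg)

    length_left = MAX_SESSION_LENGTH - age
    idle_left = MAX_IDLE_TIME - idle
    seconds_left = min(length_left, idle_left)
    if seconds_left <= TIMEOUT_WARNING:
        # An idle warning offers "extend"; a max-length warning only says "save your work".
        return Decision("warn", seconds_left, can_extend=(idle_left < length_left))
    return Decision("ok", seconds_left, False)


def touch(session: Session, now: int) -> Session:
    """Record a page request (or an explicit 'extend'): resets idle time, not age."""
    return Session(session.created_at, now)


if __name__ == "__main__":
    s = Session(created_at=0, last_request_at=0)
    print(evaluate(s, 1600))                  # warn, 200 s left, extendable
    print(evaluate(s, 1800, idle_timeout_url="#LOGOUT_URL#"))  # idle timeout -> logout
```

Note that extending after an idle warning only resets `last_request_at`; once the maximum session length is reached the user is logged out regardless of activity, which is why the max-length warning prompts to save rather than offering to extend.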
5.8.2.2.4 Session State Protection
Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. This table describes the attributes available under Session State Protection.
Table 5-11 Session State Protection
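Session State Protection defeats URL tampering by binding the item values carried in a URL to a checksum that the server verifies before accepting them. The following is an added example of that mechanism, not APEX's own checksum algorithm: it uses the `f?p=App:Page:Session:Request:Debug:ClearCache:ItemNames:ItemValues:PrinterFriendly&cs=...` URL layout, an assumed server-side salt, and an HMAC over the session ID and the item fields, so that changing a value, stripping the checksum, or replaying the link under another session is rejected.

```python
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed server-side secret for this illustration. APEX derives its own
# checksum salts; this block shows the mechanism, not APEX's implementation.
SERVER_SALT = b"constructed-example-salt-do-not-reuse"


def split_p(p: str) -> list:
    """Split an f?p value into its nine positional fields, padding missing ones."""
    fields = p.split(":")
    return (fields + [""] * 9)[:9]


def checksum(session_id: str, item_names: str, item_values: str) -> str:
    """HMAC over the session and the exact item-name/item-value fields of the URL."""
    msg = "\x00".join([session_id, item_names, item_values]).encode()
    return hmac.new(SERVER_SALT, msg, hashlib.sha256).hexdigest()[:32]


def build_url(app_id: int, page_id: int, session_id: str, items: Dict[str, str]) -> str:
    """Build f?p=App:Page:Session:Request:Debug:ClearCache:Names:Values:Printer&cs=..."""
    names = ",".join(items)
    values = ",".join(items.values())
    p = f"{app_id}:{page_id}:{session_id}::::{names}:{values}:"
    if not items:
        return "f?" + urlencode({"p": p})   # nothing to protect, no checksum needed
    return "f?" + urlencode({"p": p, "cs": checksum(session_id, names, values)})


def verify_url(url: str) -> Tuple[bool, str]:
    """Server-side check a protected page runs before accepting item values from a URL."""
    query = url.split("?", 1)[1] if "?" in url else url
    params = parse_qs(query, keep_blank_values=True)
    fields = split_p(params.get("p", [""])[0])
    session_id, names, values = fields[2], fields[6], fields[7]
    if not names and not values:
        return True, "no item values in URL"
    cs = params.get("cs", [""])[0]
    if not cs:
        return False, "item values present but checksum missing"
    # Constant-time comparison so the checksum cannot be guessed byte by byte.
    if not hmac.compare_digest(cs, checksum(session_id, names, values)):
        return False, "checksum mismatch: values or session ID were altered"
    return True, "checksum valid"


if __name__ == "__main__":
    url = build_url(100, 5, "1234567890", {"P5_ORDER_ID": "42"})
    print(url)
    print(verify_url(url))                                            # (True, 'checksum valid')
    print(verify_url(url.replace("P5_ORDER_ID%3A42", "P5_ORDER_ID%3A43")))  # tampered value
    print(verify_url(url.split("&cs=")[0]))                           # checksum stripped
```

Because the session ID is part of the HMAC input, a checksummed link copied from one user's session does not validate in another, which is the property that stops an attacker from forging links that set item values the page never offered.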
5.8.2.2.5 Browser Security
This table describes the attributes available under Browser Security.
Table 5-12 Browser Security
Tip:
Embed in Frames is enforced through the X-Frame-Options HTTP response header, and Cache through the HTTP caching headers; both require modern browsers that honor these headers.
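Because both attributes only take effect if the browser honors the headers APEX sends, a practitioner will want to confirm what a page actually returns. The following is an added audit helper, not APEX code: it parses a raw HTTP response and reports the effective framing and caching policy, including the case where a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options. The three sample responses are constructed, not captured from an APEX instance.

```python
from typing import Dict, List

# Constructed sample responses (not captured from a real APEX instance).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
)
OPEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Cache-Control: max-age=600\r\n"
    "\r\n"
)
CSP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a status line plus header block; keys lower-cased, repeated headers kept."""
    head = raw.split("\r\n\r\n", 1)[0] if "\r\n\r\n" in raw else raw
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_policy(headers: Dict[str, List[str]]) -> str:
    """Effective answer to 'may this page be embedded in a frame?'"""
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options.
    for csp in headers.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return "csp frame-ancestors: " + " ".join(parts[1:])
    values = {v.upper() for v in headers.get("x-frame-options", [])}
    if not values:
        return "allow (no X-Frame-Options or frame-ancestors)"
    if len(values) > 1:
        return "invalid (conflicting X-Frame-Options values; browser-dependent, fix the configuration)"
    value = values.pop()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "same-origin"
    return f"allow ({value} is not honoured by current browsers)"


def cache_policy(headers: Dict[str, List[str]]) -> str:
    """Effective answer to 'may the browser keep a copy of this page?'"""
    directives = set()
    for cc in headers.get("cache-control", []):
        directives |= {d.strip().split("=")[0].lower() for d in cc.split(",") if d.strip()}
    if "no-store" in directives:
        return "not stored"
    if "no-cache" in directives:
        return "stored but revalidated on every use"
    if not directives:
        return "cacheable (no Cache-Control; browser heuristics apply)"
    return "cacheable (" + ", ".join(sorted(directives)) + ")"


def audit(raw: str) -> Dict[str, str]:
    headers = parse_response_headers(raw)
    return {"framing": framing_policy(headers), "cache": cache_policy(headers)}


if __name__ == "__main__":
    for name, raw in [("hardened", HARDENED_RESPONSE), ("open", OPEN_RESPONSE), ("csp", CSP_RESPONSE)]:
        print(name, audit(raw))
```

Feed it the output of `curl -si` against an application page to see whether the Embed in Frames and Cache settings chosen on the Security page actually reach the browser; a reverse proxy that strips or rewrites headers will show up here as an "allow" or "cacheable" result despite the APEX setting.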
5.8.2.2.6 Database Session
This table describes the attributes available under Database Session.
Table 5-13 Database Session