20.1.2 Web Server Security Considerations

Review Oracle REST Data Services security considerations.

20.1.2.1 About Configuring Oracle REST Data Services with Oracle APEX

Oracle APEX requires access to the web server, Oracle REST Data Services.

Oracle REST Data Services (formerly known as Oracle APEX Listener) is a J2EE application that communicates with the Oracle Database by mapping browser requests to the APEX engine database over a SQL*Net connection. In a production environment, you deploy Oracle REST Data Services web archive files to a supported Java EE application server, such as Oracle WebLogic Server. Each deployment can be configured individually and serves the same purpose as a mod_plsql Database Access Descriptor, which is to communicate with an Oracle database.

An Oracle REST Data Services deployment configuration contains several security-related parameters. In a configuration for APEX, Oracle recommends setting the parameter security.requestValidationFunction to wwv_flow_epg_include_modules.authorize. This activates the white list of callable procedures that ships with APEX and prohibits calls to any other procedure. The white list can be extended using the validation functions shipped with APEX.
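The following audit check is an added example, not part of the Oracle documentation or of Oracle REST Data Services itself. It reports whether a deployment's effective security.requestValidationFunction matches the recommended value. It assumes the configuration is stored as Java XML properties (`<entry key="...">`) and that a pool-level value overrides the global defaults; the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PARAM = "security.requestValidationFunction"
RECOMMENDED = "wwv_flow_epg_include_modules.authorize"


def read_entries(xml_bytes):
    """Return {key: value} from a Java XML properties document."""
    root = ET.fromstring(xml_bytes)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}


def check_validation_function(pool_xml, defaults_xml=None):
    """Classify the effective setting for one deployment.

    Assumption: pool-level entries override the global defaults.
    Returns 'recommended', 'missing', or 'review' (some other function is
    configured, for example a custom wrapper, and needs a manual look).
    """
    effective = {}
    if defaults_xml:
        effective.update(read_entries(defaults_xml))
    effective.update(read_entries(pool_xml))
    value = effective.get(PARAM, "")
    if not value:
        return "missing"
    # PL/SQL identifiers are case-insensitive, so compare case-folded.
    if value.casefold() == RECOMMENDED:
        return "recommended"
    return "review"


# Constructed sample documents (not taken from a real deployment).
HEADER = (b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
          b'<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">\n')
DEFAULTS_OK = HEADER + (b'<properties><entry key="security.requestValidationFunction">'
                        b'WWV_FLOW_EPG_INCLUDE_MODULES.AUTHORIZE</entry></properties>')
POOL_PLAIN = HEADER + b'<properties><entry key="db.username">APEX_PUBLIC_USER</entry></properties>'
POOL_EMPTY = HEADER + (b'<properties><entry key="security.requestValidationFunction">'
                       b'</entry></properties>')
POOL_CUSTOM = HEADER + (b'<properties><entry key="security.requestValidationFunction">'
                        b'my_schema.my_authorize</entry></properties>')

if __name__ == "__main__":
    for name, pool in [("plain", POOL_PLAIN), ("empty", POOL_EMPTY), ("custom", POOL_CUSTOM)]:
        print(name, check_validation_function(pool, DEFAULTS_OK))
```

A `review` result is not necessarily a misconfiguration: it flags a function other than the recommended one, so confirm that it still enforces the APEX list of callable procedures.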