Use the Security page to set application-wide security settings.
Tip: Edit application components directly to manage more granular settings. To learn more about security best practices, see Managing Application Security.
Accessing the Security Page
Access the Security page from the Application home page.
To access the Security page:
- On the Workspace home page, click the App Builder icon.
- Select an application. The Application home page appears.
- From the Application home page, you can access the Security page in two ways:
  - Edit Application Definition button:
    Click Edit Application Definition to the right of the application name.
    Click the Security tab.
  - From Shared Components:
    Click Shared Components.
    Under Security, click Security Attributes.
    The Edit Security Attributes page appears.
- Edit the appropriate attributes.
- Click Apply Changes to save your changes.
Security Page
The Security page is divided into the following sections: Authentication, Authorization, Session Management, Session State Protection, Browser Security, and Database Session.
Use the Security page to set application-wide security settings. Edit application components directly to manage more granular settings.
Required values are marked with a red asterisk (*).
Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time.
Table 5-8 Authentication Attributes
|Attribute||Descriptions||To Learn More|
Identifies the Oracle schema (or user) used to connect to the database through the Database Access Descriptor (DAD). Once a user has been identified, the Oracle APEX engine keeps track of each user by setting the value of the built-in substitution string
If the current application user (
For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using
|See HOME_LINK and Understanding Conditional Rendering and Processing|
Identifies the current authentication method used by this application. The purpose of authentication is to determine the application user's identity. To create an authentication scheme, click Define Authentication Schemes.
|See How Authentication Works and Creating an Authentication Scheme|
Application authorization schemes control access to all pages within an application. Unauthorized access to the application, regardless of which page is requested, causes an error page to display.
Table 5-9 Authorization Attributes
Session Management
Use Session Management attributes to reduce exposure at the application level for abandoned computers with an open web browser.
Table 5-10 Session Management
Control at the application level whether URLs in this application contain session IDs. When Rejoin Sessions is enabled, APEX attempts to use the session cookie to join an existing session when a URL does not contain a session ID.
To use Rejoin Sessions at the application level, administrators must enable Rejoin Sessions at the instance level. A more restrictive instance-level setting overrides application and page settings.
Rejoin Sessions options include:
Warning: Enabling rejoin sessions may expose your application to possible security breaches, as it can enable attackers to take over existing end user sessions. To learn more, see About Rejoin Sessions.
Enables or prevents deep linking to an application. Options include:
For example, browsers often save the URLs of opened tabs and try to restore the sessions after a restart, causing a deep link. This behavior may be undesirable (for example, if a URL points to a page in the middle of a multi-step wizard). Selecting Disabled starts a new session and redirects to the application's home page.
|Maximum Session Length in Seconds||Defines how long (in seconds) sessions can exist and be used by this application.
|Session Timeout URL||
Enter an optional URL to redirect to when the maximum session lifetime has been exceeded. The target page in this URL, if implemented in APEX, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter
Only three substitution items are supported:
Because of the particular purpose of this URL, it is not necessary to include either
|Maximum Session Idle Time in Seconds||The Session Idle Time is the time between the last page request and the next page request. Options include:
|Session Idle Timeout URL||
Enter an optional URL to be redirected to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in APEX, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter
Only three substitution items are supported in this URL:
Because of the particular purpose of this URL, it is not necessary to include either
|Session Timeout Warning in Seconds||
The session timeout warning time defines (in seconds) how long before a session times out (either maximum session length, or maximum session idle time), to warn the user. For the maximum session idle time warning, the user will have the opportunity to extend the session. For maximum session length warning, the user will be prompted to save any work, to avoid loss of data when the session maximum time is reached.
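The interaction of the three timing attributes above, as an added example (a Python model written for this page, not Oracle APEX code): it takes the earlier of the two deadlines and reports whether a request falls inside the warning window. The names `SessionPolicy`, `session_status` and `replay`, the use of `None` for "no limit configured", and treating a request at exactly the deadline as expired are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SessionPolicy:
    max_length: Optional[int]  # Maximum Session Length in Seconds (None: no limit, an assumption)
    max_idle: Optional[int]    # Maximum Session Idle Time in Seconds (None: no limit, an assumption)
    warning: int               # Session Timeout Warning in Seconds

def session_status(policy, created, last_request, now):
    """Return (state, reason, seconds_left) for a session at time `now`.

    All times are seconds on one clock. `reason` names the deadline that
    is reached first: "length" or "idle".
    """
    deadlines = []
    if policy.max_length is not None:
        deadlines.append((created + policy.max_length, "length"))
    if policy.max_idle is not None:
        deadlines.append((last_request + policy.max_idle, "idle"))
    if not deadlines:
        return ("active", None, None)
    # On a tie the length limit wins: it cannot be extended.
    deadline, reason = min(deadlines, key=lambda d: (d[0], d[1] != "length"))
    left = deadline - now
    if left <= 0:
        return ("expired", reason, 0)
    if left <= policy.warning:
        # Idle warning: user may extend. Length warning: user should save work.
        return ("warn_extend" if reason == "idle" else "warn_save", reason, left)
    return ("active", reason, left)

def replay(policy, created, request_times):
    """Replay page requests in order; stop at the first one after expiry."""
    last, outcomes = created, []
    for t in request_times:
        state, reason, _ = session_status(policy, created, last, t)
        if state == "expired":
            outcomes.append((t, "rejected_" + reason))
            break
        outcomes.append((t, state))
        last = t  # an accepted page request restarts the idle clock
    return outcomes

# Constructed sample: 8 h maximum length, 1 h idle limit, 90 s warning.
POLICY = SessionPolicy(max_length=28800, max_idle=3600, warning=90)
TIMELINE = replay(POLICY, 0, [600, 4100, 7650, 11300])
```

Replaying real request timestamps against proposed values shows how often users would hit the idle limit before the settings are changed on the Security page.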
Session State Protection
Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. This table describes the attributes available under Session State Protection.
Table 5-11 Session State Protection
Browser Security
This table describes the attributes available under Browser Security.
Table 5-12 Browser Security
Both Cache and Embed in Frames require modern browsers that support the HTTP header response variable X-Frame-Options.
Database Session
This table describes the attributes available under Database Session.
Table 5-13 Database Session