5.10.2 Configuring Security Attributes
Use the Security page to set application-wide security settings.
Tip:
Edit application components directly to manage more granular settings. To learn more about security best practices, see Managing Application Security.
5.10.2.1 Accessing the Security Page
Access the Security page from the Application home page.
To access the Security page:
5.10.2.2 Security Page
The Security page is divided into the following sections: Authentication, Authorization, Session Management, Session State Protection, Browser Security, Database Session, and Advanced.
Use the Security page to set application-wide security settings. Edit application components directly to manage more granular settings.
Note:
Required values are marked with a red asterisk (*).
- Authentication
- Authorization
- Session Management
- Session State Protection
- Browser Security
- Database Session
- Advanced
5.10.2.2.1 Authentication
Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time.
Attribute | Description | To Learn More |
---|---|---|
Public User | Identifies the Oracle schema (or user) used to connect to the database through the Database Access Descriptor (DAD). Once a user has been identified, the Oracle APEX engine keeps track of each user by setting the value of the built-in substitution string When If the current application user ( For example, you can show a login button if the user is the public user and a logout link if the user is not the public user. Reference this value using | See HOME_LINK and Understanding Conditional Rendering and Processing |
Authentication Scheme | Identifies the current authentication method used by this application. The purpose of authentication is to determine the application user's identity. To create an authentication scheme, click Define Authentication Schemes. | See How Authentication Works and Creating an Authentication Scheme |
Configuration Procedure | Enter the name of a procedure that configures authentication at runtime. | See Using a Procedure to Configure Authentication at Runtime for an example. |
5.10.2.2.2 Authorization
Application authorization schemes control access to all pages within an application. Unauthorized access to the application, regardless of which page is requested, causes an error page to display.
5.10.2.2.3 Session Management
Use Session Management attributes to limit, at the application level, the exposure created by abandoned computers left with an open web browser: a session that is never closed stays usable by whoever next sits at that machine until it expires.
Attribute | Description |
---|---|
Rejoin Sessions | Controls at the application level whether URLs in this application must contain session IDs. When Rejoin Sessions is enabled and a URL does not contain a session ID, APEX attempts to use the session cookie to join an existing session. To use Rejoin Sessions at the application level, an administrator must first enable Rejoin Sessions at the instance level; a more restrictive instance-level setting overrides the application and page settings. Rejoin Sessions options include: Warning: Enabling Rejoin Sessions may expose your application to security breaches, because it can enable an attacker to take over an existing end user's session. To learn more, see About Rejoin Sessions. |
Deep Linking | Enables or prevents deep linking to an application. Options include: For example, browsers often save the URLs of open tabs and try to restore them after a restart, which causes a deep link. This behavior may be undesirable (for example, if a URL points to a page in the middle of a multi-step wizard). Selecting Disabled starts a new session and redirects to the application's home page. |
Session State Commits | Oracle APEX maintains session state both in PL/SQL global variables, for quick access, and in database tables. Use this attribute to configure when session state is written and committed to the database. Options include: In this context, session state includes item values and attributes of the session itself (for example, the idle timeout). Collections are also part of session state, but they are not affected by the Session State Commits attribute. |
Maximum Session Length in Seconds | Defines how long (in seconds) sessions can exist and be used by this application. |
Session Timeout URL | Enter an optional URL to redirect to when the maximum session lifetime has been exceeded. The target page in this URL, if implemented in APEX, should be a public page. A common use for this page is to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users see the message "Your session has timed out" and a link to the application home page. If you enter #LOGOUT_URL#, APEX executes a logout, just as when the user clicks the application's logout link. Only three substitution items are supported: Because of the particular purpose of this URL, it is not necessary to include either |
Maximum Session Idle Time in Seconds | The session idle time is the time between the last page request and the next page request. Options include: |
Session Idle Timeout URL | Enter an optional URL to redirect to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in APEX, should be a public page. A common use for this page is to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users see the message "Your session has timed out" and a link to the application home page. If you enter #LOGOUT_URL#, APEX executes a logout, just as it does for the Session Timeout URL. Only three substitution items are supported in this URL: Because of the particular purpose of this URL, it is not necessary to include either |
Session Timeout Warning in Seconds | Defines (in seconds) how long before a session times out, by reaching either the maximum session length or the maximum session idle time, the user is warned. For the idle-time warning, the user has the opportunity to extend the session. For the maximum-session-length warning, the user is prompted to save any work, to avoid losing data when the maximum session length is reached. |
See Also:
- About Utilizing Session Timeout
- Configuring Session Timeout for a Workspace and Configuring Session Timeout for an Instance in Oracle APEX Administration Guide
5.10.2.2.4 Session State Protection
Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. This table describes the attributes available under Session State Protection.
5.10.2.2.5 Browser Security
This table describes the attributes available under Browser Security.
Tip:
Both Cache and Embed in Frames are enforced by the browser, not by the APEX engine: Cache works through cache-control response headers, and Embed in Frames through the X-Frame-Options response header. A browser that ignores these headers receives no protection from either attribute, and any reverse proxy or HTTP Response Headers setting that rewrites them changes the effective behavior.
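Because both attributes are only as good as the headers the browser finally receives, it is worth checking a real page rather than trusting the attribute value. The following is an added example, not code from Oracle APEX or its documentation: it parses a raw response header block (what `curl -sI <page-url>` prints) and reports whether Cache and Embed in Frames are effectively enforced, including the case where a Content-Security-Policy frame-ancestors directive, which browsers honor in preference to X-Frame-Options, quietly overrides the APEX setting. The header blocks at the bottom are constructed for the example and the host in them is a placeholder.

```python
"""Check whether the Browser Security attributes Cache and Embed in Frames are
actually enforced by the HTTP response headers a page returns.

Added example for this page, not code from Oracle APEX or its documentation.
Feed it what `curl -sI <page-url>` prints; the header blocks at the bottom are
constructed by hand and the host in them is a placeholder.
"""
from __future__ import annotations


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw response header block into {lowercase name: [values]}.
    Repeated headers are kept as a list, since duplicates are exactly what a
    reverse proxy or the HTTP Response Headers attribute tends to add."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue  # status line or junk
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_embed_in_frames(headers: dict[str, list[str]]) -> tuple[bool, str]:
    """True if no foreign origin can frame the page (APEX Deny / same origin).
    CSP frame-ancestors takes precedence: browsers that support it ignore
    X-Frame-Options when both are present, so a permissive CSP added upstream
    silently overrides the APEX attribute."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if sources and all(s in ("'none'", "'self'") for s in sources):
                    return True, "CSP frame-ancestors " + " ".join(sources)
                return False, "CSP frame-ancestors permits: " + (" ".join(sources) or "(empty list)")
    values = [v.upper() for v in headers.get("x-frame-options", [])]
    if not values:
        return False, "no X-Frame-Options and no CSP frame-ancestors: any site can frame the page"
    if all(v in ("DENY", "SAMEORIGIN") for v in values):
        return True, "X-Frame-Options " + ", ".join(values)
    return False, f"X-Frame-Options {values} not DENY/SAMEORIGIN (ALLOW-FROM is unsupported)"


def check_cache(headers: dict[str, list[str]]) -> tuple[bool, str]:
    """True if the browser and proxies are told not to store the response.
    Only Cache-Control: no-store does that. no-cache merely forces revalidation
    and still lets the response be written to disk, and Pragma: no-cache has
    no defined meaning in a response."""
    directives = set()
    for value in headers.get("cache-control", []):
        for d in value.split(","):
            directives.add(d.strip().lower().split("=", 1)[0])
    if "no-store" in directives:
        return True, "Cache-Control: no-store"
    if "no-cache" in directives:
        return False, "Cache-Control: no-cache without no-store: response can still be stored"
    return False, "no Cache-Control restriction: response is cacheable"


def check_browser_security(raw_headers: str) -> dict[str, tuple[bool, str]]:
    """Map each Browser Security attribute to (enforced?, evidence)."""
    headers = parse_headers(raw_headers)
    return {"Cache": check_cache(headers), "Embed in Frames": check_embed_in_frames(headers)}


# Constructed samples, not captured from a real instance.
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: DENY
"""

# APEX says DENY, but a CSP (here, imagine one injected by a reverse proxy)
# lets a partner origin frame the page; in the browser the CSP wins.
CSP_OVERRIDES_XFO = """HTTP/1.1 200 OK
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors https://portal.example.com
"""

# Cache enabled and no framing protection at all.
WEAK = """HTTP/1.1 200 OK
Cache-Control: private, no-cache
"""

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("csp-override", CSP_OVERRIDES_XFO), ("weak", WEAK)):
        for attr, (ok, why) in check_browser_security(raw).items():
            print(f"{label:13}{attr:17}{'ok  ' if ok else 'FAIL'}  {why}")
```

Run it against the login page and against a page deep inside the application; the two can differ when a proxy rule matches only some paths. A FAIL on Cache for a page that shows personal data is the case the Cache attribute exists to prevent, and a CSP-override FAIL means the X-Frame-Options value set by Embed in Frames is not what the browser is enforcing.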
5.10.2.2.6 Database Session
This table describes the attributes available under Database Session.
5.10.2.2.7 Advanced
Attribute | Description |
---|---|
Runtime API Usage | Controls how this application can access Oracle APEX APIs that modify applications and workspace data while it is running. Available Runtime API Usage options include: |
Pass ECID | Enable the Pass ECID attribute to pass the Execution Context ID (with a request header named When Pass ECID is enabled: Tip: You can override Pass ECID either by configuring a specific REST Data Source in an application under Shared Components, REST Data Sources, YourDataSource, Advanced, Pass ECID, or by calling the |