20.1.2 Web Listener Security Considerations

Review security considerations when choosing a Web listener to run with Oracle Application Express.

See Also:

Choosing a Web Listener in Oracle Application Express Installation Guide

20.1.2.1 About Configuring Oracle REST Data Services with Oracle Application Express

Oracle recommends using Oracle REST Data Services with Oracle Application Express.

Oracle REST Data Services (formerly known as Oracle Application Express Listener) is a J2EE application which communicates with the Oracle Database by mapping browser requests to the Application Express engine in the database over a SQL*Net connection. Oracle REST Data Services is the strategic direction for Oracle Application Express and Oracle recommends using it in practically all circumstances. In a production environment, you deploy the Oracle REST Data Services web archive files to a supported Java EE application server, such as Oracle WebLogic Server. Each deployment can be configured individually and serves the same purpose as a mod_plsql Database Access Descriptor, which is to communicate with an Oracle database.

An Oracle REST Data Services deployment configuration contains several security-related parameters. In a configuration for Oracle Application Express, Oracle recommends setting the parameter security.requestValidationFunction to wwv_flow_epg_include_modules.authorize. This activates the whitelist of callable procedures which ships with Oracle Application Express and prohibits calls to any other procedure. The whitelist can be extended using the validation functions shipped with Oracle Application Express.

See Also:

"Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)" in Oracle Application Express Administration Guide

20.1.2.2 About Configuring Oracle HTTP Server with mod_plsql with Oracle Application Express

Because mod_plsql is deprecated as of Oracle HTTP Server 12c (12.1.3), Oracle recommends using Oracle REST Data Services.

Tip:

mod_plsql is deprecated as of Oracle HTTP Server 12c (12.1.3). For more information about this deprecation, please see My Oracle Support Note 1576588.1. Oracle recommends using Oracle REST Data Services instead.

Oracle HTTP Server uses the mod_plsql plug-in to communicate with the Oracle Application Express engine within the Oracle database. mod_plsql functions act as a communication broker between the web server and the Oracle Application Express engine in the Oracle database.

Each mod_plsql request is associated with a set of configuration values used to access the database called a Database Access Descriptor (DAD). mod_plsql provides a DAD parameter called PlsqlRequestValidationFunction which enables you to allow or disallow further processing of a requested procedure. You can utilize this parameter to implement tighter security for your PL/SQL application by blocking package and procedure calls which should not be allowed to run from the DAD. Oracle recommends a DAD configuration for Oracle Application Express which utilizes the PlsqlRequestValidationFunction directive with a value of wwv_flow_epg_include_modules.authorize.

The purpose of the PlsqlRequestValidationFunction parameter is to control which procedures can be invoked through mod_plsql. By default, the only procedures permitted are the public entry points of Oracle Application Express. This can be extended using the validation functions shipped with Oracle Application Express.
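Both the Oracle REST Data Services setting above and the mod_plsql DAD directive point the listener at the same shipped function, wwv_flow_epg_include_modules.authorize, and both sections note that its whitelist can be extended. The following is an added example, not code from this guide or from Oracle, of such a local extension; the hook name wwv_flow_epg_include_mod_local, its signature, its placement in the Application Express engine schema, and the allowed procedure names are assumptions based on the pattern documented in the Oracle Application Express Administration Guide.

```sql
-- Added example (not from the Oracle documentation): a deny-by-default
-- local extension of the procedure whitelist enforced by
-- wwv_flow_epg_include_modules.authorize.
-- ASSUMPTION: the hook name and signature follow the pattern in the APEX
-- Administration Guide and the function is created in the Application
-- Express engine schema. The procedure names below are constructed
-- placeholders for your own public entry points.
CREATE OR REPLACE FUNCTION wwv_flow_epg_include_mod_local (
    procedure_name IN VARCHAR2
) RETURN BOOLEAN
IS
    -- Only these additional procedures may be invoked through the
    -- listener, on top of the Application Express public entry points.
    TYPE t_names IS TABLE OF VARCHAR2(128);
    l_allowed CONSTANT t_names := t_names(
        'MY_APP.PUBLIC_DOWNLOAD',   -- placeholder: SCHEMA.PROCEDURE
        'MY_APP.PUBLIC_REPORT'      -- placeholder: SCHEMA.PROCEDURE
    );
    l_name VARCHAR2(128);
BEGIN
    -- Normalize the name passed by the listener so that case or
    -- surrounding whitespace in the URL cannot defeat the comparison.
    l_name := UPPER(TRIM(procedure_name));

    -- Require a schema-qualified name: an unqualified name could resolve
    -- through a synonym or the default schema to something unintended.
    IF l_name IS NULL OR INSTR(l_name, '.') = 0 THEN
        RETURN FALSE;
    END IF;

    -- Exact match against the allow list; partial matches are rejected.
    FOR i IN 1 .. l_allowed.COUNT LOOP
        IF l_name = l_allowed(i) THEN
            RETURN TRUE;
        END IF;
    END LOOP;

    -- Anything else remains blocked by the shipped whitelist.
    RETURN FALSE;
END wwv_flow_epg_include_mod_local;
/
```

Returning TRUE only for exact, schema-qualified matches keeps the shipped whitelist in force for every other request, which is the behaviour the request validation function is meant to guarantee.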

See Also:

"Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)" in Oracle Application Express Administration Guide

20.1.2.3 About Security Considerations When Using the Embedded PL/SQL Gateway

Oracle does not recommend the embedded PL/SQL gateway for applications running on the Internet.

The embedded PL/SQL gateway runs in the database as part of the Oracle XML DB HTTP listener. Together, the Oracle XML DB HTTP listener and the embedded PL/SQL gateway provide the equivalent core features of Oracle HTTP Server and mod_plsql. Because the HTTP listener runs in the same database where Oracle Application Express is installed, it is not possible to separate the HTTP listener from the database. For this reason, Oracle does not recommend the embedded PL/SQL gateway for applications that run on the Internet or for production applications. Oracle recommends using Oracle REST Data Services instead. Additionally, the embedded PL/SQL gateway does not provide the same flexibility of configuration and detailed logging as Oracle REST Data Services.