Configure security for all pages in an application on the Security page. Security attributes are divided into the categories: Authentication, Authorization, Session Management, Session State Protection, Browser Security, and Database Session.
Accessing the Security Page
To access the Security page:
- On the Workspace home page, click the App Builder icon.
- Select an application. The Application home page appears.
- From the Application home page, you can access the Security page in two ways:
  - From Shared Components: click Shared Components. Under Security, click Security Attributes.
  - From Edit Application Properties: click Edit Application Properties to the right of the application name, then click the Security tab.
  The Edit Security Attributes page appears.
- Edit the appropriate attributes.
- Click Apply Changes to save your changes.
Security Page
Use the Security page to set application-wide security settings. Edit application components directly to manage more granular settings.
Required values are marked with a red asterisk (*).
Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time.
Table 5-8 Authentication Attributes
Identifies the Oracle schema (or user) used to connect to the database through the Database Access Descriptor (DAD). Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string
If the current application user (
For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using
identifies the current authentication method used by this application. The purpose of authentication is to determine the application user's identity. To create an authentication scheme, click Define Authentication Schemes.
Application authorization schemes control access to all pages within an application. Unauthorized access to the application, regardless of which page is requested, causes an error page to display.
Table 5-9 Authorization Attributes
Session Management
Use Session Management attributes to reduce exposure at the application-level for abandoned computers with an open web browser.
Table 5-10 Session Management
Use this attribute to control at the application-level whether URLs in this application contain session IDs. When Rejoin Sessions is enabled, Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.
To use Rejoin Sessions at the application level, administrators must enable Rejoin Sessions at the instance level. A more restrictive instance-level setting overrides application and page settings.
Rejoin Sessions options include:
Warning: Enabling rejoin sessions may expose your application to possible security breaches, as it can enable attackers to take over existing end user sessions. To learn more, see "About Rejoin Sessions."
Enables or prevents deep linking to an application. Options include:
For example, browsers often save the URLs of opened tabs and try to restore the sessions after a restart, causing a deep link. This behavior may be undesirable (for example if a URL points to a page in the middle of a multi-step wizard). By selecting Disable, Application Express starts a new session and redirects to the application's home page.
Maximum Session Length in Seconds
Defines how long (in seconds) sessions can exist and be used by this application.
Session Timeout URL
Enter an optional URL to redirect to when the maximum session lifetime has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter #LOGOUT_URL#, Application Express will execute a logout, just like when the user clicked on the application's logout
Only three substitution items are supported:
Because of the particular purpose of this URL, it is not necessary to include either
Maximum Session Idle Time in Seconds
The Session Idle Time is the time between the last page request and the next page request. Options include:
Session Idle Timeout URL
Enter an optional URL to be redirected to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter
Only three substitution items are supported in this URL:
Because of the particular purpose of this URL, it is not necessary to include either
Session Timeout Warning in Seconds
The session timeout warning time defines (in seconds) how long before a session times out (either maximum session length, or maximum session idle time), to warn the user. For the maximum session idle time warning, the user will have the opportunity to extend the session. For maximum session length warning, the user will be prompted to save any work, to avoid loss of data when the session maximum time is reached.
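The three timers above (maximum session length, maximum idle time, and the warning window) interact: the idle clock restarts on every page request, the age clock never does, and the warning fires for whichever limit is nearer. The following Python is an added illustration of that logic, not code from Application Express; the names `SessionPolicy`, `evaluate_session` and `record_request` are invented here, and the timestamps are plain seconds for clarity.

```python
from dataclasses import dataclass
from enum import Enum


class SessionStatus(Enum):
    ACTIVE = "active"
    WARN_IDLE = "warn_idle"        # idle limit is near; the user may extend the session
    WARN_MAX = "warn_max"          # absolute limit is near; the user should save work
    EXPIRED_IDLE = "expired_idle"  # no request within Maximum Session Idle Time
    EXPIRED_MAX = "expired_max"    # session older than Maximum Session Length


@dataclass(frozen=True)
class SessionPolicy:
    """Hypothetical holder for the three attributes described on this page."""
    max_length: int  # Maximum Session Length in Seconds
    max_idle: int    # Maximum Session Idle Time in Seconds
    warning: int     # Session Timeout Warning in Seconds


def evaluate_session(policy: SessionPolicy, created_at: int,
                     last_request_at: int, now: int) -> SessionStatus:
    """Classify a session given when it was created and when it was last used."""
    age = now - created_at              # cannot be reset by activity
    idle = now - last_request_at        # reset by every page request

    # Hard limits first; the absolute limit wins if both are exceeded.
    if age >= policy.max_length:
        return SessionStatus.EXPIRED_MAX
    if idle >= policy.max_idle:
        return SessionStatus.EXPIRED_IDLE

    # Warning window: report the limit that will be hit first.
    to_max = policy.max_length - age
    to_idle = policy.max_idle - idle
    if to_max <= policy.warning and to_max <= to_idle:
        return SessionStatus.WARN_MAX
    if to_idle <= policy.warning:
        return SessionStatus.WARN_IDLE
    return SessionStatus.ACTIVE


def record_request(policy: SessionPolicy, created_at: int,
                   last_request_at: int, now: int):
    """Apply a page request. A usable session gets its idle clock restarted
    (returns the new last_request_at); an expired session returns None so the
    caller can redirect to the timeout URL instead of serving the page."""
    status = evaluate_session(policy, created_at, last_request_at, now)
    if status in (SessionStatus.EXPIRED_IDLE, SessionStatus.EXPIRED_MAX):
        return None
    return now


if __name__ == "__main__":
    # Constructed policy: one hour total, ten minutes idle, one minute warning.
    policy = SessionPolicy(max_length=3600, max_idle=600, warning=60)
    for t in (100, 550, 600):
        print(t, evaluate_session(policy, 0, 0, t).value)
```

Note that a request arriving at second 550 keeps the session alive (it returns the idle clock to zero), whereas an equally active session still expires at second 3600 because the age clock is never reset.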
Session State Protection
Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. This table describes the attributes available under Session State Protection.
Table 5-11 Session State Protection
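The general principle behind protecting URL-borne session state is to bind item values in a link to a keyed checksum so that an edited value no longer verifies. The Python below is an added, generic illustration of that principle using HMAC-SHA256; it is not Application Express's own checksum algorithm, and the parameter names `session`, `cs` and `P2_EMP_ID` are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed server-side secret; in practice this is generated and stored privately.
SECRET = b"example-secret-do-not-reuse"


def sign_items(secret: bytes, session_id: str, items: dict) -> str:
    """Checksum over the session ID and a canonical (sorted) rendering of the
    item name/value pairs, so neither reordering nor editing a value survives."""
    canonical = "\n".join(f"{name}={items[name]}" for name in sorted(items))
    message = f"{session_id}\n{canonical}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:32]


def build_url(secret: bytes, base: str, session_id: str, items: dict) -> str:
    """Emit a link carrying the item values, the session ID and the checksum."""
    query = dict(items)
    query["session"] = session_id
    query["cs"] = sign_items(secret, session_id, items)
    return f"{base}?{urlencode(query)}"


def verify_url(secret: bytes, url: str) -> bool:
    """Recompute the checksum from the received parameters and compare it in
    constant time. Any edit to an item value, the session ID or the checksum,
    or a missing checksum, causes the request to be rejected."""
    if "?" not in url:
        return False
    params = {k: v[0] for k, v in
              parse_qs(url.split("?", 1)[1], keep_blank_values=True).items()}
    received = params.pop("cs", None)
    session_id = params.pop("session", None)
    if received is None or session_id is None:
        return False
    expected = sign_items(secret, session_id, params)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    link = build_url(SECRET, "f", "1234567890", {"P2_EMP_ID": "7839"})
    print(link, verify_url(SECRET, link))
    tampered = link.replace("P2_EMP_ID=7839", "P2_EMP_ID=7566")
    print(tampered, verify_url(SECRET, tampered))
```

Because the session ID is part of the signed message, a valid link copied out of one session does not verify in another, which is the property that makes URL tampering and link replay detectable at the server rather than in the browser.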
Browser Security
This table describes the attributes available under Browser Security.
Table 5-12 Browser Security
Both Cache and Embed in Frames require modern browsers that support the X-Frame-Options HTTP response header.
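A quick way to confirm that the Embed in Frames setting actually reaches the browser is to inspect the response headers the application returns. The Python below is an added example, not part of this documentation; it parses a raw HTTP response head (constructed here) and reports the effective framing policy. It goes slightly beyond the page by also honouring a Content-Security-Policy `frame-ancestors` directive, which browsers apply in preference to X-Frame-Options when both are present.

```python
def parse_headers(raw: str) -> list:
    """Turn the head of an HTTP response into (lowercase-name, value) pairs.
    Stops at the blank line that separates headers from the body."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def frame_policy(raw_response: str) -> str:
    """Return 'deny', 'sameorigin', 'allow-listed' or 'none' for the response."""
    headers = parse_headers(raw_response)

    # CSP frame-ancestors takes precedence over X-Frame-Options.
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = {s.lower() for s in parts[1:]}
                if sources == {"'none'"}:
                    return "deny"
                if sources == {"'self'"}:
                    return "sameorigin"
                return "allow-listed"

    for name, value in headers:
        if name == "x-frame-options":
            value = value.upper()
            if value == "DENY":
                return "deny"
            if value == "SAMEORIGIN":
                return "sameorigin"
            # Any other value (including the obsolete ALLOW-FROM) is ignored
            # by current browsers, so it offers no protection.
            return "none"
    return "none"


# Constructed sample responses, as a defender would capture them with a proxy.
DENY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n<html>...</html>"
)
CSP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)
UNPROTECTED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("deny", DENY_RESPONSE), ("csp", CSP_RESPONSE),
                        ("open", UNPROTECTED_RESPONSE)):
        print(label, frame_policy(resp))
```

Running this against a page whose Embed in Frames attribute is set to deny framing should report `deny`; a `none` result means the header never left the server (a proxy or load balancer may be stripping it) and the clickjacking protection is not in effect.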
Database Session
This table describes the attributes available under Database Session.
Table 5-13 Database Session