5.8.2 Configuring Security Attributes

Use the Security page to set application-wide security settings.

Tip:

Edit application components directly to manage more granular settings. To learn more about security best practices, see Managing Application Security.

5.8.2.1 Accessing the Security Page

Access the Security page from the Application home page.

To access the Security page:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
    The Application home page appears.
  3. From the Application home page, you can access the Security page in two ways:
    • Edit Application Definition button:
      1. Click Edit Application Definition to the right of the application name.

      2. Click the Security tab.

    • From Shared Components:
      1. Click Shared Components.

      2. Under Security, click Security Attributes.

    The Edit Security Attributes page appears.

  4. Edit the appropriate attributes.
  5. Click Apply Changes to save your changes.

5.8.2.2 Security Page

The Security page is divided into the following sections: Authentication, Authorization, Session Management, Session State Protection, Browser Security, and Database Session.

Use the Security page to set application-wide security settings. Edit application components directly to manage more granular settings.

Note:

Required values are marked with a red asterisk (*).

5.8.2.2.1 Authentication

Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time.

Table 5-8 Authentication Attributes

Attribute Descriptions To Learn More
Public User

Identifies the Oracle schema (or user) used to connect to the database through the Database Access Descriptor (DAD). Once a user has been identified, the Oracle APEX engine keeps track of each user by setting the value of the built-in substitution string APP_USER.

When APP_USER equals this value, the APEX engine considers the current session to be a "public user" session. The APEX engine supports the following built-in display conditions:

  • USER_IS_PUBLIC_USER
  • USER_IS_NOT_PUBLIC_USER

If the current application user (APP_USER) equals the value of this attribute, then the user is logged on as a public user. Some applications have public (not logged in) and private (logged in) modes. By determining if the user is the public user, you can conditionally display or hide information.

For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using APEX_APPLICATION.G_PUBLIC_USER.

See HOME_LINK and Understanding Conditional Rendering and Processing
Authentication Scheme

Identifies the current authentication method used by this application. The purpose of authentication is to determine the application user's identity. To create an authentication scheme, click Define Authentication Schemes.

See How Authentication Works and Creating an Authentication Scheme

5.8.2.2.2 Authorization

Application authorization schemes control access to all pages within an application. Unauthorized access to the application, regardless of which page is requested, causes an error page to display.

Table 5-9 Authorization Attributes

Attribute Descriptions
Define Authorization Schemes

Click the Define Authorization Schemes button to create an authorization scheme.

Authorization Scheme

Specify an authorization scheme for your application. Application authorization schemes are defined for an application for the purpose of controlling access. Setting a required authorization scheme here at the application level will require all pages of the application to pass the defined authorization check.

Run on Public Pages

Controls whether the application-level authorization scheme is checked on public pages (that is, pages that do not require authorization). Options include:

  • On - If you select On and the page is public, the application authorization is checked.
  • Off - If you select Off and the page is public, the application authorization is ignored.

Note: This attribute is ignored if you select Must Not Be Public User as Authorization Scheme.

Source for Role or Group Schemes

Define what APEX should use as the source for authorization schemes of type Is In Role or Group. The available values are:

  • Access Control User Role Assignments - Enable the user's assigned roles (under Shared Components / Application Access Control).
  • Authentication Scheme - If the application's authentication scheme is APEX Accounts, enable the workspace user's assigned groups. If the application's authentication scheme is Database Accounts, database roles are checked when the authorization scheme is enabled. If the authentication scheme uses Real Application Security, enable RAS Dynamic Roles.
  • Custom Code - Call the procedure apex_authentication.enable_dynamic_groups in a Post-Authentication process, to populate dynamic groups.
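
One way to implement the Custom Code option, as an added example that is not from the original documentation. The table app_user_groups and the procedure name post_auth_enable_groups are hypothetical; apex_authentication.enable_dynamic_groups and its apex_t_varchar2 argument are the APEX API named above.

```sql
-- Added example. Hypothetical mapping table (an assumption, not part of APEX):
--   app_user_groups(user_name varchar2(255), group_name varchar2(255))
-- Assumed wiring: set Source for Role or Group Schemes to Custom Code and name
-- this procedure as the authentication scheme's post-authentication procedure.
create or replace procedure post_auth_enable_groups
is
    l_groups apex_t_varchar2;
begin
    -- Load only the groups mapped to the user who has just authenticated.
    -- The match is exact, so 'alice' and 'ALICE' are treated as different users.
    select g.group_name
      bulk collect into l_groups
      from app_user_groups g
     where g.user_name = v('APP_USER');

    -- A user with no mapping gets no dynamic groups, so every
    -- "Is In Role or Group" authorization scheme denies access.
    if l_groups.count = 0 then
        return;
    end if;

    -- Enable the groups for the current APEX session only.
    apex_authentication.enable_dynamic_groups(p_group_names => l_groups);
end post_auth_enable_groups;
/
```

Because the groups are computed on the database side from the authenticated APP_USER, nothing the browser sends can influence which groups are enabled.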

5.8.2.2.3 Session Management

Use Session Management attributes to reduce exposure at the application-level for abandoned computers with an open web browser.

Table 5-10 Session Management

Attribute Descriptions
Rejoin Sessions

Use this attribute to control at the application-level whether URLs in this application contain session IDs. When Rejoin Sessions is enabled, APEX attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.

To use Rejoin Sessions at the application-level, administrators must enable Rejoin Sessions at the instance-level. A more restrictive instance-level setting overrides application and page settings.

Rejoin Sessions options include:

  • Application Default - The application-level setting applies.
  • Disabled - If the URL does not contain a session ID, APEX creates a new session.
  • Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID, APEX attempts to utilize the existing session cookie established for that application. APEX only joins using the cookie when the session is not yet authenticated.
  • Enabled for All Sessions - If the URL does not contain a session ID, APEX attempts to utilize the existing session cookie established for that application, providing the following conditions are met:
    • Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level.
    • OR, the URL does not contain payload (a request parameter, clear cache or data value pairs).
    This option requires you set Embed In Frames to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs.

Warning: Enabling rejoin sessions may expose your application to possible security breaches, as it can enable attackers to take over existing end user sessions. To learn more, see About Rejoin Sessions.

Deep Linking

Enables or prevents deep linking to an application. Options include:

  • Enabled - The URL to a specific page ultimately redirects there, possibly after the user has logged in.
  • Disabled - If the URL does not contain a valid session ID, APEX starts a new session and redirects to the application's home page.

For example, browsers often save the URLs of opened tabs and try to restore the sessions after a restart, causing a deep link. This behavior may be undesirable (for example, if a URL points to a page in the middle of a multi-step wizard). When Disabled is selected, APEX starts a new session and redirects to the application's home page.

Maximum Session Length in Seconds

Defines how long (in seconds) sessions can exist and be used by this application.

  • Enter a positive integer to control how long a session can exist.
  • Enter 0 to have sessions exist indefinitely.
  • Leave the value empty in order to use the session duration defined at the workspace-level or the instance level.
Session Timeout URL

Enter an optional URL to redirect to when the maximum session lifetime has been exceeded. The target page in this URL, if implemented in APEX, should be a public page.

A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter #LOGOUT_URL#, APEX will execute a logout, just like when the user clicked on the application's logout link.

Only three substitution items are supported:

  • &APP_SESSION.
  • &SESSION.
  • &APP_ID.

Because of the particular purpose of this URL, it is not necessary to include either &APP_SESSION. or &SESSION. in the link.

Maximum Session Idle Time in Seconds

The Session Idle Time is the time between the last page request and the next page request. Options include:

  • Enter a positive integer to control the idle time for sessions used by this application.
  • Leave the value empty in order to use the idle time defined at the workspace level or the instance level.
Session Idle Timeout URL

Enter an optional URL to be redirected to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in APEX, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter #LOGOUT_URL#, APEX will execute a logout, just like when the user clicked on the application's logout link.

Only three substitution items are supported in this URL:

  • &APP_SESSION.
  • &SESSION.
  • &APP_ID.

Because of the particular purpose of this URL, it is not necessary to include either &APP_SESSION. or &SESSION. in the link.

Session Timeout Warning in Seconds

The session timeout warning time defines (in seconds) how long before a session times out (either maximum session length, or maximum session idle time), to warn the user. For the maximum session idle time warning, the user will have the opportunity to extend the session. For maximum session length warning, the user will be prompted to save any work, to avoid loss of data when the session maximum time is reached.

  • Enter a positive integer to control the session timeout warning time for sessions used by this application.
  • Enter 0 to switch off session timeout warnings for sessions used by this application.
  • Leave the value empty in order to use the warning time defined at the workspace-level or the instance-level.

5.8.2.2.4 Session State Protection

Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. This table describes the attributes available under Session State Protection.

Table 5-11 Session State Protection

Attribute Descriptions
Expire Bookmarks

Click Expire Bookmarks to reset the hidden application attribute (a checksum salt) at any time. Clicking this button causes any bookmarked URLs that contain previously generated checksums to fail when they are subsequently used to access the application.

Tip: You can also click Expire Bookmarks to change the Bookmark Hash Function to switch to a different algorithm for computing checksums.

Manage Session State Protection

Click Manage Session State Protection to configure Session State Protection.

Session State Protection

Make a selection from the Session State Protection list to enable or disable Session State Protection for your application. Selecting Enabled turns on session state protection controls defined at the page and item-level. To learn more, see field-level Help.

Allows URLS Created After

Lists the date and time after which bookmarked links are usable to access pages in this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application.

Bookmarks created before this date and time are not usable to access this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application. Bookmarks that do not contain checksums or bookmarks that contain checksums that are unnecessary are not affected by this attribute. Their usability is determined using other criteria. A hidden application attribute (a checksum salt) is used during the computation and later verification of checksums included in f?p= URLs generated during page rendering. Checksums are included when Session State Protection is enabled for the application. You can reset this checksum salt attribute at any time by clicking the Expire Bookmarks button.

Bookmark Hash Function

Used to create checksums for application-level and user-level checksums in bookmarkable URLs.

5.8.2.2.5 Browser Security

This table describes the attributes available under Browser Security.

Table 5-12 Browser Security

Attribute Descriptions
Cache

Use Cache to enable or disable browser caching of application page contents. If enabled, the browser saves the contents of pages for this application in its cache, both in memory and on disk. Typically when caching is enabled and the browser back button is clicked, the page is loaded from the cache instead of from the server. If disabled, the browser is instructed not to save application page contents and requests the latest page content from the server whenever the URL changes.

To avoid the possibility of saving sensitive data, Oracle recommends that this attribute be disabled. Otherwise, it is possible to go back in the browser history after a logout and see cached content from a previous session. Disabling the browser cache also prevents issues with pages that use partial page refreshes, such as is the case with interactive reports.

If this attribute is set to Disabled, APEX sends the HTTP header cache-control: no-store which instructs the browser to not cache the page contents on disk or in memory. Note that this feature requires modern browsers that support the HTTP header response variable cache-control.

Embed in Frames

Controls if a browser may display your application's pages within a frame. Available options include:

  • Deny - The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • Allow from same origin - The page can only be displayed in a frame on the same origin as the page itself.
  • Allow - The page can be displayed in any frame.

Displaying pages within frames can be misused with "clickjacking" attacks. In a "clickjacking" attack, the attacker uses multiple layers to trick a user into clicking a button or link on another page when they were intending to click the top level page. Thus, the attacker is hijacking clicks (or keystrokes) meant for their page and routing them to another page.

To learn more, see field-level Help.

HTML Escaping Mode

Defines how APEX escapes special characters. Options include:

  • Basic: Escape &, ", < and >
  • Extended: Escape &, ", <, >, ', / and non-ASCII characters if the database character set is not AL32UTF8
HTTP Response Headers

Enter additional application specific HTTP headers that APEX should send on each response and that it does not support in another way (for example, X-Frame-Options using the Embed in Frames attribute).

Example:

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

Tip:

Both Cache and Embed in Frames require modern browsers that support the HTTP header response variable X-Frame-Options.

5.8.2.2.6 Database Session

This table describes the attributes available under Database Session.

Table 5-13 Database Session

Attribute Descriptions
Parsing Schema

Specifies the schema that all SQL and PL/SQL in the application will be parsed as. You may use #OWNER# to reference this value in SQL queries and PL/SQL (for example, in a region or a process).

Initialization PL/SQL Code

Use this attribute to enter a PL/SQL block that sets a context for the database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the APP_USER value is established. The value of APP_USER (using :APP_USER or v('APP_USER')) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state before the initiation of the current page request. To view examples, see field-level Help.

Cleanup PL/SQL Code

Use this attribute to enter a PL/SQL block that runs at the end of page processing. It can be used to free or clean up resources that were used, like VPD contexts or database links. To view examples, see field-level Help.

Runtime API Usage

Control how this application can access APEX APIs that modify applications and workspace data while it is running. Options include:

  • Modify This Application: The application can modify itself.
  • Modify Other Applications: The application can change other applications in the workspace.
  • Modify Workspace Repository: The application can change workspace users and groups.
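
The Initialization PL/SQL Code and Cleanup PL/SQL Code attributes used as a pair to set and clear a VPD context, as an added example that is not from the original documentation. The names app_sec_ctx, app_sec_ctx_pkg, the ORDERS table and its owner_name column are hypothetical.

```sql
-- Added example. Hypothetical names: app_sec_ctx, app_sec_ctx_pkg, ORDERS, owner_name.
-- Only the package named in USING may write to the context.
create or replace context app_sec_ctx using app_sec_ctx_pkg;

create or replace package app_sec_ctx_pkg as
    procedure set_user(p_app_user in varchar2);
    procedure clear;
    function orders_predicate(p_schema in varchar2, p_object in varchar2)
        return varchar2;
end app_sec_ctx_pkg;
/
create or replace package body app_sec_ctx_pkg as
    procedure set_user(p_app_user in varchar2) is
    begin
        dbms_session.set_context(
            namespace => 'APP_SEC_CTX',
            attribute => 'APP_USER',
            value     => p_app_user);
    end set_user;

    procedure clear is
    begin
        -- Remove every attribute so a reused database session carries
        -- nothing over to the next request, which may belong to another user.
        dbms_session.clear_all_context('APP_SEC_CTX');
    end clear;

    -- VPD policy function: rows are visible only to their owner. If the
    -- context is unset, sys_context returns NULL and no row matches.
    function orders_predicate(p_schema in varchar2, p_object in varchar2)
        return varchar2 is
    begin
        return q'[owner_name = sys_context('APP_SEC_CTX', 'APP_USER')]';
    end orders_predicate;
end app_sec_ctx_pkg;
/
begin
    dbms_rls.add_policy(
        object_schema   => sys_context('userenv', 'current_schema'),
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_OWNER_ONLY',
        function_schema => sys_context('userenv', 'current_schema'),
        policy_function => 'APP_SEC_CTX_PKG.ORDERS_PREDICATE',
        statement_types => 'select,insert,update,delete',
        update_check    => true);
end;
/
-- Initialization PL/SQL Code:  app_sec_ctx_pkg.set_user(:APP_USER);
-- Cleanup PL/SQL Code:         app_sec_ctx_pkg.clear;
```

Creating the context requires the CREATE ANY CONTEXT privilege, and attaching the policy requires EXECUTE on DBMS_RLS.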