20.1.2 Web Listener Security Considerations
Review security considerations when choosing a Web listener to run with Oracle Application Express.
- About Configuring Oracle REST Data Services with Oracle Application Express
  Oracle recommends using Oracle REST Data Services with Oracle Application Express.
- About Configuring Oracle HTTP Server with mod_plsql with Oracle Application Express
  Because mod_plsql is deprecated as of Oracle HTTP Server 12c (12.1.3), Oracle recommends using Oracle REST Data Services.
- About Security Considerations When Using the Embedded PL/SQL Gateway
  Oracle does not recommend the embedded PL/SQL gateway for applications running on the Internet.
See Also:
"Choosing a Web Listener" in Oracle Application Express Installation Guide
20.1.2.1 About Configuring Oracle REST Data Services with Oracle Application Express
Oracle recommends using Oracle REST Data Services with Oracle Application Express.
Oracle REST Data Services (formerly known as Oracle Application Express Listener) is a J2EE application which communicates with the Oracle Database by mapping browser requests to the Application Express engine over a SQL*Net connection. Oracle REST Data Services is the strategic direction for Oracle Application Express and Oracle recommends using it in practically all circumstances. In a production environment, you deploy Oracle REST Data Services web archive files to a supported Java EE application server, like Oracle WebLogic Server. Each deployment can be configured individually and serves the same purpose as a mod_plsql Database Access Descriptor, which is to communicate with an Oracle database.
An Oracle REST Data Services deployment configuration contains several security related parameters. In a configuration for Oracle Application Express, Oracle recommends setting the parameter security.requestValidationFunction to wwv_flow_epg_include_modules.authorize. This activates the white list of callable procedures which ships with Oracle Application Express and prohibits calls to other procedures. The white list can be extended using the validation functions shipped with Oracle Application Express.
See Also:
"Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)" in Oracle Application Express Administration Guide
20.1.2.2 About Configuring Oracle HTTP Server with mod_plsql with Oracle Application Express
Because mod_plsql is deprecated as of Oracle HTTP Server 12c (12.1.3), Oracle recommends using Oracle REST Data Services.
Tip:
mod_plsql is deprecated as of Oracle HTTP Server 12c (12.1.3). For more information about this deprecation, please see My Oracle Support Note 1576588.1. Oracle recommends using Oracle REST Data Services instead.
Oracle HTTP Server uses the mod_plsql plug-in to communicate with the Oracle Application Express engine within the Oracle database. mod_plsql functions act as a communication broker between the web server and the Oracle Application Express engine in the Oracle database.
Each mod_plsql request is associated with a set of configuration values used to access the database called a Database Access Descriptor (DAD). mod_plsql provides a DAD parameter called PlsqlRequestValidationFunction which enables you to allow or disallow further processing of a requested procedure. You can utilize this parameter to implement tighter security for your PL/SQL application by blocking package and procedure calls which should not be allowed to run from the DAD. Oracle recommends a DAD configuration for Oracle Application Express which utilizes the PlsqlRequestValidationFunction directive with a value of wwv_flow_epg_include_modules.authorize.
The purpose of the PlsqlRequestValidationFunction parameter is to control which procedures can be invoked through mod_plsql. By default, the only procedures permitted are the public entry points of Oracle Application Express. This can be extended using the validation functions shipped with Oracle Application Express.
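Both the Oracle REST Data Services section and the mod_plsql section above say the shipped white list "can be extended". The following added example (not code from this page or from Oracle) shows the shape of that extension: the hook function wwv_flow_epg_include_mod_local, which wwv_flow_epg_include_modules.authorize consults for procedures not on the shipped list, is the one described in the Administration Guide section cited above; the allowed procedure name, the deny-by-default body and the assumption that it is compiled in the Oracle Application Express schema are this example's own.

```plsql
-- Hook consulted by wwv_flow_epg_include_modules.authorize for any procedure
-- that is not on the white list shipped with Oracle Application Express.
-- Returning FALSE keeps the request blocked; return TRUE only for procedures
-- you deliberately expose through the web listener. Assumed to be compiled in
-- the Oracle Application Express schema (version-specific; see the cited guide).
CREATE OR REPLACE FUNCTION wwv_flow_epg_include_mod_local (
    procedure_name IN VARCHAR2 )
RETURN BOOLEAN
IS
    -- Constructed allow list: one fully qualified, hypothetical entry point.
    -- Every name here becomes reachable by anyone who can reach the listener,
    -- so each entry is a public API surface: keep it exact, no wildcards.
    TYPE t_names IS TABLE OF VARCHAR2(128);
    c_allowed CONSTANT t_names := t_names(
        'MYAPP.PUBLIC_API.GET_STATUS' );   -- hypothetical procedure
    -- mod_plsql / ORDS hand over the name as typed in the URL, so normalize
    -- case and surrounding whitespace before comparing.
    l_name VARCHAR2(128) := UPPER(TRIM(procedure_name));
BEGIN
    FOR i IN 1 .. c_allowed.COUNT LOOP
        IF l_name = c_allowed(i) THEN
            RETURN TRUE;      -- explicitly permitted
        END IF;
    END LOOP;
    RETURN FALSE;             -- deny by default
END wwv_flow_epg_include_mod_local;
/
```

After recompiling, a request to any procedure outside both the shipped list and this function's list is rejected by the validation function; verify by requesting such a procedure through the listener and checking the listener log rather than by loosening the list.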
See Also:
"Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)" in Oracle Application Express Administration Guide
20.1.2.3 About Security Considerations When Using the Embedded PL/SQL Gateway
Oracle does not recommend the embedded PL/SQL gateway for applications running on the Internet.
The embedded PL/SQL gateway runs in the database as part of the Oracle XML DB HTTP listener. The Oracle XML DB HTTP listener and embedded PL/SQL gateway provide the equivalent core features of Oracle HTTP Server and mod_plsql. Because the HTTP listener runs in the same database where Oracle Application Express is installed, it is not possible to separate the HTTP listener from the database. For this reason, Oracle does not recommend the embedded PL/SQL gateway for applications that run on the Internet or for production applications. Oracle recommends using Oracle REST Data Services instead. Additionally, the embedded PL/SQL gateway does not provide the same flexibility of configuration and detailed logging as Oracle REST Data Services.