Configuring Security Attributes

7.9.2 Configuring Security Attributes

Configure security for all pages in an application on the Security page. Security attributes are divided into the categories: Authentication, Authorization, Session Management, Session State Protection, Browser Security, and Database Session.

See Also:

"Managing Application Security"

Parent topic: Managing Application Attributes

7.9.2.1 Accessing the Security Page

To access the Security page:

On the Workspace home page, click the App Builder icon.
Select an application.
The Application home page appears.
From the Application home page, you can access the Security page in two ways:
- From Shared Components:
  1. Click Shared Components.
  2. Under Security, click Security Attributes.
- Edit Application Properties button:
  1. Click Edit Application Properties to the right of the application name.
  2. Click the Security tab.
The Edit Security Attributes page appears.
Edit the appropriate attributes.
Click Apply Changes to save your changes.

Parent topic: Configuring Security Attributes

7.9.2.2 Security Page

Use the Security page to set application-wide security settings. Edit application components directly to manage more granular settings.

Note:

Required values are marked with a red asterisk (*).

Parent topic: Configuring Security Attributes

7.9.2.2.1 Authentication

Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time.

Table 7-8 Authentication Attributes

Attribute Descriptions To Learn More

Attribute	Descriptions	To Learn More
Public User	Identifies the Oracle schema (or user) used to connect to the database through the Database Access Descriptor (DAD). Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string `APP_USER`. When `APP_USER` equals this value, the Application Express engine considers the current session to be a "public user" sessionsession. The Application Express engine supports the following built-in display conditions: `USER_IS_PUBLIC_USER` `USER_IS_NOT_PUBLIC_USER` If the current application user (`APP_USER`) equals the value of this attribute, then the user is logged on as a public user. Some applications have public (not logged in) and private (logged in) modes. By determining if the user is the public user, you can conditionally display or hide information. For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using `APEX_APPLICATION.G_PUBLIC_USER`.	See "HOME_LINK" and "Understanding Conditional Rendering and Processing"
Authentication Scheme	identifies the current authentication method used by this application. The purpose of authentication is to determine the application users identity.To create an authentication scheme, click Define Authentication Schemes.	See "How Authentication Works" and "Creating an Authentication Scheme"

Public User

Identifies the Oracle schema (or user) used to connect to the database through the Database Access Descriptor (DAD). Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string APP_USER.

When APP_USER equals this value, the Application Express engine considers the current session to be a "public user" sessionsession. The Application Express engine supports the following built-in display conditions:

USER_IS_PUBLIC_USER
USER_IS_NOT_PUBLIC_USER

If the current application user (APP_USER) equals the value of this attribute, then the user is logged on as a public user. Some applications have public (not logged in) and private (logged in) modes. By determining if the user is the public user, you can conditionally display or hide information.

For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using APEX_APPLICATION.G_PUBLIC_USER.

See "HOME_LINK" and "Understanding Conditional Rendering and Processing"

Authentication Scheme

identifies the current authentication method used by this application. The purpose of authentication is to determine the application users identity.To create an authentication scheme, click Define Authentication Schemes.

See "How Authentication Works" and "Creating an Authentication Scheme"

Parent topic: Security Page

7.9.2.2.2 Authorization

Application authorization schemes control access to all pages within an application. Unauthorized access to the application, regardless of which page is requested, causes an error page to display.

Table 7-9 Authorization Attributes

Attribute	Descriptions
Define Authorization Schemes	Click the Define Authorization Schemesbutton to create an authorization scheme.
Authorization Scheme	Specify an authorization scheme for your application. Application authorization schemes are defined for an application for the purpose of controlling access. Setting a required authorization scheme here at the application level will require all pages of the application to pass the defined authorization check.
Run on Public Pages	Controls whether the application-level authorization scheme is checked on public pages (that is, pages that do not require authorization). Options include: On - If you select On and the page is public, the application authorization is checked. Off - If you select Off and the page is public, the application authorization is ignored. Note: This attribute is ignored if you select Must Not Be Public User as Authorization Scheme.
Source for Role or Group Schemes	Define what Application Express should use as the source for authorization schemes of type Is In Role or Group. The available values are: Access Control User Role Assignments - Enable the user's assigned roles (under Shared Components / Application Access Control). Authentication Scheme - If the application's authentication scheme is Application Express Accounts, enable the workspace user's assigned groups. If the application's authentication scheme is Database Accounts, database roles are checked when the authorization scheme is enabled. If the authentication scheme uses Real Application Security, enable RAS Dynamic Roles. Custom Code - Call the procedure apex_authentication.enable_dynamic_groups in a Post-Authentication process, to populate dynamic groups.

Parent topic: Security Page

7.9.2.2.3 Session Management

Use Session Management attributes to reduce exposure at the application-level for abandoned computers with an open web browser.

Table 7-10 Session Management

Attribute	Descriptions
Rejoin Sessions	Use this attribute to control at the application-level whether URLs in this application contain session IDs. When Rejoin Sessions is enabled, Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID. To use Rejoin Sessions at the applicaion-level, administrators must enable Rejoin Sessions at the instance-level. A more restrictive instance-level setting overrides application and page settings. Rejoin Sessions options include: Application Default - The application-level setting applies. Disabled - If the URL does not contain a session ID Application Express creates a new session. Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID, Application Express attempts to utilize the existing session cookie established for that application. Application Express only joins using the cookie when the session is not yet authenticated. Enabled for All Sessions - If the URL does not contain a session ID, Application Express attempts to utilize the existing session cookie established for that application, providing the following conditions are met: Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level. OR, the URL does not contain payload (a request parameter, clear cache or data value pairs). This option requires you set Embed In Frames to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs. Warning: Enabling rejoin sessions may expose your application to possible security breaches, as it can enable attackers to take over existing end user sessions. To learn more, see "About Rejoin Sessions." See Also: "Session Management" to configure Rejoin Sessions at the application-level. "Configuring Rejoin Sessions for an Instance" in Oracle Application Express Administration Guide
Deep Linking	Enable or prevents deep linking to an application. Options include: Enabled - The URL to a specific page ultimately redirects there, possibly after the user has logged in. Disabled - If the URL does not contain a valid session ID, Application Express starts a new session and redirects to the application's home page. For example, browsers often save the URLs of opened tabs and try to restore the sessions after a restart, causing a deep link. This behavior may be undesirable (for example if a URL points to a page in the middle of a multi-step wizard). By selecting Disable, Application Express starts a new session and redirects to the application's home page.
Maximum Session Length in Seconds	Defines how long (in seconds) sessions can exist and be used by this application. Enter a positive integer to control how long a session can exist. Enter 0 to have sessions exist indefinitely. Leave the value empty in order to use the session duration defined at the workspace-level or the instance level.
Session Timeout URL	Enter an optional URL to redirect to when the maximum session lifetime has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter `#LOGOUT_URL#`, Application Express will execute a logout, just like when the user clicked on the application's logout link. Only three substitution items are supported: `&APP_SESSION.` `&SESSION.` `&APP_ID.` Because of the particular purpose of this URL. it is not necessary to include either `&APP_SESSION.` or `&SESSION.` in the link.
Maximum Session Idle Time in Seconds	The Session Idle Time is the time between the last page request and the next page request. Options include: Enter a positive integer to control the idle time for sessions used by this application. Leave the value empty in order to use the idle time defined at the workspace level or the instance level.
Session Idle Timeout URL	Enter an optional URL to be redirected to when the maximum session idle time has been exceeded. The target page in this URL, if implemented in Application Express, should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If you do not enter a URL, users will see the message "Your session has timed out" and a link to the application home page. If you enter `#LOGOUT_URL#`, Application Express will execute a logout, just like when the user clicked on the application's logout link.. Only three substitution items are supported in this URL: `&APP_SESSION.` `&SESSION.` `&APP_ID.` Because of the particular purpose of this URL, it is not necessary to include either `&APP_SESSION.` or `&SESSION`. in the link.
Session Timeout Warning in Seconds	The session timeout warning time defines (in seconds) how long before a session times out (either maximum session length, or maximum session idle time), to warn the user. For the maximum session idle time warning, the user will have the opportunity to extend the session. For maximum session length warning, the user will be prompted to save any work, to avoid loss of data when the session maximum time is reached. Enter a positive integer to control the session timeout warning time for sessions used by this application. Enter `0` to switch off session timeout warnings for sessions used by this application. Leave the value empty in order to use the warning time defined at the workspace-level or the instance-level.

See Also:

"About Utilizing Session Timeout"
"Configuring Session Timeout for a Workspace" and "Configuring Session Timeout for an Instance" in Oracle Application Express Administration Guide

Parent topic: Security Page

7.9.2.2.4 Session State Protection

Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. This table describes the attributes available under Session State Protection.

Table 7-11 Session State Protection

Attribute	Descriptions
Expire Bookmarks	Click Expire Bookmarks to reset this hidden application attribute (a checksum salt) salt attribute at any time. Clicking this button causes any bookmarked URLs that contain previously generated checksums to fail when they are subsequently used to access the application. Tip: You can also click Expire Bookmarks to change the Bookmark Hash Function to switch to a different algorithm for computing checksums.
Manage Session State Protection	Click Manage Session State Protection to configure Session State Protection.
Session State Protection	Make a selection from the Session State Protection list, to enable or disable Session State Protection for your application. Selecting Enabled turns on session state protection controls defined at the page and item-level. To learn more, see field-level Help.
Allows URLS Created After	Lists the date and time after which bookmarked links are usable to access pages in this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application. Bookmarks created before this date and time are not usable to access this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application. Bookmarks that do not contain checksums or bookmarks that contain checksums that are unnecessary are not affected by this attribute. Their usability is determined using other criteria. A hidden application attribute (a checksum salt) is used during the computation and later verification of checksums included in f?p= URLs generated during page rendering. Checksums are included when Session State Protection is enabled for the application. You can reset this checksum salt attribute at any time by clicking the Expire Bookmarks button.
Bookmark Hash Function	Used to create checksums for application-level and user-level checksums in bookmarkable URLs.

See Also:

"Preventing URL Tampering"

Parent topic: Security Page

7.9.2.2.5 Browser Security

This table describes the attributes available under Browser Security.

Table 7-12 Browser Security

Attribute	Descriptions
Cache	Use Cache to enable or disable browser caching of application page contents. If enabled, the browser saves the contents of pages for this application in its cache, both in memory and on disk. Typically when caching is enabled and the browser back button is clicked, the page is loaded from the cache instead of from the server. If disabled, the browser is instructed not to save application page contents and requests the latest page content from the server whenever the URL changes. To avoid the possibility of saving sensitive data, Oracle recommends that this attribute be disabled. Otherwise, it is possible to go back in the browser history after a logout and see cached content from a previous session. Disabling the browser cache also prevents issues with pages that use partial page refreshes, such as is the case with interactive reports. If this attribute is set to Disabled, Application Express sends the HTTP header `cache-control: no-store` which instructs the browser to not cache the page contents on disk or in memory. Note that this feature requires modern browsers that support the HTTP header response variable cache-control.
Embed in Frames	Controls if a browser may display your application's pages within a frame. Available options include: Deny - The page cannot be displayed in a frame, regardless of the site attempting to do so. Allow from same origin - The page can only be displayed in a frame on the same origin as the page itself. Allow - The page can be displayed in any frame. Displaying pages within frames can be misused with "clickjacking" attacks. In a “clickjacking” attack, the attacker uses multiple layers to trick a user into clicking a button or link on another page when they were intending to click the top level page. Thus, the attacker is hijacking clicks (or keystrokes) meant for their page and routing them to another page. To learn more, see field-level Help.
HTML Escaping Mode	Defines how Oracle Application Express escapes special characters. Options include: Basic: Escape `&`, `"`, `<` and `>` Extended: Escape `&`, `"`, `<`, `>`, `'`, `/` and non-ASCII characters if the database character set is not `AL32UTF8`
HTTP Response Headers	Enter additional application specific HTTP headers that Oracle Application Express should send on each response and that it does not support in another way (for example, `X-Frame-Options` using the Embed in Frames attribute). Example: `X-XSS-Protection: 1; mode=block` `X-Content-Type-Options: nosniff`

Tip:

Both Cache and Embed in Frames require modern browsers that support the HTTP header response variable X-Frame-Options.

Parent topic: Security Page

7.9.2.2.6 Database Session

This table describes the attributes available under Database Session.

Table 7-13 Database Session

Attribute	Descriptions
Parsing Schema	Specifies the schema that all SQL and PL/SQL in the application will be parsed as. You may use `#OWNER#` to reference this value in SQL queries and PL/SQL (for example, in a region or a process).
Initialization PL/SQL Code	Use this attribute to enter a PL/SQL block that sets a context for the database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the `APP_USER` value is established. The value of `APP_USER` (using :`APP_USER` or `v`('`APP_USER`')) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state before the initiation of the current page request. To view examples, see field-level Help.
Cleanup PL/SQL Code	Use this attribute to enter a PL/SQL block that runs at the end of page processing. It can be used to free or clean up resources that were used, like VPD contexts or database links. To view examples, see field-level Help.
Runtime API Usage	Control how this application can access Oracle Application Express APIs that modify applications and workspace data, while it is running. Options include: Modify This Application: The application can modify itself. Modify Other Applications: The application can change other applications in the workspace. Modify Workspace Repository: The application can change workspace users and groups.

Parent topic: Security Page