1. Administration Guide
  2. Oracle Application Express Administration Services
  3. Managing Instance Settings
  4. Configuring Security
  5. Configuring Service-level Security Settings

3.3.2.1 Configuring Service-level Security Settings

Instance administrators can configure service-level security in Manage Instance, Security, Security Settings, Security.

Note:

To ensure the security and performance of your development environment, this functionality is not available in Application Express instances running in Oracle Cloud.

Service-level security includes configuring login controls, controlling file upload capability, restricting access by IP address, configuring a proxy server for an instance, controlling support for URLs containing session IDs, and controlling how Oracle Application Express displays the results of unhandled errors.

Parent topic: Configuring Security

3.3.2.1.1 Controlling Workspace Cookies

Determine if Application Express saves persistent cookies in the browser

Application Express uses the following persistent cookies:

  • ORA_WWV_REMEMBER_UN - The development environment login page stores the Workspace and Username data in this cookie. It is used to populate these attributes with default values, when you log in again.

  • LOGIN_USERNAME_COOKIE - Customer application login pages use this cookie to store the Username. It is used to populate the attribute with a default value, when customers log in again.

  • ORA_WWV_REMEMBER_LANG - When using language selection in the development environment and Websheets, Application Express stores the language and territory in this cookie. It is used to automatically show the application in the selected language when the application is used next time.

If your system has received cookies, you can physically remove it from its persistent location on disk using browser tools or system utilities.

To configure if Application Express to saves persistent cookies:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. For Set Workspace Cookie, select one of the following:

    • Yes - Enables Application Express to save persistent cookies in the browser.

    • No - Prevents persistent cookies from being sent.
  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

3.3.2.1.2 Disabling Access to Oracle Application Express Administration Services

Prevent a user from logging in to Oracle Application Express Administration Services.

Instance administrators can prevent a user from logging in to Oracle Application Express Administration Services. Disabling administrator login in production environments prevents unauthorized users from accessing Application Express Administration Services and possibly compromising other user login credentials.

To disable user access to Oracle Application Express Administration Services:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. For Disable Administrator Login, select Yes.

    Note:

    Selecting Yes and signing out prevents anyone from accessing Oracle Application Express Administration Services.

  6. Click Apply Changes.

See Also:

"Enabling Access to Oracle Application Express Administration Services"

Parent topic: Configuring Service-level Security Settings

3.3.2.1.3 Enabling Access to Oracle Application Express Administration Services

If access to Oracle Application Express Administration Services has been disabled, an Instance administrator can re-enable again by running the following SQL statements.

To enable user access to Oracle Application Express Administration Services if it has been disabled:

  1. Connect in SQL*Plus and connect to the database where Oracle Application Express is installed as SYS, for example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password

    • On UNIX and Linux:

      $ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password
  2. Run the following statement:
    ALTER SESSION SET CURRENT_SCHEMA = APEX_200200;
  3. Run the following statement:
    BEGIN
  APEX_INSTANCE_ADMIN.SET_PARAMETER('DISABLE_ADMIN_LOGIN', 'N');
  commit;
END;
/

Parent topic: Configuring Service-level Security Settings

3.3.2.1.4 Disabling Workspace Login Access

Restrict user access to Application Express by disabling workspace login. Disabling workspace login in production environments prevents users from running Application Express applications such as App Builder.

To disable user access to the Internal workspace:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Disable Workspace Login, select Yes.

    Selecting Yes effectively sets a Runtime-Only environment while still allowing Instance administrators to sign in to Administration Services. Selecting Yes in production environments prevents developers from changing applications or data.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

3.3.2.1.5 Controlling Public File Upload

Use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload controls.

To control file upload:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Allow Public File Upload, select one of the following:

    • Yes - Enables unauthenticated users to upload files in applications that provide file upload controls.

    • No - Prevents unauthenticated users from uploading files in applications that provide file upload controls.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

3.3.2.1.6 Restricting User Access by IP Address

Restrict user access to an Oracle Application Express instance by specifying a comma-delimited list of allowable IP addresses.

To restrict user access by IP address:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. For Disable Administrator Login, select No.
  6. In Restrict Access by IP Address, enter a comma-delimited list of allowable IP addresses. Use an asterisk (*) to specify a wildcard.

    You can enter IP addresses from one to four levels. For example:

    141, 141.* ...
192.128.23.1 ...

    Note:

    When using wildcards, do not include additional numeric values after wildcard characters. For example, 138.*.41.2.

  7. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

3.3.2.1.7 Configuring a Proxy Server for an Instance

Configure an entire Oracle Application Express instance to use a proxy for all outbound HTTP traffic.

Setting a proxy at the instance-level supersedes any proxies defined at the application-level or in web service references. If a proxy is specified, regions of type URL, Web services, and report printing will use the proxy.

To configure a proxy for an Oracle Application Express instance:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. In Instance Proxy, enter the address and port of the proxy to be used for the entire instance. In No Proxy Domains, enter a list of domains, for which the proxy server should not be used.
  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

3.3.2.1.8 Selecting a Checksum Hash Function

Select a hash function that Application Express uses to generate one way hash strings for checksums.

The Checksum Hash Function attribute enables you to react to recent developments and switch between algorithms based on new research. Use the Checksum Hash Function attribute to select a hash function that Oracle Application Express uses to generate one way hash strings for checksums. This attribute is also the default value for the Security Bookmark Hash Function attribute in new applications. Applications use the Bookmark Hash Function when defining bookmark URLs.

Tip:

Changing the Checksum Hash Function does not change the Bookmark Hash Function currently defined for existing applications because this would invalidate all existing bookmarks saved by end users. Oracle strongly recommends going into existing applications, expiring existing bookmarks, and then updating the Bookmark Hash Function to the same value defined for Checksum Hash Function.

To select a checksum hash function:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Checksum Hash Function, select a hash function that Application Express uses to generate one way hash strings for checksums.

    The SHA-2 algorithms are only supported on Oracle Database 12c or later. Most Secure automatically selects the most secure algorithm available. Therefore, Oracle recommends this setting. On Oracle Database 12c or later, this evaluates to SHA-2, 512 bit and on Oracle Database 11g, SHA-1 is the most secure algorithm. Since the MD5 algorithm is deprecated, Oracle does not recommend this setting.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings

3.3.2.1.9 Configuring Rejoin Sessions for an Instance

Controls at the application-level if whether URLs in this application contain session IDs.

By configuring the Rejoin Sessions attribute, Instance administrators can control if Oracle Application Express supports URLs that contain session IDs. When Rejoin Sessions is enabled, Oracle Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.

To use Rejoin Sessions at the applicaion or page-level, an administrator must enable Rejoin Sessions at the instance-level. A more restrictive instance-level setting overrides application and page settings.

Warning:

For security reasons, Oracles recommends that administrators disable support for session joining unless they implement workspace isolation by configuring the Allow Hostname attributes. See "Isolating a Workspace to Prevent Browser Attacks" and "Isolating All Workspaces in an Instance."

Note:

Enabling rejoin sessions may expose your application to possible security breaches by enabling attackers to take over existing end user sessions. To learn more, see "About Rejoin Sessions" in Oracle Application Express App Builder User’s Guide.

To configure Rejoin Sessions:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Rejoin Sessions, select an option:
    • Disabled - If the URL does not contain a session ID, Oracle Application Express creates a new session.
    • Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID Application Express attempts to utilize the existing session cookie established for that application. For applications with both public and authenticated pages, a session ID is defined after the end user authenticates. Application Express only joins via the cookie when the session is not yet authenticated.
    • Enabled for All Sessions - If the URL does not contain a session ID, Oracle Application Express attempts to use the existing session cookie established for that application, providing one of the following conditions are met:

      • Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level.

      • The URL does not contain payload (a request parameter, clear cache or data value pairs). This setting requires that Embed In Frames is set to Allow from same origin or to Deny for the application.

      Enabled for All Sessions requires that Embed in Frames is set to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs.

  6. Click Apply Changes.

See Also:

Parent topic: Configuring Service-level Security Settings

3.3.2.1.10 Configuring Unhandled Errors

Control how Oracle Application Express displays the results of unhandled errors

When Oracle Application Express encounters an unhandled error during processing, an error page displays to the end user of the application. From a security standpoint, it is often better to not display these messages and error codes to the end user and simply return a HTTP 400 (Bad Request) error code to the client browser.

To configure Unhandled Errors:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate the Security section.
  5. From Unhandled Errors, select an option:

    • Show Error Page - This is the default behavior. For any error or exception which is not handled by the error processing of an application, an error page displays to the end user with the specific error and the error code.

    • Return HTTP 400 - Returns an HTTP 400 status to the end user's client browser when the Application Express engine encounters an unhandled error.

  6. Click Apply Changes.

Parent topic: Configuring Service-level Security Settings