Skip to main content

Securing Oracle APEX Applications

 

Overview

Oracle APEX is Oracle low-code development platform that enables developers to build secure, scalable, and data-driven web applications on top of the Oracle Database.

Security is a critical aspect of any enterprise application.Oracle APEX provides many security features to help protect applications.

Why Security is Important

Oracle APEX applications are accessible through web browsers and contain sensitive business data. As a result, they can become targets for unauthorized access, if proper security measures are not implemented. Therefore, it is essential to utilize Oracle APEX security features to protect application data, control user access and reduce security risks.

 In this article, we will explore the key security features available in Oracle APEX and how they can be used to enhance application security.

Navigating to Security Settings

To access security settings in Oracle APEX:

1.        Log in to Oracle APEX.

2.        Open App Builder.

3.        Select your application.

4.        Click Shared Components.

Security Options

Security Components

Security Attributes

Authentication Schemes

Authorization Schemes

Application Access Control

Session State Protection

 

Figure-1

Understanding Security Attributes

Security Attributes contains application-wide security settings. When you open Security Attributes, Oracle APEX displays the following categories:

          Authentication

          Authorization

          Session Management

          Session State Protection

          Browser Security

          Database Session

          Advanced

 

Figure-2

These settings control the security behavior of the application.

  a)    Authentication

Authentication Schemes define how users log in to the application. Oracle APEX supports multiple authentication methods.

 b) Authorization

Authorization Schemes define what authenticated users can access within the application. Authorization can be applied to pages, regions, buttons, items, navigation menus, and processes.

 c) Session Management

Session Management controls user session behavior, including rejoin rules, deep linking, and session length and idle timeouts.

Session Management protects applications by controlling user sessions and inactivity timeouts.

Navigate:

Security Attributes: Session Management

The Available Settings

Rejoin Sessions — controls whether a user can resume an existing session using a session ID in the URL (rather than starting a brand-new session each time):

  • Disabled – Rejoin is not allowed; if the session ID doesn't match an active session tied to that login, the user is forced to start a new session.
  • Enabled for Public Sessions – Only unauthenticated (public) sessions can be rejoined via the URL's session ID.
  • Enabled for All Sessions – Both public and authenticated sessions can be rejoined.

 

Figure-3

Deep Linking

Controls whether a URL can take a user straight to a specific page (bypassing the standard login and navigation process):

  • Enabled – Users can jump directly to a shared page URL; if not authenticated, APEX will authenticate them first and then redirect to that page.
  • Disabled – Direct page URLs are not honored; users are redirected to the application's home page instead, regardless of which page link they used.

Figure-4
Maximum Session Length in Seconds

Defines the total lifetime of a session regardless of activity.

Figure-5
Maximum Session Idle Time in Seconds

Defines how long a session can remain inactive before expiration.

Figure-6
The recommended timeout may vary depending on organizational security policies. such as a user is automatically logged out after 60 minutes (3600 seconds) of inactivity.

 Advantage

          Reduces risk of unauthorized access.

          Protects unattended sessions.

 d) Session State Protection

Session State Protection (SSP) helps prevent URL tampering and unauthorized manipulation of page item values by using checksums and validation mechanisms.

Figure-7

f) Browser Security

Oracle APEX provides Browser Security settings under Security Attributes. These settings help protect applications against common web-based attacks

       Cache — controls whether the browser is allowed to cache (store locally)    pages from the application.

  • Disabled (shown) – Browser caching is turned off, so every page request goes back to the server. This prevents sensitive data from lingering in browser cache/history, especially important on shared or public computers.

Embed in Frames — controls whether the application can be loaded inside an <iframe> on another site.

  • Deny (shown) – The application cannot be embedded in a frame at all. This protects against clickjacking attacks, where an attacker overlays your app inside an invisible frame on a malicious page to trick users into clicking something unintended.

Referrer Policy — controls how much information the browser sends in the Referer header when users navigate away from your app to another site.

  • strict-origin (shown) – Only the origin (scheme + domain, e.g., https://abcapp.com  is sent, and only when both sites use HTTPS; no path or query string details are leaked. This avoids exposing sensitive URL contents (like session tokens or query parameters) to external sites.

HTML Escaping Mode — controls how aggressively APEX escapes (encodes) special characters before displaying user-supplied data on a page.

  • Extended (shown) – Applies more thorough escaping than the basic mode, which provides stronger protection against Cross-Site Scripting (XSS) attacks where an attacker tries to inject malicious HTML/JavaScript through input fields.

Figure-8

These protections improve application security when accessed through modern web browsers.

 Web application security vulnerabilities

Oracle APEX helps protect against it through bind variables, Session State Protection, and secure PL/SQL coding practices.

 Secure Query

SELECT *

FROM employees

WHERE emp_id = :P1_EMP_ID;

Insecure Query

SELECT *

FROM employees

WHERE emp_id = '' || :P1_EMP_ID;

 We Suggest:

          Always use bind variables.

          Avoid SQL concatenation with user input.

          Enable Session State Protection.

 g) Database Session Security

The Database Session section in Oracle APEX allows developers to configure settings that are applied when a database session is established for the application. These settings can be used to control session behavior and initialize security-related context.

·          Parsing Schema – Defines the database schema used by the application to parse and execute SQL and PL/SQL statements. In this application, the parsing schema is ML_APEX.

·          Initialization PL/SQL Code – Executes automatically when a database session is created.

·           Cleanup PL/SQL Code – Executes when the database session ends, enabling cleanup of session-specific settings or contexts.

Figure-9
This ensures database sessions are configured consistently and securely.

 f) Advanced

The Advanced section contains additional application-level security settings, such as error handling behavior and other advanced application-level security settings that fall outside the other security categories.

Figure-10
 Security Options

1-Authentication Schemes

Authentication determines who can access the application. Users must provide valid credentials before accessing the application dashboard.

 Oracle APEX supports multiple authentication methods:

          Custom

          Database Accounts

          LDAP

          Oracle APEX Accounts

          Social Sign-In etc.

Steps to Create an Authentication Scheme

1.        Navigate to Shared Components --- Authentication Schemes.

2.        Click Create.

3.        Enter a Name.

4.        Select an authentication method.

5.        Configure the required settings.

Figure-11

6.        Click Create Authentication Scheme.

Figure-12

7.        Click Make Current Scheme.

 8.        Navigate to Security Attributes --- Authentication to verify the active scheme.

Figure-13

9.        Run the application and test login functionality.
Figure-14

Feature

          Ensures only authorized users can access the application.

 2) Authorization Schemes

Authorization determines what authenticated users can access after login.

Administrators can manage users.

Employees can only view their own records.

 Implementing an Authorization Scheme

a.         Navigate to Shared Components ---- Authorization Schemes.

b.        Click Create.

c.         Enter a Name.

Figure-15

d.        Select an authorization Scheme.

Figure-16

e.         Configure the evaluation criteria and authorization logic

Figure-17

f.         Navigate to Security Attributes --- Authorization to apply application-level settings.

g.         Test using different user roles.

  Advantage

          Restricts access based on user roles.

          Improves application security.

 Schemes vs. Security Attributes

It is important to understand why these concepts appear in two places in APEX.

 Authorization (Security Attributes)

The Authorization section in Security Attributes contains application-level settings that define how authorization is handled across the application.

 Authorization Schemes

Authorization Schemes are reusable security rules that determine whether a user can access specific application components such as pages, regions, buttons, items, and processes.

Summary

Security Attributes: Authorization controls the overall authorization configuration

 Authorization Schemes: Define the actual access rules applied throughout the application.

Schemes are where you create security definitions. Security Attributes is where you activate and configure them for your application.

 3) Session State Protection

Session State Protection (SSP) prevents users from manipulating page item values through URL tampering.

Navigation: Security Attributes --- Session State Protection

Default: Enabled

Figure-18
Scenario:

A user attempts to modify a URL parameter to access another employee’s record. SSP prevents the request from being processed if the checksum validation fails.

 Benefits

          Prevents unauthorized data manipulation.

          Protects application integrity.

          Enhances overall application security.

 Conclusion

Oracle APEX provides a set of built-in security features that help to create secure enterprise applications with minimal effort.

By properly implementing Oracle APEX security features such as Authentication, Authorization, Session Management, Session State Protection, Browser Security, and Database Session Security, organizations can significantly reduce security risks and protect sensitive business data.

Comments

Popular posts from this blog

Oracle EBS R12 General Ledger (GL) Module – Practical SQL Queries

Introduction Oracle E-Business Suite (EBS) R12 General Ledger (GL) is the core Financial module in Oracle EBS R12. It is used to manage journal entries, accounting periods, balances, and financial reporting. The GL module integrates with Payables (AP), Receivables (AR), Fixed Assets (FA), Purchasing (PO), and Inventory (INV). The main purpose of a general ledger system is to record financial activity of a company and to produce financial and management reports to help the organization make decisions. Below are real-world SQL queries commonly used.   1) View configured Ledgers      Purpose: Fetch Ledger Configuration Details SELECT       ledger_id,      name  AS   ledger_name ,    short_name ,   currency_code FROM     gl_ledgers ORDER BY     ledger_id ;   2) Ledger Information Query Purpose: Fetch Ledger Configuration Details SELECT     gl.name   ...

Oracle ERP R12 Purchasing Module – Useful SQL Queries Every Developer Should Know

Oracle Purchasing (PO Module) in Oracle ERP R12 has a significant role by managing requisitions and purchase orders . It integrates with key modules such as Inventory, Payables, and General Ledger to ensure smooth business operations. Below are real-world SQL queries commonly used. Note: Replace :ORG_ID with your Operating Unit ID (e.g., 89)  and :PO with the required PO number (e.g., 'PO-10045')   1) Purchase Order Header Details Purpose: Get basic PO information for specific Org SELECT     pha.segment1 AS po_number,     pha.type_lookup_code AS po_type,     pha.authorization_status,     pha.creation_date,     pv.vendor_name,     pv.vendor_id FROM     po_headers_all pha,     po_vendors pv WHERE     pha.vendor_id = pv.vendor_id     AND pha.org_id = :ORG_ID;     2) Purchase Order Line De...

Exploring AI in Oracle APEX 26.1

Artificial Intelligence (AI) is transforming the way organizations and developers work. Businesses and professionals are increasingly adopting AI tools to improve productivity, automate processes, and build smarter applications. Oracle APEX introduces a significant evolution in application development by integrating governed Generative AI capabilities directly into the low-code platform. This enables developers to build intelligent, conversational applications while maintaining enterprise-grade security and control. In this article we explore AI capabilities in Oracle APEX 26.1 What is AI Agents AI Agents can be created to reason over user requests and take actions through approved AI Tools. Each tool exposes a specific application capability the agent is allowed to invoke, such as retrieving data, running server-side PL/SQL, or executing client-side JavaScript. APEX manages the execution flow by preparing context, dispatching tool calls, executing tools, handling results, and...