Overview
Oracle APEX is Oracle low-code
development platform that enables developers to build secure, scalable, and
data-driven web applications on top of the Oracle Database.
Security is a critical aspect of any enterprise application.Oracle APEX provides many security features to help protect applications.
Why Security is Important
Oracle APEX applications are accessible through web browsers and contain sensitive business data. As a result, they can become targets for unauthorized access, if proper security measures are not implemented. Therefore, it is essential to utilize Oracle APEX security features to protect application data, control user access and reduce security risks.
In this article, we will explore
the key security features available in Oracle APEX and how they can be used to
enhance application security.
Navigating to Security Settings
To access security settings in Oracle
APEX:
1. Log
in to Oracle APEX.
2. Open
App Builder.
3. Select
your application.
4. Click
Shared Components.
Security Options
Security Components
Security Attributes
Authentication Schemes
Authorization Schemes
Application Access Control
Session State Protection
Figure-1
Security Attributes contains
application-wide security settings. When you open Security Attributes, Oracle
APEX displays the following categories:
• Authentication
• Authorization
• Session
Management
• Session
State Protection
• Browser
Security
• Database
Session
• Advanced
Figure-2
These settings control the security behavior of the application.
Authentication Schemes define how
users log in to the application. Oracle APEX supports multiple authentication
methods.
Authorization Schemes define what
authenticated users can access within the application. Authorization can be
applied to pages, regions, buttons, items, navigation menus, and processes.
Session Management controls user
session behavior, including rejoin rules, deep linking, and session length and
idle timeouts.
Session Management protects
applications by controlling user sessions and inactivity timeouts.
Navigate:
Security Attributes: Session
Management
The Available Settings
Rejoin
Sessions — controls
whether a user can resume an existing session using a session ID in the URL
(rather than starting a brand-new session each time):
- Disabled – Rejoin is
not allowed; if the session ID doesn't match an active session tied to
that login, the user is forced to start a new session.
- Enabled for
Public Sessions
– Only unauthenticated (public) sessions can be rejoined via the URL's
session ID.
- Enabled for
All Sessions
– Both public and authenticated sessions can be rejoined.
Figure-3
Deep Linking
Controls whether a URL can take a user straight to a specific page (bypassing the standard login and navigation process):
- Enabled – Users can
jump directly to a shared page URL; if not authenticated, APEX will
authenticate them first and then redirect to that page.
- Disabled – Direct
page URLs are not honored; users are redirected to the application's home
page instead, regardless of which page link they used.
Defines the total lifetime of a session regardless of activity.
Defines how long a session can remain
inactive before expiration.
• Reduces
risk of unauthorized access.
• Protects
unattended sessions.
Session State Protection (SSP) helps
prevent URL tampering and unauthorized manipulation of page item values by
using checksums and validation mechanisms.
Oracle APEX provides Browser Security
settings under Security Attributes. These settings help protect applications
against common web-based attacks
Cache — controls whether the browser is allowed to
cache (store locally) pages from the
application.
- Disabled (shown) –
Browser caching is turned off, so every page request goes back to the
server. This prevents sensitive data from lingering in browser
cache/history, especially important on shared or public computers.
Embed
in Frames — controls
whether the application can be loaded inside an <iframe> on another site.
- Deny (shown) –
The application cannot be embedded in a frame at all. This protects
against clickjacking attacks, where an attacker overlays your app inside
an invisible frame on a malicious page to trick users into clicking
something unintended.
Referrer
Policy — controls how
much information the browser sends in the Referer header when users navigate
away from your app to another site.
- strict-origin (shown) –
Only the origin (scheme + domain, e.g., https://abcapp.com is sent, and only when both sites use
HTTPS; no path or query string details are leaked. This avoids exposing
sensitive URL contents (like session tokens or query parameters) to
external sites.
HTML
Escaping Mode
— controls how aggressively APEX escapes (encodes) special characters before
displaying user-supplied data on a page.
- Extended (shown) –
Applies more thorough escaping than the basic mode, which provides
stronger protection against Cross-Site Scripting (XSS) attacks where an
attacker tries to inject malicious HTML/JavaScript through input fields.
These protections improve application
security when accessed through modern web browsers.
Oracle APEX helps protect against it
through bind variables, Session State Protection, and secure PL/SQL coding
practices.
SELECT *
FROM employees
WHERE emp_id = :P1_EMP_ID;
Insecure Query
SELECT *
FROM employees
WHERE emp_id = '' || :P1_EMP_ID;
• Always
use bind variables.
• Avoid
SQL concatenation with user input.
• Enable
Session State Protection.
The Database Session
section in Oracle APEX allows developers to configure settings that are applied
when a database session is established for the application. These settings can
be used to control session behavior and initialize security-related context.
·
Parsing Schema – Defines the database
schema used by the application to parse and execute SQL and PL/SQL statements.
In this application, the parsing schema is ML_APEX.
·
Initialization PL/SQL Code – Executes
automatically when a database session is created.
·
Cleanup
PL/SQL Code – Executes when the database session ends, enabling cleanup of
session-specific settings or contexts.
The Advanced section contains
additional application-level security settings, such as error handling behavior
and other advanced application-level security settings that fall outside the other security
categories.
1-Authentication Schemes
Authentication determines who can
access the application. Users must provide valid credentials before accessing
the application dashboard.
Oracle APEX supports multiple authentication
methods:
• Custom
• Database
Accounts
• LDAP
• Oracle
APEX Accounts
• Social
Sign-In etc.
Steps to Create an Authentication Scheme
1. Navigate
to Shared Components --- Authentication Schemes.
2. Click
Create.
3. Enter
a Name.
4. Select
an authentication method.
5. Configure
the required settings.
6. Click
Create Authentication Scheme.
7. Click Make Current Scheme.
Feature
• Ensures
only authorized users can access the application.
Authorization determines what
authenticated users can access after login.
Administrators can manage users.
Employees can only view their own
records.
a. Navigate
to Shared Components ---- Authorization Schemes.
b. Click
Create.
c. Enter a Name.
d. Select
an authorization Scheme.
e. Configure
the evaluation criteria and authorization logic
f. Navigate
to Security Attributes --- Authorization to apply application-level settings.
g. Test
using different user roles.
• Restricts
access based on user roles.
• Improves
application security.
It is important to understand why
these concepts appear in two places in APEX.
The Authorization section in Security
Attributes contains application-level settings that define how authorization is
handled across the application.
Authorization Schemes are reusable
security rules that determine whether a user can access specific application
components such as pages, regions, buttons, items, and processes.
|
Summary |
Security Attributes: Authorization controls the overall
authorization configuration
Authorization Schemes: Define the actual access rules applied
throughout the application.
Schemes are where you create security
definitions. Security Attributes is where you activate and configure them for
your application.
Session State Protection (SSP)
prevents users from manipulating page item values through URL tampering.
Navigation:
Security Attributes --- Session
State Protection
Default:
Enabled
A user attempts to modify a URL
parameter to access another employee’s record. SSP prevents the request from
being processed if the checksum validation fails.
• Prevents
unauthorized data manipulation.
• Protects
application integrity.
• Enhances
overall application security.
Oracle APEX provides a set of built-in
security features that help to create secure enterprise applications with
minimal effort.
By properly implementing Oracle APEX
security features such as Authentication, Authorization, Session Management,
Session State Protection, Browser Security, and Database Session Security,
organizations can significantly reduce security risks and protect sensitive
business data.













Comments
Post a Comment