Oracle APEX Security Tutorial

Learn how to harden your Oracle APEX applications! Prevent cross-site scripting, SQL injection and more.

Oracle Application Express (APEX) has many security-related features that help developers create applications that are guarded from today's web-based threats. But if developers are unaware of these features, how they work and what they guard against, then it is likely they will create applications with at least a few security holes. In this tutorial you will see demos of certain exploits, including cross-site scripting and SQL injection, and subsequently learn how to protect against them using the correct feature(s) in APEX or Oracle in general.

Want more? April 10 INTERMEDIATE APEX Training with Expert Tyson Jouglet!

This free training is segmented into several separate lessons:

  1. Overview (1:21)
  2. Is APEX Secure (1:13)
  3. Controlling Access (0:57)
  4. Authentication Schemes (3:08) (click on video below)
  5. Conditions vs Authorization (12:45)
  6. Protect the Ends (12:45)
  7. Propagate the WHERE (3:47)
  8. Session State Protection (8:44)
  9. Other Session State Protection (3:24)
  10. SQL Injection (5:16)
  11. Cross Site Scripting (9:05)

Date: Sep 27, 2012

NOTE: Some corporate firewalls will not allow videos hosted by YouTube.


Authentication Schemes

4. Securing Oracle APEX – Authentication Schemes


>> Dan: We're going to start by looking at authentication schemes. These are your means to identify end users.

Typically, in web-based apps this is going to be done via some sort of username and password challenge, although it's gotten a little bit more complicated these days. You have some folks going the route of single sign-on servers. You have other folks going the route of no-password authentication, so you might get an email and click a link to log in to an app. Lots of different ways. From security cards to retinal scans, you can ID users a variety of ways.

APEX comes with a number of preconfigured schemes available ready to go out of the box. Some of the more common ones include LDAP, so if you have an Active Directory server you can integrate with that. There's an HTTP header function or scheme which was added in 4.1, so if you have a custom single sign-on solution that adds an HTTP header variable, then you can leverage this very easily now. You might have had to write a custom auth scheme in the past; that's no longer the case.

And then of course, there's custom. Custom is as flexible as you can get and there's really nothing you can't do with that one.

One thing I do want to find out is that there's an open door scheme which not a lot of folks know about, but if you want to test your applications as though you are other users, such as the president of your organization, you can leverage the open door credentials very easily. It only requires a username and we'll pass you right on through without a password. Of course, you only want to use that in depth.

The next thing we're going to look at are authorization schemes. The authorization schemes are how we lock down who can do what within an application. Typically, this is going to be done via group membership of some sort.

Today I'm going to demo group membership in the APEX environment, but most often you're going to leverage something like Active Directory, OID, or some other sort of LDAP server to create your users, authenticate via username and password, and then control authorization by creating groups and assigning users to those groups.

Of course, you can only do authorization after you've done authentication. You need to know who somebody is before you can determine what they can or cannot do within a system.

The authorization schemes in APEX are really flexible. You can configure them however you like. Typically, they're going to be role-based, so you're going to create one authorization scheme for each role that will be in your system. But they can also be based on functionality, such as delete user. You may create an auth scheme called delete user and filter your roles up into that scheme.

You'll use these to lock down all the necessary components, including pages and [02:58 inaudible], starting with the app level all the way down to the most granular components in APEX.
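The two styles of authorization scheme Dan describes, one scheme per role and one scheme per capability, look like this when written as "PL/SQL Function Returning Boolean" scheme bodies against APEX workspace groups. This is an added example, not code from the tutorial or its author; the group names ADMIN and HELPDESK are constructed, and the functions assume they are evaluated inside an APEX session so that APEX_UTIL.CURRENT_USER_IN_GROUP sees the authenticated user.

```sql
-- Added example (not from the tutorial). Assumes APEX workspace groups
-- named ADMIN and HELPDESK exist; both names are constructed for this demo.

-- Role-based scheme: one authorization scheme per role. Attach it as the
-- "Authorization Scheme" of the admin pages and components.
CREATE OR REPLACE FUNCTION is_admin RETURN BOOLEAN IS
BEGIN
  -- No authenticated APEX session means no group membership: deny by default.
  IF apex_application.g_user IS NULL THEN
    RETURN FALSE;
  END IF;
  RETURN apex_util.current_user_in_group(p_group_name => 'ADMIN');
END is_admin;
/

-- Capability-based scheme ("delete user"): the roles allowed to perform the
-- action are folded into one check, so the Delete button and the process
-- behind it reference the capability rather than a list of roles.
CREATE OR REPLACE FUNCTION can_delete_user RETURN BOOLEAN IS
BEGIN
  IF apex_application.g_user IS NULL THEN
    RETURN FALSE;
  END IF;
  RETURN apex_util.current_user_in_group(p_group_name => 'ADMIN')
      OR apex_util.current_user_in_group(p_group_name => 'HELPDESK');
END can_delete_user;
/
```

In the authorization scheme definition, the body is simply `RETURN is_admin;` or `RETURN can_delete_user;`. The Evaluation Point setting decides how often the function runs: "Once per session" caches the result for the life of the session, so a user removed from a group keeps the capability until they log in again, while "Once per page view" re-checks on every request at the cost of an extra call. Apply the same scheme to the button, the page and the process that performs the action, since protecting only the button leaves the process reachable by a crafted request.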


Copyright 2017
