Previous
Previous
 
Next
Next

Configuring Security Attributes

You can provide security for your application by configuring attributes on the Edit Security Attributes page. The Security Attributes you choose apply to all pages within an application.

Topics:

Accessing the Edit Security Attributes Page

To access the Edit Security Attributes page:

  1. On the Workspace home page, click the Application Builder icon.

  2. Select an application.

  3. Click Shared Components.

    The Shared Components page appears.

  4. Under Security, click Edit Security Attributes.

The Edit Security Attributes page appears.

About Navigation Alternatives

The Edit Security Attributes page is divided into the following sections: Authentication, Authorization, Database Schema, Session State Protection, and Virtual Private Database. You can access these sections by scrolling down the page, or by clicking a navigation button at the top of the page.

Description of sec_attribute_tabs.gif follows
Description of the illustration sec_attribute_tabs.gif

When you select a button at the top of the page, the selected section appears and all other sections are temporarily hidden. To view all sections of the page, click Show All.

About the Security Attributes Page

The following sections describe the attributes available on the Edit Security Attributes page.

Topics:

Authentication

Authentication is the process of establishing users' identities before they can access an application. Although you define multiple authentication schemes for your application, only one scheme can be current at a time. Table: Authentication Attributes describes the attributes available under Authentication.

Authentication Attributes

Attribute Descriptions

Home Link

Specifies a URL or procedure that should be run when you run the application.

For example, Home Link could contain the relative URL used to locate the application home page. For example, f?p=6000:600 would specify application 6000 with a home page number of 600. In this example, the value you enter in Home Link replaces the #HOME_LINK# substitution string in application templates.

You can also use this attribute to name a procedure. For example, you could create a procedure such as personal_calendar which renders an HTML page to serve as the application home.

Note: Do not use the Home Link attribute to determine the page that displays after authentication. The page that displays after authentication is determined by other components within the application's authentication scheme.

See Also: "HOME_LINK"

Login URL

Replaces the substitution strings &LOGIN_URL. in HTML or #LOGIN_URL# in templates.

See Also: "LOGIN_URL" and "Creating an Authentication Scheme"

Public User

Identifies the Oracle schema used to connect to the database through the database access descriptor (DAD). The default value is ANONYMOUS in environments where the database server version is Oracle Database Express Edition and it is APEX_PUBLIC_USER for all other versions of the database server.

Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string APP_USER.

Note: Previous versions of Oracle Application Express used the built-in substitution string HTMLDB_PUBLIC_USER.

When APP_USER equals this value, the Application Express engine considers the current session to be a public user session. The Application Express engine supports the following built-in display conditions:

  • USER_IS_PUBLIC_USER

  • USER_IS_NOT_PUBLIC_USER

If the current application user (APP_USER) equals the value of this attribute, then the user is logged on as a public user. Some applications have public (not logged in) and a private (logged in) modes. By determining if the user is the public user, you can conditionally display or hide information.

For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using APEX_APPLICATION.G_PUBLIC_USER. The Application Express engine also has built in condition types USER_IS_PUBLIC_USER and USER_IS_NOT_PUBLIC.

See Also: "HOME_LINK" and "Understanding Conditional Rendering and Processing"

Define Authentication Scheme

Click this button to define an authentication scheme.

See Also: "Understanding How Authentication Works" and "Creating an Authentication Scheme"


Authorization

Authorization controls user access to specific controls or components based on user privileges. You can specify an authorization scheme for your application, by making a selection from the Authorization Scheme list. You can assign only one authorization to an entire application. However, you can assign an authorization scheme to individual pages, page controls (such as a region, a button, or an item), or a shared component (such as a menu, a list, or a tab).

To create a authorization scheme, click Define Authorization Schemes.

An authorization scheme is a binary operation that either succeeds (equals true) or fails (equals false). If it succeeds, then the component or control can be viewed. If it fails, then the component or control cannot be viewed or processed. When you attach an authorization scheme to a page and it fails, an error message displays instead of the page. However, when you attach an authorization scheme to a page control (for example, a region, a button, or an item) and it fails, no error page displays. Instead, the control either does not display or is not processed or executed.

Database Schema

Use Parsing Schema to specify the database scheme for the current application. Once defined, all SQL and PL/SQL commands issued by the application will be performed with the rights and privileges of the defined database schema.

Session Timeout

Use the following attributes to reduce exposure to abandoned computers with an open Web browser by application:

  • Maximum Session Length in Seconds - Enter a positive integer representing how many seconds a session used by this application will exist. Leave the value NULL for the session to exist indefinitely. This session duration may be superseded by the operation of the job that runs every eight hours which deletes sessions older than 24 hours.

  • Session Timeout URL - Enter an optional URL to be redirected to when the Maximum Session Length in Seconds has been exceeded. If implemented in Oracle Application Express, the target page in this URL should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If no URL is supplied, the user is redirected to the application home page.

  • Maximum Session Idle Time in Seconds - Enter a positive integer representing how many seconds of inactivity or idle time a session used by this application should permit. The idle time is the time between one page request and the next one. Leave the value NULL to prevent session idle time checks from being performed.

  • Idle Timeout URL - Enter an optional URL to be redirected to when the Maximum Session Idle Time in Seconds has been exceeded. If implemented in Oracle Application Express, the target page in this URL should be a public page. A common use for this page would be to inform the user of the session is redirected to the application home page. If no URL is supplied, the user is redirected to the application home page.

Session State Protection

Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.

To enable or disable Session State Protection for your application, make a selection from the Session State Protection list. Setting Session State Protection to Enabled turns on session state protection controls defined at the page and item level.

To configure Session State Protection, click Manage Session State Protection.

Virtual Private Database (VPD)

Use this attribute to enter a PL/SQL block that sets a Virtual Private Database (VPD) context for the current database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the APP_USER value is established. The value of APP_USER (using :APP_USER or v('APP_USER')) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state before the initiation of the current page request. Consider the following example:

dbms_session.set_context('CTX_USER_QRY','USERPRIV',my_package.my_function(:APP_USER));

The previous example sets the value of USERPRIV in the context named CTX_USER_QRY to the value returned by the function my_function in package my_package. The function is passed the current value of APP_USER as an input argument. Presumably, the named context would be used in a VPD policy ( created within the application's parsing schema) to effect the generation of predicates appropriate to the authenticated user.

Virtual Private Database, also know as Fine-Grained Access Control or FGAC, is an Oracle database feature that provides an application programming interface (API) that enables developers to assign security policies to database tables and views. Using PL/SQL, developers can create security policies with stored procedures and bind the procedures to a table or view by means of a call to an RDBMS package. Such policies are based on the content of application data stored within the database, or based on context variables provided by Oracle database. In this way, VPD permits access security mechanisms to be removed from applications, and to be situated closer to particular schemas.

The code entered in this section need not pertain to VPD/FGAC; in fact, it may not be related to security at all. Any code that needs to be executed at the earliest point in a page request can be placed here. For example, to set the database session time zone for every page request:

BEGIN
  EXECUTE IMMEDIATE 'alter session set time_zone = ''Australia/Sydney'' ';
END;