1. Making Sense of Apex Security
Christoph Ruepprich, Enkitec

2. Who Am I?
- Dad & Husband
- Consultant @ Enkitec
- DBA/Developer
- Fitness
- Bass player
- Board gamer
- ruepprich.wordpress.com, @CRuepprich, cruepprich, cruepprich@enkitec.com

3. Things to Cover
- Authentication
- Login / Logout Processing
- Authorization
- Security Settings and Reports

4. Authentication
- Who gets in:
  - Username
  - Password

5. Authentication Types
- Apex Authentication
- LDAP
- Database Account
- Open Door
- SSO
- HTTP Header Variable
- No Authentication

6. Apex Authentication – The Good
- Built in
- Users defined in Apex workspace
- Quick & easy setup
- User & group management
- Access to all applications in workspace

7. Apex Authentication – The Bad
- Users tied to a workspace
- Not scalable

8. LDAP Authentication
- Authenticate against existing LDAP
- Great for enterprise applications
- Requires ACL setup (11g)

9. Database Account – The Good
- Existing database accounts
- Handy when migrating from Oracle Forms
- No privileges needed
- Does not create a database session

10. Database Account – The Bad
- Not a good long term solution
- Accounts should be moved to an LDAP or Custom Authentication Scheme

11. Open Door Credentials
- Only username required
- Not secure
- Useful for testing

12. Oracle App. Svr. Single Sign On (OASSO)
- For use with Oracle Application Server
- Authenticate once and have access to many other applications.
- Register Apex as an OASSO partner application
- Uses OASSO login page

13. No Authentication
- No username or password required
- Good for public pages

14. HTTP Header Variable
- Used in conjunction with a single sign-on server
- Uses value from header variable
- Header variables can be viewed with owa_util.print_cgi_env.

15. Authentication
- Apex tracks user throughout the session
  - :APP_USER
  - &APP_USER.
  - V('APP_USER')
- Unauthenticated users show up as nobody
16. Settings
- Processing points
  - Sentry
  - Pre Authentication
  - Post Authentication (not when quitting browser)
  - Session Not Valid
  - Cookies

17. Settings: Sentry
- Replaces the built-in Apex sentry function
- Called before every page view and asynchronous transaction.
- Returns boolean.
- Ensures session is still valid.
- When FALSE, session is killed and invalid session procedure is called.

18. Settings: Pre Authentication
- Fires before authentication function.
- Does not fire with outside authentication (SSO), or no authentication.

19. Settings: Post Authentication
- Fires after user is authenticated, session is registered and cookie is set.
- Good for logging.
- Does not fire with no authentication, or when browser is closed.

20. Settings: Session Not Valid
- Fires when sentry returns FALSE
- Good for enforcing business rules. (Can't log in on Sundays)
- Specifies where user will be re-directed to
21. Session Cookie
- Cross application authentication
- Specify same cookie name in multiple apps
- Include session id in URL

22. Authentication

23. Authentication
- All Apex needs is a TRUE or FALSE from an authentication process
- Apex knows what to do in either case
- Same for all authentication types

24. Browsing to a page

25. Authentication Flow
- Each page uses a sentry function to determine whether the session is valid (session ID + cookie)
- Sentry returns TRUE/FALSE
- Invalid session gets redirected to Login (see Application Properties -> User Interfaces)
- Valid (or public) session sees page

26. Logging In

27. Login Page Processing
1. Get Username Cookie – reads LOGIN_USERNAME_COOKIE
2. If exists, populate P101_USERNAME
3. Password field does not save state.
4. When login page is submitted, the APEX_AUTHENTICATION API processes username and password
5. The API calls the current authentication scheme and returns TRUE or FALSE
6. When TRUE, session info is stored in WWV_FLOW_SESSIONS$
7. Finally the page cache for the login page is cleared.
8. Browser is redirected to next page

28. Login Page Processing
1. Get Username Cookie – reads LOGIN_USERNAME_COOKIE
2. If exists, populate P101_USERNAME
3. Password field does not save state.
4. When page is submitted:
   1. The login cookie is set with the username value
   2. The APEX_AUTHENTICATION API processes username and password
   3. When API returns TRUE, session info is stored in WWV_FLOW_SESSIONS$
   4. A process clears the page cache
   5. Browser is redirected

29. Logout Processing
- Logout can happen at various events
  - Logout link is clicked
  - Session duration exceeded
  - User exits browser
  - Session cookie is altered
  - Etc.
- These events make session invalid and invoke the Session Not Valid action

30. Logout Cleanup
- When logout link is clicked, session is terminated and stored session values get deleted.
- Any other termination invalidates session state and a purge job cleans up the stored data later. (ORACLE_APEX_PURGE_SESSIONS)

31. Application Level Authentication
- Set for entire application

32. Page Level Authentication
- Pages are either authenticated or public
- Edit Page -> Security

33. Custom Authentication
- Complete control
- Table based
- Can be either very simple or complex

34. Custom Authentication
- User table
- Group table
- Function to verify credentials

35. Custom Authentication
- User table example
  - ID
  - USERNAME
  - PASSWORD
  - FIRST_NAME
  - LAST_NAME
  - EMAIL_ADDRESS

36. Custom Authentication
- Authentication function
  - Arguments: username, password
  - Return TRUE if authenticated
37. Custom Authentication
Flow of apex_auth.authenticate_fn: check the password against the table; match -> return TRUE, no match -> return FALSE.

FUNCTION authenticate_fn (p_username VARCHAR2, p_password VARCHAR2)
RETURN boolean
IS
  l_count PLS_INTEGER;
BEGIN
  -- verify the credentials: compare the hash of the supplied password with the hash stored in the user table (slide 39)
  SELECT COUNT(*) INTO l_count FROM my_user_table
   WHERE UPPER(username) = UPPER(p_username)
     AND password = RAWTOHEX(dbms_crypto.hash(utl_raw.cast_to_raw(p_password), 2));
  IF l_count = 1 THEN
    APEX_UTIL.SET_AUTHENTICATION_RESULT(0);  -- 0 = normal, successful authentication
    RETURN TRUE;
  END IF;
  APEX_UTIL.SET_AUTHENTICATION_RESULT(4);    -- 4 = incorrect password
  RETURN FALSE;
END;
38. Custom Authentication
- If function returns TRUE, redirect to Home URL
- Edit Application Properties -> User Interfaces -> User Interfaces -> User Interface Details
39. Password Security
- Store a hashed ("encrypted") password in the user table; dbms_crypto.hash is one-way, so the clear text is never stored.
- dbms_crypto.hash(utl_raw.cast_to_raw(p_str), 2);
  (the constant 2 is DBMS_CRYPTO.HASH_MD5; an unsalted MD5 can be brute-forced offline from a stolen table, so prefer DBMS_CRYPTO.HASH_SH256 with a per-user salt)
- In the authentication function: compare the hashed password to user_table.password.
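A hardened version of the custom authentication function from slides 37 and 39, added here as an example and not part of the deck: it stores a per-user salt and a SHA-256 hash instead of unsalted MD5, and reports the outcome through APEX_UTIL.SET_AUTHENTICATION_RESULT so it shows up in the login attempt reports. It assumes a table MY_USER_TABLE with columns USERNAME, PASSWORD_SALT (RAW(16)) and PASSWORD_HASH (RAW(32)) and an EXECUTE grant on DBMS_CRYPTO; those column names are assumptions, not from the slides.

```plsql
-- Added example, not the deck's code. Assumed schema (not from the slides):
--   MY_USER_TABLE(USERNAME VARCHAR2, PASSWORD_SALT RAW(16), PASSWORD_HASH RAW(32))
-- The schema owner needs EXECUTE on DBMS_CRYPTO.
CREATE OR REPLACE PACKAGE apex_auth AS
  FUNCTION  hash_password   (p_password VARCHAR2, p_salt RAW) RETURN RAW;
  PROCEDURE set_password    (p_username VARCHAR2, p_password VARCHAR2);
  FUNCTION  authenticate_fn (p_username VARCHAR2, p_password VARCHAR2) RETURN BOOLEAN;
END apex_auth;
/
CREATE OR REPLACE PACKAGE BODY apex_auth AS

  -- SHA-256 over salt || password: a per-user salt makes precomputed tables useless
  FUNCTION hash_password (p_password VARCHAR2, p_salt RAW) RETURN RAW IS
  BEGIN
    RETURN dbms_crypto.hash(
             src => utl_raw.concat(p_salt, utl_raw.cast_to_raw(p_password)),
             typ => dbms_crypto.hash_sh256);
  END hash_password;

  -- called when a password is set or changed; the clear text is never stored
  PROCEDURE set_password (p_username VARCHAR2, p_password VARCHAR2) IS
    l_salt RAW(16) := dbms_crypto.randombytes(16);   -- fresh random salt each time
  BEGIN
    UPDATE my_user_table
       SET password_salt = l_salt,
           password_hash = hash_password(p_password, l_salt)
     WHERE UPPER(username) = UPPER(p_username);
  END set_password;

  -- authentication function of the custom scheme (slide 36): username + password in,
  -- TRUE/FALSE out, with the result code recorded for the login attempt reports (slide 73)
  FUNCTION authenticate_fn (p_username VARCHAR2, p_password VARCHAR2) RETURN BOOLEAN IS
    l_salt  RAW(16);
    l_hash  RAW(32);
    l_dummy RAW(32);
  BEGIN
    SELECT password_salt, password_hash INTO l_salt, l_hash
      FROM my_user_table
     WHERE UPPER(username) = UPPER(p_username);

    IF utl_raw.compare(hash_password(p_password, l_salt), l_hash) = 0 THEN
      apex_util.set_authentication_result(0);   -- 0 = normal, successful authentication
      RETURN TRUE;
    END IF;
    apex_util.set_authentication_result(4);     -- 4 = incorrect password
    RETURN FALSE;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- hash anyway so an unknown user name costs about as much time as a wrong password
      l_dummy := hash_password(p_password, utl_raw.cast_to_raw('unknown-user-salt'));
      apex_util.set_authentication_result(1);   -- 1 = unknown user name
      RETURN FALSE;
  END authenticate_fn;
END apex_auth;
/
```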
40. Additional Processing Points
- Pre-Authentication: before credentials are verified.
- Post-Authentication: only after credentials are verified.
- Session Verify Function: additional business rules. No login throttle.
41. Session Verify Function
Prevent logins on Sundays: is today Sunday? No -> return TRUE; yes -> return FALSE.

FUNCTION session_is_valid RETURN boolean
IS
BEGIN
  -- 'DY' with an explicit NLS_DATE_LANGUAGE does not depend on the session's NLS settings
  IF TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN' THEN
    RETURN FALSE;
  ELSE
    RETURN TRUE;
  END IF;
END;
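A session verify function that goes beyond the slide's Sunday rule, added here as an example rather than taken from the deck: on every page view it also re-checks that the account behind the session is still enabled, so a user disabled mid-session loses access at the next request instead of when the session expires. It is written as a stored function and therefore reads the user with v('APP_USER') (slide 15) rather than the :APP_USER bind; the ENABLED column ('Y'/'N') on MY_USER_TABLE is an assumption.

```plsql
-- Added example, not the deck's code. Assumes MY_USER_TABLE(USERNAME, ENABLED 'Y'/'N');
-- the ENABLED column is an assumption. Register the function as the scheme's Verify Function.
CREATE OR REPLACE FUNCTION session_is_valid RETURN BOOLEAN IS
  l_user    VARCHAR2(255) := v('APP_USER');
  l_enabled VARCHAR2(1);
BEGIN
  -- business rule from slide 41: no access on Sundays
  -- ('DY' with an explicit NLS_DATE_LANGUAGE does not depend on the session's NLS settings)
  IF TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN' THEN
    RETURN FALSE;
  END IF;

  -- unauthenticated session: APP_USER is 'nobody' (slide 15); nothing to re-check here
  IF l_user IS NULL OR l_user = 'nobody' THEN
    RETURN TRUE;
  END IF;

  -- the account behind the session must still be enabled
  SELECT enabled INTO l_enabled
    FROM my_user_table
   WHERE UPPER(username) = UPPER(l_user);
  RETURN l_enabled = 'Y';
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN FALSE;   -- user row deleted: the sentry kills the session (slide 17)
END session_is_valid;
/
```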
42. Session Cookie
(Diagram: applications Kermit, Piggy and Fozzy sharing one session cookie; the link f?p=PIGGY:PAGE:&SESSION. carries the session id across applications.)

43. Session Cookie
(Diagram: Kermit, Piggy and Fozzy each use f?p=SHOW:101 as the Logout URL.)

44. Authorization

45. Authorization
- After authentication
- Control access to
  - Applications*
  - Pages
  - Page items
  - Etc.
- Depends on
  - User attributes
  - Groups

46. Authorization – Application Level
Who gets into the application. You may have 1000s of users, but only a small group should have access. Gatekeeper.

47. Authorization – Application Level
- Application Properties -> Security

48. Authorization – Page Level
- Edit Page -> Security

49. Authorization – Item Level
- Edit Item -> Security

50. Authorization – Bulk Edit
- Application -> Utilities -> Cross Page Utilities -> Grid Edit all Pages

51. Group Management
- Apex Authorization
  - Authorization Scheme: apex_util.get_groups_user_belongs_to(:APP_USER);
- LDAP
  - :AI_LDAP_GROUPS := apex_auth.ldap_get_groups_fn(:APP_USER);
- Custom Authorization
  - Table based
  - Custom function to get group membership
52. Apex Group
-- authorization scheme body (PL/SQL Function Returning Boolean)
declare
  l_groups      varchar2(1000);
  l_arr_groups  apex_application_global.vc_arr2;
  l_authorized  boolean := false;
  l_idx         pls_integer;
begin
  -- get comma separated list of groups user belongs to
  l_groups := apex_util.get_groups_user_belongs_to(:APP_USER);
  -- convert l_groups into array
  l_arr_groups := apex_util.string_to_table(p_string => l_groups, p_separator => ',');
  -- check if vocals group is present
  for l_idx in 1..l_arr_groups.count loop
    if (trim(l_arr_groups(l_idx)) = 'vocals') then
      l_authorized := true;
    end if;
  end loop;
  return l_authorized;
end;
53. LDAP Group
54. Custom Group
FUNCTION belongs_to_admins (p_username VARCHAR2)
RETURN boolean
IS
  l_yesno VARCHAR2(3);
BEGIN
  -- any row for this user in the ADMINS group yields 'YES', otherwise 'NO'
  SELECT NVL(MAX('YES'), 'NO')
    INTO l_yesno
    FROM my_user_table
   WHERE username = p_username
     AND usergroup = 'ADMINS';
  IF l_yesno = 'YES' THEN
    RETURN TRUE;
  ELSE
    RETURN FALSE;
  END IF;
END;
55. Authorization - Utilization
- Shared Components -> Authorization Schemes -> Utilization

56. Pages With Authorization Schemes

57. Pages Without Authorization Schemes

58. Example: Apex Authentication

59. Apex User Attributes
- Admin/Developer attributes
- Groups

60. Apex Account Privileges
Get Account Privileges:
SELECT 1 FROM APEX_WORKSPACE_APEX_USERS WHERE user_name = :APP_USER AND is_admin = 'Yes';
SELECT 1 FROM APEX_WORKSPACE_APEX_USERS WHERE user_name = :APP_USER AND is_developer = 'Yes';

61. Apex Group Assignment

62. Apex Groups

63. Authentication Scheme
- Check for group membership

64. Authentication Subscription
- Subscribe to existing scheme
- Changes get passed on

65. Authorization Subscription
- Changes are not automatically passed on
- Push changes

66. Authentication Subscription
- Pull changes individually

67. Invalid Session Detail
- Fires after page sentry
- Specify URL to go to when invalid session is detected.
- f?p=KSCOPE13:101:&APP_SESSION.:HELLO_KITTY:&DEBUG.::::

68. Account Login Control
- Works on end user accounts of Apex user management.

69. Apex Instance Controls
- Session Timeout

70. Apex Instance Controls
- General Login Control

71. Password Policy
- For Apex accounts

72. Password Policy
- Continued:

73. Reports
- Login Attempts
- Login Attempts by Authentication Result
- Developer Login Summary
- Administration -> Monitor Activity

74. Session State Protection