Mastering the Oracle Data Pump API


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Mastering the Oracle Data Pump API

  1. 1. Making Sense of Apex Security Christoph Ruepprich Enkitec
  2. 2. Who Am I? l  Dad & Husband l  Consultant @ Enkitec l  DBA/Developer l  Fitness l  Bass player l  Board gamer @CRuepprich cruepprich
  3. 3. Things to Cover l  Authentication l  Login / Logout Processing l  Authorization l  Session State Protection
  4. 4. Authentication l  Who gets in: l  Username l  Password
  5. 5. Authentication Types l  Apex Authentication l  LDAP l  Database Account l  Open Door l  OASSO l  HTTP Header Variable l  Custom l  No Authentication
  6. 6. Apex Authentication – The Good l  Built In l  Users defined in Apex workspace l  Quick & easy setup l  User & group management l  Access to all applications in workspace
  7. 7. Apex Authentication – The Bad l  Users tied to a workspace l  Not scalable
  8. 8. LDAP Authentication l  Authenticate against existing LDAP l  Great for enterprise applications
  9. 9. Database Account – The Good l  Existing Database Accounts l  Handy when migrating from Oracle Forms l  No privileges needed l  Does not create a database session
  10. 10. Database Account – The Bad l  Not a good long term solution l  Accounts should be moved to an LDAP or Custom Authentication Scheme
  11. 11. Open Door Credentials l  Only username required l  Not secure l  Useful for testing
  12. 12. Oracle App. Svr. Single Sign On (OASSO) l  For use with Oracle Application Server l  Authenticate once and have access to many other applications. l  Register Apex as a OASSO partner application l  Uses OASSO Login Page
  13. 13. HTTP Header Variable l  Used in conjunction with a single sign-on server that specifies a header variable value for the current user
  14. 14. Custom l  Table Based l  Specify Authentication Function
  15. 15. No Authentication l  No username or password required l  Good for public pages
  16. 16. Authentication l  Apex tracks user and session ID throughout the session ●  :APP_USER :SESSION ●  &APP_USER. &SESSION. ●  v(‘APP_USER’) v(‘SESSION’) l  Unauthenticated users show up as nobody
  17. 17. Additional Settings l  Pre Authentication l  Post Authentication l  Verify Session l  Cookies
  18. 18. Additional Settings l  Pre Authentication l  Post Authentication (not when quitting browser) l  Verify Session l  Cookies •  Fires before authentication function. •  Does not fire with outside authentication (SSO), or no authentication.
  19. 19. Additional Settings l  Pre Authentication l  Post Authentication l  Verify Session l  Cookies •  Fires after user is authenticated, session is registered and cookie is set. •  Good for logging. •  Does not fire with no authentication
  20. 20. Additional Settings l  Pre Authentication l  Post Authentication l  Verify Session l  Cookies•  Good for enforcing business rules. (Can’t log in on Sundays)
  21. 21. Session Verify Function l  Prevent logins on Sundays Is today Sunday? No? Return True. Yes? Return FALSE. FUNCTION session_is_valid RETURN boolean IS BEGIN IF <today is Sunday> THEN RETURN FALSE; ELSE RETURN TRUE; END IF; END;
  22. 22. Settings l  Processing points ●  Sentry ●  Pre Authentication ●  Post Authentication (not when quitting browser) ●  Invalid Session ●  Cookies •  Replaces the built-in Apex sentry function •  Called before every page view and asynchronous transaction. •  Returns boolean. •  Ensures session is still valid. •  When FALSE, session is killed and invalid session procedure is called.
  23. 23. Settings l  Processing points ●  Sentry ●  Pre Authentication ●  Post Authentication ●  Invalid Session ●  Cookies •  Fires after user is authenticated, session is registered and cookie is set. •  Good for logging. •  Does not fire with no authentication, or when browser is closed.
  24. 24. Settings l  Processing points ●  Sentry ●  Pre Authentication ●  Post Authentication (not when quitting browser) ●  Session Not Valid ●  Cookies•  URL/Page when session is not valid •  Verify Function Name: Good for enforcing business rules. (Can’t log in on Sundays)
  25. 25. Session Cookie l  Cross application authentication l  Specify same cookie name in multiple apps l  Include session id in URL
  26. 26. Session Cookie Kermit Piggy Fozzy f?p=PIGGY:PAGE:&SESSION.
  27. 27. Session Cookie Kermit Piggy Fozzy f?p=SHOW:101 Logout URL f?p=SHOW:101 f?p=SHOW:101
  28. 28. Authentication Processing
  29. 29. Authentication Processing l  All Apex needs is a TRUE or FALSE from an authentication process l  Apex knows what to do in either case l  Same for all authentication types
  30. 30. Browsing to a page
  31. 31. Authentication Flow l  Each page uses a sentry function to determine whether the session is valid (session ID + cookie) l  Sentry returns TRUE/FALSE l  Invalid session gets redirected to elswhere (see Invalid Session settings) l  Valid session sees page
  32. 32. Logging In
  33. 33. Login Page Processing 1.  Get Username Cookie – reads LOGIN_USERNAME_COOKIE 2.  If exists, populate P101_USERNAME 3.  Password field does not save state. 4.  When page is submitted 1.  The LOGIN_USERNAME_COOKIE is set with the username value 2.  The APEX_AUTHENTICATION API processes username and password 3.  When API returns TRUE, session info is stored in WWV_FLOW_SESSIONS$ 4.  Cookie OWA_WWV_APP_nnn is set with hash of session ID 5.  A process clears the page cache 5.  Browser is redirected
  34. 34. Logout Processing l  Logout can happen at various events ●  Logout link is clicked ●  Session duration exceeded ●  User exits browser ●  Session cookie is altered ●  Etc. l  These events make session invalid
  35. 35. Logout Cleanup l  When logout link is clicked ●  Post Logout procedure is called ●  Session is terminated and stored session values get deleted. l  Any other termination invalidates session state and a purge job cleans up the stored data later. (ORACLE_APEX_PURGE_SESSIONS)
  36. 36. Application Level Authentication l  Set for entire application
  37. 37. Page Level Authentication l  Pages are either authenticated or public Edit Page -> Security
  38. 38. Custom Authentication
  39. 39. Custom Authentication l  Complete Control l  Table Based l  Can be either very simple or complex
  40. 40. Custom Authentication l  User Table l  Group Table l  Function to verify credentials
  41. 41. Custom Authentication l  User Table Example ●  ID ●  USERNAME ●  PASSWORD ●  FIRST_NAME ●  LAST_NAME ●  EMAIL_ADDRESS
  42. 42. Edit Shared Components l  Shared Components -> Security -> Authentication Schemes
  43. 43. Custom Authentication l  Authentication function ●  Arguments: username, password ●  Return TRUE if authenticated
  44. 44. Custom Authentication apex_auth.authenticate_fn Check Password against table Match? Return TRUE. No Match? Return FALSE. FUNCTION authenticate_fn (p_username VARCHAR2 , p_password VARCHAR2) RETURN boolean IS BEGIN /* do some verification */ APEX_UTIL.SET_AUTHENTICATION_RESULT(n); RETURN (TRUE|FALSE); END;
  45. 45. Custom Authentication l  If function returns TRUE Redirect to Home URL Edit Application Properties -> User Interfaces -> User Interfaces -> User Interface Details
  46. 46. Password Security l  Store encrypted password in user table. l  dbms_crypto.hash( utl_raw.cast_to_raw(p_str),2 ); l  In authenticaton function: compare encrypted password from login page to user_table.password.
  47. 47. Switch Authentication Scheme
  48. 48. Switch Authentication Scheme
  49. 49. Authorization
  50. 50. Edit Shared Components l  Shared Components -> Security -> Authorization Schemes
  51. 51. Authorization l  After authentication l  Control access to ●  Applications ●  Pages ●  Regions ●  Page items ●  Buttons ●  Tabs ●  Etc.
  52. 52. Authorization – Application Level Who gets into the application. You may have 1000s of users, but only a small group should have access. Gatekeeper
  53. 53. Gatekeeper l  Restricts application to a subset of authenticated user. l  Should check whether the user has at least one role in the application.
  54. 54. Gatekeeper – Application Level l  Application Properties -> Security
  55. 55. Authorization – Page Level l  Edit Page -> Security
  56. 56. Authorization – Item Level l  Edit Item (and other elements) -> Security
  57. 57. Authorization – Bulk Edit l  Application -> Utilities -> Cross Page Utilities -> Grid Edit all Pages
  58. 58. Group Management l  Apex Authorization ●  Authorization Scheme apex_util.get_groups_user_belongs_to(:APP_USER); l  LDAP ●  apex_auth.ldap_get_groups_fn ●  apex_ldap.member_of l  Custom Authorization ●  Table based ●  Custom function to get group membership
  59. 59. Apex Group declare l_groups varchar2(1000); l_arr_groups apex_application_global.vc_arr2; l_authorized boolean := false; l_idx pls_integer; begin -- get comma separated list of groups user belongs to l_groups := apex_util.get_groups_user_belongs_to(:APP_USER); -- convert l_groups into array l_arr_groups := apex_util.string_to_table(p_string => l_groups ,p_separator => ','); -- check if vocals group is present for l_idx in 1..l_arr_groups.count loop if (trim(l_arr_groups(l_idx)) = 'vocals') then l_authorized := true; end if; end loop; return l_authorized; end;
  60. 60. LDAP Group
  61. 61. Custom Group FUNCTION belongs_to_admins (p_username VARCHAR2) RETURN boolean; IS l_yesno VARCHAR2(3); BEGIN SELECT NVL(MAX('YES'), 'NO’) INTO l_yesno FROM my_user_table WHERE username = p_username AND usergroup = 'ADMINS'; IF l_yesno = 'YES’ THEN RETURN TRUE; ELSE RETURN FALSE; END IF; END;
  62. 62. Authorization - Utilization l  Shared Components -> Authorization Schemes -> Utilization
  63. 63. Pages With Authorization Schemes
  64. 64. Pages Without Authorization Schemes
  65. 65. Apex User Attributes l  Admin/Developer attributes l  Groups
  66. 66. Apex Account Privileges SELECT 1 FROM APEX_WORKSPACE_APEX_USERS WHERE user_name = :APP_USER AND is_admin = 'Yes'; Get Account Privileges: SELECT 1 FROM APEX_WORKSPACE_APEX_USERS WHERE user_name = :APP_USER AND is_developer = 'Yes';
  67. 67. Apex Group Assignment
  68. 68. Apex Groups
  69. 69. Authentication Scheme l  Check for group membership
  70. 70. Account Login Control l  Works on end user accounts of Apex user management.
  71. 71. Apex Instance Controls l  Session Timeout
  72. 72. Apex Instance Controls l  General Login Control
  73. 73. Password Policy l  For Apex accounts
  74. 74. Password Policy Continued:
  75. 75. Authorization Subscription l  Changes are not automatically passed on l  Push changes
  76. 76. Authentication Subscription l  Pull changes individually
  77. 77. Session State Protection l  Prevents altering item values in the URL l  Item Level: Invalidates bookmarks
  78. 78. Application Level SSP - URL Tampering l  Application Level SSP ●  Unrestricted ●  Arguments Must Have Checksum ●  No Arguments Allowed (no values can be passed) ●  No URL Access (branch only)
  79. 79. Bookmark Expiration l  Item Level ●  Application Level (share among users in App) ●  User Level (only for user) ●  Session Level (only for session, bookmarking not worth it)
  80. 80. Edit Shared Components l  Shared Components -> Security -> Session State Protection
  81. 81. SSP Protection Controls l  Pages l  Page Items l  Application Items
  82. 82. SSP Page Report
  83. 83. SSP Page Item Report
  84. 84. SSP Application Item Report
  85. 85. Set Protection Wizard l  Disable l  Enable l  Configure
  86. 86. Set Protection Wizard
  87. 87. Expire Bookmarks l  Done from Application Administration Edit Application -> Security -> Session State Protection l  Invalidates bookmarks containing checksums
  88. 88. Reports l  Login Attempts l  Login Attempts by Authentication Result l  Developer Login Summary Administration -> Monitor Activity
  89. 89. Subscriptions l  Subscribe to existing scheme l  Changes get passed on