d e v e l o p e r BROWSER-BASED
BY DAVID PEAKE
Developing Secure Applications
Defend your Oracle Application Express applications against unauthorized use.
ecurity must be designed into
applications from the outset,
starting with database design;
continuing through application design, development, and testing;
and finishing with implementation
and training. This column outlines the
measures you should incorporate to
develop secure applications with Oracle
The column’s examples all use
the sample application on the hosted
instance of Oracle Application Express
at apex.oracle.com. (You must request
a free workspace to use the hosted
instance.) After getting a brief overview
of authentication and authorization in
Oracle Application Express, you’ll learn
how to set session timeouts and manage
session state, protect your applications
from SQL injection, and defend against
AUTHENTICATION AND AUTHORIZATION
Authentication and authorization are
the basic mechanisms for securing an
Oracle Application Express application. Authentication establishes that a
user is allowed to log in to the application; authorization implements various
access levels within the application.
Oracle Application Express provides
several preconfigured authentication
schemes, including LDAP credentials,
Oracle Application Server Single Sign-On, and Oracle Application Express
credentials. You can also define custom
authentication by using the built-in
page sentry or custom sentry functions.
Authenticated users’ session details are
stored in the database and verified with
each page request and submission.
Authorization schemes, once
defined, can be used to control access
to pages, buttons, tabs, items, and so
on. It is important to add authoriza-
tion to all restricted pages, not just to
the navigational controls used to access
MANAGING SESSION TIMEOUTS
One essential way to harden your
application is to ensure that users are
automatically timed out of the current
session after a period of time or if
they are idle for a certain period of
time. Timeouts limit the ability of
unauthorized people to access the
open application from a valid user’s
Follow these steps to define, in the
Sample Application, a public Session
Timeout page to which timed-out users
are automatically sent:
1. Select the Sample Application from
Application Builder. Click Create Page.
Select Blank Page, and click Next twice.
2. Enter Session Timeout for Name, click
Next twice, and then click Finish.
3. Note the number of the new page,
which you’ll need for a later step. Click
4. Under Page, click Session Timeout
for Page Name. Click Security, select
Page is Public for Authentication, and
click Apply Changes.
5. In the Regions area, click the Create
icon. Select HTML, and click Next.
Select HTML again, and click Next.
6. Enter Idle Timeout for Title, and
click Next. In the Enter HTML Text
Region Source box, enter Idle time has
been exceeded and your session has been
expired. Click Next.
7. Select Request = Expression 1 for
Condition Type, enter IDLE in the
Expression 1 box, and click Create
8. Repeat Step 5.
9. Enter Maximum Session Timeout for
Title, and click Next. In the Enter
HTML Text Region Source box, enter
Total session time has been exceeded and
your session has been expired. Click Next.
10. Select Request = Expression 1 for
Condition Type, enter MAXIMUM in the
Expression 1 box, and click Create
11. Click Shared Components.
Under Security, click Edit Security
12. Click Session Timeout, and select
1 Minute for Maximum Session
Length in Seconds. Using the application ID in place of &APP_ID and
the actual page number from Step
3 in place of xx, enter f?p=&APP_
ID:xx:0:MAXIMUM for Session Timeout
10 Seconds for Maximum
Session Idle Time in Seconds, enter
f?p=&APP_ID:xx:0:IDLE for Idle Timeout
URL, and click Apply Changes.
Now you can test the timeout. Run
the application, but do nothing in the
application’s user interface for at least
15 seconds. The Session Timeout page
should appear, with the idle message
shown in Figure 1.
Log back in to the application, by
clicking the Logout link at the top of
the screen. Navigate around the application continuously for more than one
minute. The Session Timeout page
should appear, with the maximum
Go back to Application Builder, and
follow Steps 11 and 12 above, this time
resetting the session timeout variables
to appropriate values.
Figure 1: Idle timeout