DEVELOPER: BROWSER-BASED
BY DAVID PEAKE
Developing Secure Applications
Defend your Oracle Application Express applications against unauthorized use.
Security must be designed into
applications from the outset,
starting with database design;
continuing through application design, development, and testing;
and finishing with implementation
and training. This column outlines the
measures you should incorporate to
develop secure applications with Oracle
Application Express.
The column’s examples all use
the sample application on the hosted
instance of Oracle Application Express
at apex.oracle.com. (You must request
a free workspace to use the hosted
instance.) After getting a brief overview
of authentication and authorization in
Oracle Application Express, you’ll learn
how to set session timeouts and manage
session state, protect your applications
from SQL injection, and defend against
cross-site scripting.
AUTHENTICATION AND AUTHORIZATION
Authentication and authorization are
the basic mechanisms for securing an
Oracle Application Express application. Authentication establishes who the
user is and whether that user may log in to the application; authorization
determines what an authenticated user may see and do once inside it.
Oracle Application Express provides
several preconfigured authentication
schemes, including LDAP credentials,
Oracle Application Server Single Sign-On, and Oracle Application Express
credentials. You can also define custom
authentication by using the built-in
page sentry or custom sentry functions.
Authenticated users’ session details are
stored in the database and verified with
each page request and submission.
Authorization schemes, once
defined, can be used to control access
to pages, buttons, tabs, items, and so
on. It is important to attach an authorization
scheme to every restricted page itself, not just to
the navigational controls used to reach
those pages: a user who is not shown a tab or link
can still request the page directly by its URL.
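The following Python model illustrates the point above. It is an added example, not code from the column or from Oracle Application Express: it imitates how a page request is handled (look up the session record stored server-side, then apply the page's authorization scheme) so that the difference between hiding a tab and protecting the page is visible. The application ID 100, the three pages, the ADMIN_ONLY predicate, and the two session records are constructed for the example.

```python
"""Model of an APEX page request: session lookup, then page authorization.
Added example; not Oracle Application Express's own request handling."""

# Hypothetical application 100 with three pages; only Admin carries a scheme.
APP_ID = 100
PAGES = {
    1: {"name": "Home", "authorization": None},
    4: {"name": "Orders", "authorization": None},
    9: {"name": "Admin", "authorization": "ADMIN_ONLY"},
}

# Authorization schemes as predicates over the session record. In APEX a scheme
# is a SQL or PL/SQL expression; this Python predicate is an assumption.
SCHEMES = {"ADMIN_ONLY": lambda sess: sess["is_admin"]}

# Server-side session store keyed by the session ID that travels in the URL.
# Constructed sample data: one ordinary user and one administrator.
SESSIONS = {
    1111: {"user": "DEMO", "is_admin": False},
    2222: {"user": "ADMIN", "is_admin": True},
}


def parse_fp(url: str):
    """Split f?p=APP:PAGE:SESSION[:REQUEST...] into (app, page, session)."""
    parts = url[len("f?p="):].split(":")
    return int(parts[0]), int(parts[1]), int(parts[2])


def authorized(sess, scheme) -> bool:
    """A page with no scheme is open to every authenticated user."""
    return scheme is None or SCHEMES[scheme](sess)


def visible_tabs(session_id: int):
    """Navigation tabs rendered for the user; each tab carries its page's scheme."""
    sess = SESSIONS[session_id]
    return [p["name"] for p in PAGES.values() if authorized(sess, p["authorization"])]


def request(url: str, page_authorization_enforced: bool = True) -> str:
    """Handle one request. page_authorization_enforced=False models an application
    that applied the scheme only to the tab, the mistake the text warns against."""
    app, page_id, session_id = parse_fp(url)
    if app != APP_ID or page_id not in PAGES:
        return "not found"
    sess = SESSIONS.get(session_id)
    if sess is None:                      # unknown or expired session
        return "redirect to login"
    page = PAGES[page_id]
    if page_authorization_enforced and not authorized(sess, page["authorization"]):
        return "access denied"
    return f"render {page['name']} for {sess['user']}"


if __name__ == "__main__":
    print(visible_tabs(1111))                                   # DEMO never sees Admin
    print(request("f?p=100:9:1111", page_authorization_enforced=False))  # ...but reaches it by URL
    print(request("f?p=100:9:1111"))                            # page-level scheme blocks it
```

The tab for page 9 is hidden from DEMO in both configurations; only the page-level scheme stops a request typed straight into the address bar.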
MANAGING SESSION TIMEOUTS
One essential way to harden your
application is to ensure that users are
automatically timed out of the current
session after a period of time or if
they are idle for a certain period of
time. Timeouts limit the ability of
unauthorized people to access the
open application from a valid user’s
unattended system.
Follow these steps to define, in the
Sample Application, a public Session
Timeout page to which timed-out users
are automatically sent:
1. Select the Sample Application from
Application Builder. Click Create Page.
Select Blank Page, and click Next twice.
2. Enter Session Timeout for Name, click
Next twice, and then click Finish.
3. Note the number of the new page,
which you’ll need for a later step. Click
Edit Page.
4. Under Page, click Session Timeout
for Page Name. Click Security, select
Page is Public for Authentication, and
click Apply Changes.
5. In the Regions area, click the Create
icon. Select HTML, and click Next.
Select HTML again, and click Next.
6. Enter Idle Timeout for Title, and
click Next. In the Enter HTML Text
Region Source box, enter Idle time has
been exceeded and your session has been
expired. Click Next.
7. Select Request = Expression 1 for
Condition Type, enter IDLE in the
Expression 1 box, and click Create
Region.
8. Repeat Step 5.
9. Enter Maximum Session Timeout for
Title, and click Next. In the Enter
HTML Text Region Source box, enter
Total session time has been exceeded and
your session has been expired. Click Next.
10. Select Request = Expression 1 for
Condition Type, enter MAXIMUM in the
Expression 1 box, and click Create
Region.
11. Click Shared Components.
Under Security, click Edit Security
Attributes.
12. Click Session Timeout, and select
1 Minute for Maximum Session
Length in Seconds. Using the application ID in place of &APP_ID and
the actual page number from Step
3 in place of xx, enter f?p=&APP_ID:xx:0:MAXIMUM for Session Timeout
URL, select 10 Seconds for Maximum
Session Idle Time in Seconds, enter
f?p=&APP_ID:xx:0:IDLE for Idle Timeout
URL, and click Apply Changes.
Now you can test the timeout. Run
the application, but do nothing in the
application’s user interface for at least
15 seconds. The Session Timeout page
should appear, with the idle message
shown in Figure 1.
Log back in to the application by
clicking the Logout link at the top of
the screen and signing in again. Then navigate around the application continuously for more than one
minute. The Session Timeout page
should appear, with the maximum
session message.
Go back to Application Builder, and
follow Steps 11 and 12 above, this time
setting Maximum Session Length and Maximum Session Idle Time
to values appropriate for real use; the one-minute and ten-second
settings exist only to make the test observable.
Figure 1: Idle timeout
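The two timeouts configured in Steps 11 and 12 behave differently: activity resets the idle clock but never the maximum-length clock. The Python model below is an added example, not Oracle Application Express's own session code; it reproduces the behaviour the walkthrough describes and builds the same f?p=&APP_ID:xx:0:REQUEST URLs. The application ID 100 and the timeout page number 25 stand in for the real values from Step 3, and the choice to report MAXIMUM before IDLE when both limits are exceeded is an assumption.

```python
"""Model of the idle and maximum session timeouts from Steps 11 and 12.
Added example; it imitates the behaviour the walkthrough describes and is not
Oracle Application Express's own session code."""
from dataclasses import dataclass
from typing import Optional

# Values chosen in Step 12. APP_ID and TIMEOUT_PAGE are assumptions standing in
# for the real application ID and the page number noted in Step 3.
MAX_SESSION_LENGTH = 60   # Maximum Session Length in Seconds (1 minute)
MAX_IDLE_TIME = 10        # Maximum Session Idle Time in Seconds
APP_ID = 100
TIMEOUT_PAGE = 25


@dataclass
class Session:
    user: str
    created_at: float             # login time; the maximum-length clock never resets
    last_activity: float          # last accepted request; the idle clock resets here
    reason: Optional[str] = None  # "IDLE" or "MAXIMUM" once the session has expired


def timeout_url(request: str) -> str:
    """f?p=APP:PAGE:SESSION:REQUEST as entered in Step 12, values substituted.
    Session 0 means the old session is gone; REQUEST is what the two region
    conditions from Steps 7 and 10 test."""
    return f"f?p={APP_ID}:{TIMEOUT_PAGE}:0:{request}"


def check_session(session: Session, now: float) -> Optional[str]:
    """Return None while the session is valid, otherwise the redirect URL.
    The absolute limit is tested before the idle limit (assumption: the hard
    cap is reported even if the user was also idle), and an expired session
    stays expired however quickly the next request arrives."""
    if session.reason is None:
        if now - session.created_at > MAX_SESSION_LENGTH:
            session.reason = "MAXIMUM"
        elif now - session.last_activity > MAX_IDLE_TIME:
            session.reason = "IDLE"
    return None if session.reason is None else timeout_url(session.reason)


def handle_request(session: Session, now: float):
    """One page request at time `now` (seconds since login)."""
    redirect = check_session(session, now)
    if redirect is not None:
        return ("redirect", redirect)
    session.last_activity = now   # activity resets only the idle clock
    return ("render", "page")


def simulate(request_times, login_time: float = 0.0):
    """Log in at login_time, then issue requests at the given times."""
    session = Session(user="DEMO", created_at=login_time, last_activity=login_time)
    return [handle_request(session, t) for t in request_times]


if __name__ == "__main__":
    # The two tests from the text: wait 15 s, or stay active for over a minute.
    print(simulate([15]))
    print(simulate(range(5, 70, 5))[-2:])
```

A request every five seconds keeps the idle clock well under ten seconds, yet the request at 65 seconds is still redirected with MAXIMUM, which is exactly what the second test in the text observes.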