Skip to main content

APEX 5 New Runtime API Lockdown Features

In APEX 4.x the developer could implement a feature that involves a call to the APEX API. E.g. you could create new pages on the fly if you would like to (just examine an export file for the how-to). You could drop an application using a procedure from the APEX_INSTANCE_ADMIN package. You could drop a user using APEX_UTIL.REMOVE_USER. If this is all on purpose and secured than that's fine. But maybe you created some opportunities for SQL Injection ... and someone else could use that technique to call those very same procedures. So the bad guy (or girl) could drop your application - or maybe even worse : could create a user and give himself full access to everything!
Of course you should prevent that from happening by fixing the SQL Injection holes. But next to that: You can prevent that your application uses those API's at all! And in APEX 5 that's even the default setting. So you're safe by default ;-)

But assume you really need access to those API's, there is an Application Level Security setting you can set.
So you can switch on access to API's that make changes to Applications or the Workspace. The only thing is - you have to figure out yourself what setting you should enable...
So what happens if your application has the option of creating a user on the fly - and thus calling APEX_UTIL.CREATE_USER - and you didn't switch the "Modify Workspace Repository" ?
Then you (or your user) gets this "nice" error page:
This sounds rather cryptic - and it is - but actually there is an entry in the Debug Messages with that ID. Even when you're not running in debug mode!
And this entry is:
But of course it is better to catch these errors (and all other ones as well) via an Error Handling Function. That way you can get an email when something like this happens and fix it - or be warned that some bad things are happening ....

But it's a nice additional security feature!


Post a Comment

Popular posts from this blog

Refresh selected row(s) in an Interactive Grid

In my previous post I blogged about pushing changed rows from the dabatase into an Interactive Grid. The use case I'll cover right here is probably more common - and therefore more useful!

Until we had the IG, we showed the data in a report (Interactive or Classic). Changes to the data where made by popping up a form page, making changes, saving and refreshing the report upon closing the dialog. Or by clicking an icon / button / link in your report that makes some changes to the data (like changing a status) and ... refresh the report.  That all works fine, but the downsides are: The whole dataset is returned from the server to the client - again and again. And if your pagination size is large, that does lead to more and more network traffic, more interpretation by the browser and more waiting time for the end user.The "current record" might be out of focus after the refresh, especially by larger pagination sizes, as the first rows will be shown. Or (even worse) while you…

Using multiple Authentication Schemes for your APEX application

Recently someone asked me how he could implement multiple authentication schemes for his APEX application. He would like to use (some kind of) Single Sign-on authentication and - as an alternative - an Application Express Authentication. The problem is ... you can only define one Authentication Scheme being "Current" for an application! So how can we solve this issue?

First, we need te be aware that multiple applications can share their authentication by using the same cookie. Thus if you specify "MYCOOKIE" as the Cookie Name in Application A as well as in Application B, you can switch from A to B and back without the need of logging in again. It doesn't matter what Authentication Scheme Type you are using!

Knowing this, we are halfway our solution. We need two Applications. One - the "real" application - using the Application Express Authentication, let's name this one "LAUNCHPAD". And another one using the Single Sign-on Authentication…

Dockerize your APEX development environment

Nowadays Docker is everywhere. It is one of the main components of Continuous Integration / Continuous Development environments. That alone indicates Docker has to be seen more as a Software Delivery Platform than as a replacement of a virtual machine.

However ...

If you are running an Oracle database using Docker on your local machine to develop some APEX application, you will probably not move that container is a whole to test and production environments. Because in that case you would not only deliver a new APEX application to the production environment - which is a good thing - but also overwrite the data in production with the data from your development environment. And that won't make your users very excited.
So in this set up you will be using Docker as a replacement of a Virtual Machine and not as a Delivery Platform.
And that's exactly the way Martin is using it as he described in this recent blog post. It is an ideal way to get up and running with an Oracle database …