Making Sense of Apex Security
Christoph Ruepprich, Enkitec
3,833 views. Published in: Technology
Slide 2: Who Am I?
• Dad & Husband
• Consultant @ Enkitec
• DBA/Developer
• Fitness
• Bass player
• Board gamer
ruepprich.wordpress.com | @CRuepprich | cruepprich | cruepprich@enkitec.com

Slide 3: Things to Cover
• Authentication
• Login / Logout Processing
• Authorization
• Security Settings and Reports

Slide 4: Authentication
• Who gets in:
  ◦ Username
  ◦ Password

Slide 5: Authentication Types
• Apex Authentication
• LDAP
• Database Account
• Open Door
• SSO
• HTTP Header Variable
• No Authentication

Slide 6: Apex Authentication – The Good
• Built in
• Users defined in Apex workspace
• Quick & easy setup
• User & group management
• Access to all applications in workspace

Slide 7: Apex Authentication – The Bad
• Users tied to a workspace
• Not scalable

Slide 8: LDAP Authentication
• Authenticate against existing LDAP
• Great for enterprise applications
• Requires ACL setup (11g)

Slide 9: Database Account – The Good
• Existing database accounts
• Handy when migrating from Oracle Forms
• No privileges needed
• Does not create a database session

Slide 10: Database Account – The Bad
• Not a good long-term solution
• Accounts should be moved to an LDAP or custom authentication scheme

Slide 11: Open Door Credentials
• Only username required
• Not secure
• Useful for testing

Slide 12: Oracle App. Svr. Single Sign On (OASSO)
• For use with Oracle Application Server
• Authenticate once and have access to many other applications
• Register Apex as an OASSO partner application
• Uses OASSO login page

Slide 13: No Authentication
• No username or password required
• Good for public pages

Slide 14: HTTP Header Variable
• Used in conjunction with a single sign-on server
• Uses value from header variable
• Header variables can be viewed with owa_util.print_cgi_env;

Slide 15: Authentication
• Apex tracks user throughout the session
  ◦ :APP_USER
  ◦ &APP_USER.
  ◦ V('APP_USER')
• Unauthenticated users show up as nobody
Slides 16–20: Settings
• Processing points
  ◦ Sentry
    ▪ Replaces the built-in Apex sentry function
    ▪ Called before every page view and asynchronous transaction
    ▪ Returns boolean
    ▪ Ensures session is still valid
    ▪ When FALSE, session is killed and invalid session procedure is called
  ◦ Pre Authentication
    ▪ Fires before authentication function
    ▪ Does not fire with outside authentication (SSO), or no authentication
  ◦ Post Authentication
    ▪ Fires after user is authenticated, session is registered and cookie is set
    ▪ Good for logging
    ▪ Does not fire with no authentication, or when browser is closed
  ◦ Session Not Valid (Invalid Session)
    ▪ Fires when sentry returns FALSE
    ▪ Good for enforcing business rules (can't log in on Sundays)
    ▪ Specifies where user will be redirected to
  ◦ Cookies
Slide 21: Session Cookie
• Cross-application authentication
• Specify same cookie name in multiple apps
• Include session id in URL

Slide 22: Authentication

Slide 23: Authentication
• All Apex needs is a TRUE or FALSE from an authentication process
• Apex knows what to do in either case
• Same for all authentication types

Slide 24: Browsing to a page

Slide 25: Authentication Flow
• Each page uses a sentry function to determine whether the session is valid (session ID + cookie)
• Sentry returns TRUE/FALSE
• Invalid session gets redirected to Login (see Application Properties -> User Interfaces)
• Valid (or public) session sees page

Slide 26: Logging In

Slide 27: Login Page Processing
1. Get Username Cookie – reads LOGIN_USERNAME_COOKIE
2. If exists, populate P101_USERNAME
3. Password field does not save state
4. When login page is submitted, the APEX_AUTHENTICATION API processes username and password
5. The API calls the current authentication scheme and returns TRUE or FALSE
6. When TRUE, session info is stored in WWV_FLOW_SESSIONS$
7. Finally the page cache for the login page is cleared
8. Browser is redirected to next page

Slide 28: Login Page Processing
1. Get Username Cookie – reads LOGIN_USERNAME_COOKIE
2. If exists, populate P101_USERNAME
3. Password field does not save state
4. When page is submitted
   1. The login cookie is set with the username value
   2. The APEX_AUTHENTICATION API processes username and password
   3. When API returns TRUE, session info is stored in WWV_FLOW_SESSIONS$
   4. A process clears the page cache
   5. Browser is redirected

Slide 29: Logout Processing
• Logout can happen at various events
  ◦ Logout link is clicked
  ◦ Session duration exceeded
  ◦ User exits browser
  ◦ Session cookie is altered
  ◦ Etc.
• These events make session invalid and invoke the Session Not Valid action

Slide 30: Logout Cleanup
• When logout link is clicked, session is terminated and stored session values get deleted.
• Any other termination invalidates session state and a purge job cleans up the stored data later (ORACLE_APEX_PURGE_SESSIONS).

Slide 31: Application Level Authentication
• Set for entire application

Slide 32: Page Level Authentication
• Pages are either authenticated or public
• Edit Page -> Security
Slide 33: Custom Authentication
• Complete control
• Table based
• Can be either very simple or complex

Slide 34: Custom Authentication
• User table
• Group table
• Function to verify credentials

Slide 35: Custom Authentication
• User table example
  ◦ ID
  ◦ USERNAME
  ◦ PASSWORD
  ◦ FIRST_NAME
  ◦ LAST_NAME
  ◦ EMAIL_ADDRESS

Slide 36: Custom Authentication
• Authentication function
  ◦ Arguments: username, password
  ◦ Return TRUE if authenticated
Slide 37: Custom Authentication
apex_auth.authenticate_fn checks the password against the table. Match? Return TRUE. No match? Return FALSE.

    FUNCTION authenticate_fn (p_username VARCHAR2, p_password VARCHAR2)
      RETURN boolean
    IS
      l_count pls_integer;
    BEGIN
      /* do some verification: compare the hashed password (see slide 39)
         with user_table.password, assumed here to hold the RAW hash */
      SELECT COUNT(*) INTO l_count
        FROM user_table
       WHERE username = p_username
         AND password = dbms_crypto.hash(utl_raw.cast_to_raw(p_password), 2);
      IF l_count = 1 THEN
        APEX_UTIL.SET_AUTHENTICATION_RESULT(0);  -- 0 = successful authentication
        RETURN TRUE;
      END IF;
      APEX_UTIL.SET_AUTHENTICATION_RESULT(4);    -- 4 = password incorrect
      RETURN FALSE;
    END;
Slide 38: Custom Authentication
• If function returns TRUE, redirect to Home URL
• Edit Application Properties -> User Interfaces -> User Interfaces -> User Interface Details
Slide 39: Password Security
• Store a hashed password in the user table, never the cleartext one.
• dbms_crypto.hash(utl_raw.cast_to_raw(p_str), 2); (typ 2 selects DBMS_CRYPTO.HASH_MD5, i.e. unsalted MD5)
• In the authentication function, compare the hash of the submitted password to user_table.password.
Slide 40: Additional Processing Points
• Pre-Authentication: before credentials are verified.
• Post-Authentication: only after credentials are verified.
• Session Verify Function: additional business rules. No login throttle.
Slide 41: Session Verify Function
• Prevent logins on Sundays. Is today Sunday? No? Return TRUE. Yes? Return FALSE.

    FUNCTION session_is_valid RETURN boolean
    IS
    BEGIN
      -- day abbreviation pinned to English so the check does not depend on the session's NLS language
      IF TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN' THEN
        RETURN FALSE;
      ELSE
        RETURN TRUE;
      END IF;
    END;
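The custom scheme of slides 35 to 41 in one working piece, as an added example that is not code from the slides: a table-based authentication package that stores per-user salted SHA-256 hashes instead of the slides' unsalted MD5 (typ 2), reports a result code for the Login Attempts report, and a session verify function that applies the Sunday rule and also re-checks the account on every page view. Assumed: an APEX parsing schema on Oracle 12c or later (DBMS_CRYPTO.HASH_SH256 is not available on 11g) with EXECUTE on SYS.DBMS_CRYPTO; the names app_users, app_auth, set_password, authenticate_fn and session_is_valid are hypothetical, and SALT and IS_ACTIVE are columns added to the slides' user table layout.

```plsql
-- Added example, not code from the slides. Names are hypothetical; SALT and
-- IS_ACTIVE extend the user table from slide 35. Requires 12c+ and EXECUTE on DBMS_CRYPTO.

CREATE TABLE app_users (
  id             NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,  -- 12c+ identity column
  username       VARCHAR2(100) NOT NULL UNIQUE,
  salt           RAW(16)       NOT NULL,   -- random per user, stored in the clear
  password_hash  RAW(32)       NOT NULL,   -- SHA-256(salt || password bytes)
  first_name     VARCHAR2(100),
  last_name      VARCHAR2(100),
  email_address  VARCHAR2(255),
  is_active      CHAR(1) DEFAULT 'Y' NOT NULL
);

CREATE OR REPLACE PACKAGE app_auth AS
  PROCEDURE set_password (p_username IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION  authenticate_fn (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
  FUNCTION  session_is_valid RETURN BOOLEAN;
END app_auth;
/

CREATE OR REPLACE PACKAGE BODY app_auth AS

  -- DBMS_CRYPTO.HASH_SH256 (= 4); the slides' literal 2 is DBMS_CRYPTO.HASH_MD5.
  FUNCTION hash_password (p_salt IN RAW, p_password IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN dbms_crypto.hash(
             src => utl_raw.concat(p_salt, utl_raw.cast_to_raw(p_password)),
             typ => dbms_crypto.hash_sh256);
  END hash_password;

  PROCEDURE set_password (p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := dbms_crypto.randombytes(16);   -- fresh salt on every change
  BEGIN
    UPDATE app_users
       SET salt = l_salt, password_hash = hash_password(l_salt, p_password)
     WHERE upper(username) = upper(p_username);
    IF SQL%ROWCOUNT = 0 THEN
      raise_application_error(-20001, 'unknown user');
    END IF;
  END set_password;

  -- Authentication Function Name in the custom scheme: app_auth.authenticate_fn
  FUNCTION authenticate_fn (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN IS
    l_user  app_users%ROWTYPE;
    l_dummy RAW(32);
  BEGIN
    SELECT * INTO l_user FROM app_users WHERE upper(username) = upper(p_username);

    IF l_user.is_active <> 'Y' THEN
      apex_util.set_authentication_result(2);    -- 2 = account locked
      RETURN FALSE;
    END IF;
    -- Recompute with the stored salt; UTL_RAW.COMPARE returns 0 when identical.
    IF utl_raw.compare(hash_password(l_user.salt, p_password), l_user.password_hash) = 0 THEN
      apex_util.set_authentication_result(0);    -- 0 = successful authentication
      RETURN TRUE;
    END IF;
    apex_util.set_authentication_result(4);      -- 4 = password incorrect
    RETURN FALSE;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: hash anyway so response time does not reveal valid usernames.
      l_dummy := hash_password(hextoraw('00'), p_password);
      apex_util.set_authentication_result(1);    -- 1 = unknown user name
      RETURN FALSE;
  END authenticate_fn;

  -- Verify Function Name in the scheme: app_auth.session_is_valid
  FUNCTION session_is_valid RETURN BOOLEAN IS
    l_active app_users.is_active%TYPE;
  BEGIN
    IF v('APP_USER') IS NULL OR v('APP_USER') = 'nobody' THEN
      RETURN TRUE;                               -- public page, nothing to verify
    END IF;
    -- Business rule from slide 41, day name pinned to English.
    IF TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN' THEN
      RETURN FALSE;
    END IF;
    -- A deactivated account loses its running session at the next page view
    -- instead of staying valid until the session times out.
    SELECT is_active INTO l_active
      FROM app_users WHERE upper(username) = upper(v('APP_USER'));
    RETURN l_active = 'Y';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN FALSE;                              -- user deleted since login
  END session_is_valid;

END app_auth;
/
```

In the application's Authentication Scheme (type Custom) set Authentication Function Name to app_auth.authenticate_fn and Verify Function Name to app_auth.session_is_valid. The result codes passed to APEX_UTIL.SET_AUTHENTICATION_RESULT are what the Login Attempts by Authentication Result report (slide 73) groups by; the login page itself still shows the same generic failure message for every code.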
Slide 42: Session Cookie (diagram: applications Kermit, Piggy, Fozzy share one session cookie; link f?p=PIGGY:PAGE:&SESSION.)

Slide 43: Session Cookie (diagram: Kermit, Piggy, Fozzy; Logout URL f?p=SHOW:101)
Slide 44: Authorization

Slide 45: Authorization
• After authentication
• Control access to
  ◦ Applications*
  ◦ Pages
  ◦ Page items
  ◦ Etc.
• Depends on
  ◦ User attributes
  ◦ Groups

Slide 46: Authorization – Application Level
Who gets into the application. You may have 1000s of users, but only a small group should have access. Gatekeeper.

Slide 47: Authorization – Application Level
• Application Properties -> Security

Slide 48: Authorization – Page Level
• Edit Page -> Security

Slide 49: Authorization – Item Level
• Edit Item -> Security

Slide 50: Authorization – Bulk Edit
• Application -> Utilities -> Cross Page Utilities -> Grid Edit all Pages

Slide 51: Group Management
• Apex Authorization
  ◦ Authorization Scheme: apex_util.get_groups_user_belongs_to(:APP_USER);
• LDAP
  ◦ :AI_LDAP_GROUPS := apex_auth.ldap_get_groups_fn(:APP_USER);
• Custom Authorization
  ◦ Table based
  ◦ Custom function to get group membership
Slide 52: Apex Group

    declare
      l_groups      varchar2(1000);
      l_arr_groups  apex_application_global.vc_arr2;
      l_authorized  boolean := false;
      l_idx         pls_integer;
    begin
      -- get comma separated list of groups user belongs to
      l_groups := apex_util.get_groups_user_belongs_to(:APP_USER);
      -- convert l_groups into array
      l_arr_groups := apex_util.string_to_table(p_string => l_groups, p_separator => ',');
      -- check if vocals group is present
      for l_idx in 1..l_arr_groups.count loop
        if (trim(l_arr_groups(l_idx)) = 'vocals') then
          l_authorized := true;
        end if;
      end loop;
      return l_authorized;
    end;
Slide 53: LDAP Group
Slide 54: Custom Group

    FUNCTION belongs_to_admins (p_username VARCHAR2)
      RETURN boolean
    IS
      l_yesno VARCHAR2(3);
    BEGIN
      -- MAX over zero rows is NULL, so NVL yields 'NO' when no membership row exists
      SELECT NVL(MAX('YES'), 'NO')
        INTO l_yesno
        FROM my_user_table
       WHERE username  = p_username
         AND usergroup = 'ADMINS';
      IF l_yesno = 'YES' THEN
        RETURN TRUE;
      ELSE
        RETURN FALSE;
      END IF;
    END;
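A table-based group check that generalises the slide's belongs_to_admins to any group, as an added example that is not code from the slides. The table app_user_groups, the function user_in_group and the sample rows are constructed for the example; the slides' own my_user_table is not used.

```plsql
-- Added example, not from the slides. Names and sample rows are constructed.
CREATE TABLE app_user_groups (
  username    VARCHAR2(100) NOT NULL,
  group_name  VARCHAR2(100) NOT NULL,
  CONSTRAINT app_user_groups_pk PRIMARY KEY (username, group_name)
);

-- Constructed sample data; usernames and group names are kept upper case
INSERT INTO app_user_groups VALUES ('KERMIT', 'ADMINS');
INSERT INTO app_user_groups VALUES ('KERMIT', 'VOCALS');
INSERT INTO app_user_groups VALUES ('PIGGY',  'VOCALS');
COMMIT;

-- TRUE only when an explicit membership row exists; unknown users and
-- unknown groups fall through to FALSE (deny by default).
CREATE OR REPLACE FUNCTION user_in_group (p_username IN VARCHAR2, p_group IN VARCHAR2)
  RETURN BOOLEAN IS
  l_count PLS_INTEGER;
BEGIN
  IF p_username IS NULL OR p_group IS NULL THEN
    RETURN FALSE;
  END IF;
  SELECT COUNT(*) INTO l_count
    FROM app_user_groups
   WHERE username   = upper(p_username)
     AND group_name = upper(p_group);
  RETURN l_count > 0;
END user_in_group;
/

-- Authorization Scheme "ADMINS", type PL/SQL Function Returning Boolean; the body is:
--   return user_in_group(:APP_USER, 'ADMINS');
-- Attach the scheme at application, page or item level (slides 47 to 50).
```

Because APEX can cache an authorization scheme's result once per session, a membership row removed in app_user_groups only takes effect for a running session when the scheme's evaluation point is set to once per page view; with per-session evaluation the user keeps the access until they log out.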
Slide 55: Authorization – Utilization
• Shared Components -> Authorization Schemes -> Utilization

Slide 56: Pages With Authorization Schemes

Slide 57: Pages Without Authorization Schemes

Slide 58: Example: Apex Authentication

Slide 59: Apex User Attributes
• Admin/Developer attributes
• Groups

Slide 60: Apex Account Privileges

    SELECT 1
      FROM APEX_WORKSPACE_APEX_USERS
     WHERE user_name = :APP_USER
       AND is_admin = 'Yes';

Get Account Privileges:

    SELECT 1
      FROM APEX_WORKSPACE_APEX_USERS
     WHERE user_name = :APP_USER
       AND is_developer = 'Yes';

Slide 61: Apex Group Assignment

Slide 62: Apex Groups

Slide 63: Authentication Scheme
• Check for group membership

Slide 64: Authentication Subscription
• Subscribe to existing scheme
• Changes get passed on

Slide 65: Authorization Subscription
• Changes are not automatically passed on
• Push changes

Slide 66: Authentication Subscription
• Pull changes individually

Slide 67: Invalid Session Detail
• Fires after page sentry
• Specify the URL to go to when an invalid session is detected: f?p=KSCOPE13:101:&APP_SESSION.:HELLO_KITTY:&DEBUG.::::

Slide 68: Account Login Control
• Works on end user accounts of Apex user management.

Slide 69: Apex Instance Controls
• Session Timeout

Slide 70: Apex Instance Controls
• General Login Control

Slide 71: Password Policy
• For Apex accounts

Slide 72: Password Policy, continued

Slide 73: Reports
• Login Attempts
• Login Attempts by Authentication Result
• Developer Login Summary
• Administration -> Monitor Activity

Slide 74: Session State Protection