Configuring Security Attributes

About Navigation Alternatives

The Edit Security Attributes page is divided into the following sections: Authentication, Authorization, Database Schema, Session State Protection, and Virtual Private Database. You can access these sections by scrolling down the page, or by clicking a navigation button at the top of the page.

When you select a button at the top of the page, the selected section appears and all other sections are temporarily hidden. To view all sections of the page, click Show All.

Authentication

Authentication is the process of establishing users' identities before they can access an application. Although you define multiple authentication schemes for your application, only one scheme can be current at a time. Table: Authentication Attributes describes the attributes available under Authentication.

Authorization

Authorization controls user access to specific controls or components based on user privileges. You can specify an authorization scheme for your application, by making a selection from the Authorization Scheme list. You can assign only one authorization to an entire application. However, you can assign an authorization scheme to individual pages, page controls (such as a region, a button, or an item), or a shared component (such as a menu, a list, or a tab).

To create a authorization scheme, click Define Authorization Schemes.

An authorization scheme is a binary operation that either succeeds (equals true) or fails (equals false). If it succeeds, then the component or control can be viewed. If it fails, then the component or control cannot be viewed or processed. When you attach an authorization scheme to a page and it fails, an error message displays instead of the page. However, when you attach an authorization scheme to a page control (for example, a region, a button, or an item) and it fails, no error page displays. Instead, the control either does not display or is not processed or executed.

Database Schema

Use Parsing Schema to specify the database scheme for the current application. Once defined, all SQL and PL/SQL commands issued by the application will be performed with the rights and privileges of the defined database schema.

Session Timeout

Use the following attributes to reduce exposure to abandoned computers with an open Web browser by application:

• Maximum Session Length in Seconds - Enter a positive integer representing how many seconds a session used by this application will exist. Leave the value NULL for the session to exist indefinitely. This session duration may be superseded by the operation of the job that runs every eight hours which deletes sessions older than 24 hours.

• On session timeout direct to this URL - Enter an optional URL to be redirected to when the Maximum Session Length in Seconds has been exceeded. If implemented in Oracle Application Express, the target page in this URL should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If no URL is supplied, the user is redirected to the application home page.

• Maximum Session Idle Time in Seconds - Enter a positive integer representing how many seconds of inactivity or idle time a session used by this application should permit. The idle time is the time between one page request and the next one. Leave the value NULL to prevent session idle time checks from being performed.

• On session idle time timeout direct to this URL - Enter an optional URL to be redirected to when the Maximum Session Idle Time in Seconds has been exceeded. If implemented in Oracle Application Express, the target page in this URL should be a public page. A common use for this page would be to inform the user of the session is redirected to the application home page. If no URL is supplied, the user is redirected to the application home page.

Session State Protection

Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.

To enable or disable Session State Protection for your application, make a selection from the Session State Protection list. Setting Session State Protection to Enabled turns on session state protection controls defined at the page and item level.

Allows URLS Created After lists the date and time after which bookmarked links are usable to access pages in this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application.Bookmarks created before this date and time are not usable to access this application if the bookmarked link contains a checksum and Session State Protection is enabled for the application.Bookmarks that do not contain checksums or bookmarks that contain checksums that are unnecessary are not affected by this attribute. Their usability is determined using other criteria.A hidden application attribute (a checksum salt) is used during the computation and later verification of checksums included in f?p= URLs generated during page rendering. Checksums are included when Session State Protection is enabled for the application. You can reset this checksum salt attribute at any time by clicking the Expire Bookmarks button. Clicking this button causes any bookmarked URLs that contain previously generated checksums to fail when they are subsequently used to access the application.

To configure Session State Protection, click Manage Session State Protection.

Virtual Private Database (VPD)

Use this attribute to enter a PL/SQL block that sets a Virtual Private Database (VPD) context for the current database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the APP_USER value is established. The value of APP_USER (using :APP_USER or v('APP_USER')) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state before the initiation of the current page request. Consider the following example:

dbms_session.set_context('CTX_USER_QRY','USERPRIV',my_package.my_function(:APP_USER));

The previous example sets the value of USERPRIV in the context named CTX_USER_QRY to the value returned by the function my_function in package my_package. The function is passed the current value of APP_USER as an input argument. Presumably, the named context would be used in a VPD policy (created within the application's parsing schema) to effect the generation of predicates appropriate to the authenticated user.

Virtual Private Database, also know as Fine-Grained Access Control or FGAC, is an Oracle database feature that provides an application programming interface (API) that enables developers to assign security policies to database tables and views. Using PL/SQL, developers can create security policies with stored procedures and bind the procedures to a table or view by means of a call to an RDBMS package. Such policies are based on the content of application data stored within the database, or based on context variables provided by Oracle database. In this way, VPD permits access security mechanisms to be removed from applications, and to be situated closer to particular schemas.

The code entered in this section need not pertain to VPD/FGAC and may not be related to security at all. Any code that needs to be executed at the earliest point in a page request can be placed here. For example, to set the database session time zone for every page request:

BEGIN
  EXECUTE IMMEDIATE 'alter session set time_zone = ''Australia/Sydney'' ';
END;