Utilizing Improved Security Enhancements in Application Express 3.2

Purpose

This tutorial shows you how to utilize some of the improved security enhancements introduced in Oracle Application Express 3.2.

Time to Complete

Approximately 60 minutes

Topics

This tutorial covers the following topics:

 Overview
 Prerequisites
 Examining the Session State for a Password Item on the Login Page
 Reviewing Differences Between Password Item Types in Session State
 Passing Password Item Values Between Pages
 Identifying At Risk Password Items
 Setting an Application's Idle and Session Timeouts
 Setting Application Express Idle and Session Timeout Defaults
 Setting Password Complexity Rules
 Summary


Overview

In Oracle Application Express 3.2, a number of security enhancements have been incorporated. Some key enhancements include the ability to:

 Declaratively encrypt session state
 Declaratively specify session timeouts for maximum idle time and maximum session duration
 Create new password item types that enable users to enter passwords without ever saving them to session state.

Other features designed to minimize the exposed footprint include reducing the privileges required by the Oracle Application Express database account, disabling the Database Monitor feature by default, and providing administrators the ability to require HTTPS for the administration and development suite applications. In addition, administrators can now restrict new or updated account passwords to those that have not previously been used for a specified duration and, for new installations, require that service administrator account passwords conform to a strong password policy.

Oracle Application Express documentation has also been improved to provide you with more resources to build secure Web applications. These new features complement existing Oracle Application Express security features including flexible authentication, authorization schemes, URL tampering protection, and so on. For further information, see Managing Application Security.


Prerequisites

Before you perform this tutorial, you should:

1. Install Oracle Database 11g.

2. Install Oracle Application Express Release 3.2, available on OTN.

3. Create a workspace and make sure the Sample Application is installed.

Examining the Session State for a Password Item on the Login Page

To review the session state of the password item on the login page of the Sample Application, perform the following steps:

1. Enter the following URL to log in to Oracle Application Express:

http://<hostname>:8080/apex

2. To log in to Oracle Application Express, enter the following details and click Login.

Workspace: <your workspace name>
Username: <your username>
Password: <your password>

3. On the Workspace home page, click Application Builder.

4. Select Sample Application.

5. Select the 16-20 link to go to the second page.

6. Navigate to the Application Page for the Sample Application and click the 101 - Login page. Note that this page is on the second page of the Sample Application.

7. You want to review the session state values of the current login page. Click Run.

8. Enter demo for the User Name, enter something invalid for the Password, and click Login.

9. Select the Session link in the developer toolbar.

10. Notice that the Display for the Password item is set to Password (submits when Enter pressed, does not save state). This is a new item type in Application Express 3.2. Close this window.

In previous releases, the type for the Password on the login page was set to Password (submits when Enter pressed), which did show the value in session state.

Note that if you import an existing Application or Packaged Application with a Login page, the item type for Password will not change. If you want to take advantage of the new item type, you will need to change it manually.

Reviewing Differences Between Password Item Types in Session State

To see how the various password item types work with session state, you will create a new page that contains four items:

1. A Password item that will not be stored in session state

2. A Password item that will be stored in session state, encrypted

3. A Password item that will be stored in session state, not encrypted

4. A Text item that will be stored in session state, encrypted
Perform the following steps:

1. To show the difference between the password types, you will create a page that contains items with different password item types. Select the Create link in the developer toolbar.

2. Select New Page and click Next.

3. Make sure Blank Page is selected and click Next.

4. Click Next.

5. Enter Password Item Test for the Name and click Next.

6. Select Yes - Use an existing tab set and create a new tab within the existing tab set and click Next.

7. Accept the default and click Next.

8. Enter Password Item for the Label and click Next.

9. Click Finish.

10. You want to add a region and some items to the page. Click Edit Page.

11. Under Regions, click the Create Region icon.

12. Make sure HTML is selected and click Next.

13. Make sure HTML is selected again and click Next.

14. Enter Password Testing for the Title and click Create.

15. You can now create some items. Click the Create Item icon.

16. Select the Password item type and click Next.

17. Select Password (submits when Enter pressed, does not save state) and click Next.

18. Enter P10_PASSWORD for the Item Name and click Next.

19. Accept the default and click Next.

20. Click Create Item.

21. You want to add a few more items to this page, which you can do using the Drag and Drop layout. Select the Drag and Drop layout icon.

22. Drag a Password item to the second line.

23. Enter P10_PIN_NUMBER for the Item Name, Pin Number for the Label, and select Password (submits when Enter pressed) for Display Type. Then drag another Password item to the third line.

24. Enter P10_DEPRECATED for the Item Name, Deprecated for the Label, and select Password (submits when Enter pressed) for Display Type. Then drag a Text item to the fourth line.

25. Enter P10_SSN for the Item Name, SSN for the Label, and select Text Field for Display Type. Then drag a Button item to the fifth line.

26. Enter P10_SUBMIT for the Item Name and Submit for the Label. Then click Next.

27. Click Apply Changes.

28. You want the Pin Number and SSN items to be stored in the database and displayed in session state; however, you want the values in session state to be encrypted. Therefore, you need to encrypt these items. Under Items, select the P10_PIN_NUMBER link.

29. Select the Security tab.

30. Change the value for Stored value encrypted in session state to Yes and click Apply Changes.

31. You also want to encrypt P10_SSN. Under Items, select the P10_SSN link.

32. Since you had already selected the Security tab, you should be taken directly to that tab this time. Change the value for Stored value encrypted in session state to Yes and click Apply Changes.

33. You need to create a branch that will return to the same page when the Login button is pressed. Select the Create Branch icon.

34. Click Next.

35. Enter 10 for the Page and click Next.

36. Click Create Branch.

37. Now you are ready to test the page. Click Run.

38. Enter demo for the Username and your workspace name as the Password and click Login.

39. Select the Password Item tab.

40. Enter any value for all 4 items. Then click Submit.

41. To see what is in session state, select the Session link in the developer toolbar.

42. Notice the following:

P10_PASSWORD: Not saved to the database or shown in session state.

P10_PIN_NUMBER: Saved in the database and shown encrypted in session state.

P10_DEPRECATED: Saved in the database and shown unencrypted in session state. This is the least secure option.

P10_SSN: Saved in the database and shown encrypted in session state.

When done reviewing, close the session state window to return to your application.

Passing Password Item Values Between Pages

You want to examine what happens in session state when a password item value is passed between pages. You will copy the page you created previously and create a branch from Page 10 to the new page to display the password item values. Perform the following steps:

1. Select the Edit Page 10 link in the developer toolbar.

2. Click Copy.

3. Make sure Page in this Application is selected and click Next.

4. Enter Show Password Items From Page 10 and click Next.

5. Change the New Value for Region to Show Password Items From Page 10 and click Next.

6. Accept the default again and click Next.

7. Click Finish.

8. Click Edit Page.

9. You only want to display the value of the Password items on this page, so you need to change the Display As for each item. Under Items, select the P18_PASSWORD link.

10. Click the Name tab. Select the [Display Only] quick link, and Display as Text (escape special characters, does not save state) will appear in the Display As field. Then click Apply Changes.

11. Repeat the previous 2 steps for each item (except the button) so that all your items have the same display type as shown in the screenshot.

12. You need to change the branch on page 10 to pass the values to this new page. Enter 10 in the Page field and click Go.

13. Under Branches, select the Go to Page 10 link.

14. You want to change the branch to page 18 and then set the items to pass to that page. Change the page to 18 and select the flashlight icon for Set these items.

15. Select the flashlight for the first Item.

16. Select P18_PASSWORD from the list of items.

17. Select the flashlight for the first Value.

18. Select &P10_PASSWORD. from the list.

19. Repeat the steps to select the following items and assign the values shown below. Then click Apply.

Item: P18_PIN_NUMBER    Value: &P10_PIN_NUMBER.
Item: P18_DEPRECATED    Value: &P10_DEPRECATED.
Item: P18_SSN           Value: &P10_SSN.

20. Notice that the appropriate fields are populated. Click Apply Changes.

21. Click Run.

22. Enter a different value in each of the 4 fields than you did previously and click Submit.

23. You are now on Page 18. Notice that the URL contains the values you are passing. This is a security vulnerability. You can correct it by sending the values to session state before branching. Select the Edit Page 18 link in the developer toolbar.

24. You need to change the branch on page 10 again so that the values are saved to session state before the branch is performed. Enter 10 in the Page field and click Go.

25. Under Branches, select the Go to Page 10 link.

26. Select the save state before branching check box. Click Apply Changes.

27. Click Run.

28. Enter a value for each of the 4 items and click Submit.

29. Notice that the URL does not contain the values you passed. The values were sent to session state before the branch occurred. Select the Session link in the developer toolbar.

30. Notice that the values were passed through session state from page 10 to page 18. The items that were saved in session state were passed correctly; however, the item P10_PASSWORD, which was set as Password (submits when Enter pressed, does not save state), was passed to P18_PASSWORD as a character string because its Display As is Display as Text (escape special characters, does not save state).

This is a good example of what NOT to do, as it is a security vulnerability. To remove the vulnerability, you should remove the item from the list of items passed in the branch on page 10.

When passing values from one page to another, you need to examine the content of every value passed from page to page to make sure that it satisfies your information security requirements.

31. Switch to Application Express and select the Application link in the developer toolbar.

Identifying At Risk Password Items

There are a number of reports that help to identify at risk password items. Perform the following steps:

1. From the Tasks menu, select Application Reports.

2. Click Page Components.

3. Under Items, select Password Items.

4. The list of password items for this application is displayed. Notice that you can see what the session state and encryption settings are, as well as whether each item is an at risk password item. To view the password items for all applications in your workspace, select the Application Reports breadcrumb.

5. Click Cross Application.

6. Under Cross Application Attribute Reports, select Password Items.

7. A list of all the password items for all applications in this workspace is displayed. To view only the items at risk, select Show at Risk Password Items from the Password Items drop down and click Go.

8. Now only the at risk password items for all applications in the workspace are displayed. Click the Application breadcrumb.

Setting an Application's Idle and Session Timeouts

You can set the idle and session timeouts for a particular application. In this section, you will set the timeout values and show how to test them. Perform the following steps:

1. You first need to create a page that the application will branch to when the timeout occurs. Click Create Page.

2. Make sure Blank Page is selected and click Next.

3. Click Next.

4. Enter Timeout Page for the Name and click Next.

5. Click Next.

6. Click Finish.

7. Select Edit Page.

8. You will create an HTML region that will display a message. Under Regions, select the Create Region icon.

9. Make sure HTML is selected and click Next.

10. Make sure HTML is selected again and click Next.

11. Enter Idle Timeout for the Title and click Next.

12. Enter Your session has been timed out as you remained idle for too long. in the HTML source field and click Next.

13. This region will only be displayed when REQUEST=IDLE. Select the [Request=e1] quick link, enter IDLE in the Expression 1 field, and click Create Region.

14. You want to create another region for the Session Timeout. You can just copy the one you just created. Click the Copy Region icon.

15. Select the Idle Timeout region link.

16. Accept the defaults and click Next.

17. Enter Session Timeout for Region Name and click Copy Region.

18. Under Regions, select the Session Timeout link.

19. Change the Region Source to Your session has timed out and click the Conditions tab.

20. This region will only be displayed when REQUEST=SESSION. Change the Expression 1 field to SESSION and click Apply Changes.

21. You need to make this page public so the login screen will not appear when the timeout occurs. Select the Edit Page Attributes icon.

22. Select the Security tab.

23. Select Page is Public for Authentication and click Apply Changes.

24. At this point, you are ready to define the idle timeout parameters. Select the Shared Components icon.

25. Under Application, select Definition.

26. Select the Security tab.

27. Select the Session Timeout tab.

28. You want to set the timeouts so that the region with the SESSION condition shows once the session has lasted 60 seconds, and the region with the IDLE condition shows if the user does not press a key (is idle) for 10 seconds.

Enter 60 for Maximum Session Length in Seconds and f?p=&APP_ID.:19:0:SESSION for Session Timeout URL. Enter 10 for Maximum Session Idle Time in Seconds and f?p=&APP_ID.:19:0:IDLE for Idle Timeout URL (make sure you add the '.' after the substitution string &APP_ID.). Click Apply Changes.

Notice the '0' in the URL string. This is a new feature in Application Express 3.2. If the page is public, the user can use zero as the session id, which prevents multiple users from sharing the same session id.

29. Select your Application breadcrumb.

30. Click Run Application.

31. Your timeout page will appear. To get a new session id, you need to log in to the application again. Click Logout.

32. Log in to your application.

33. Wait about 5 seconds and click the Customer tab.

34. The idle timeout page is displayed. Notice the URL that is displayed with the IDLE request. To test the session timeout, you need to log in again. Click Logout.

35. Log in to your application again.

36. This time you will need to continue to click through the application without any idle time of more than 10 seconds. After 60 seconds, you will see the session timeout region appear. Notice the URL that is displayed with the SESSION request.

Setting Application Express Idle and Session Timeout Defaults

You can set idle and session timeout defaults for the entire Application Express installation. In this section, you will set defaults for idle and session timeouts. Perform the following steps:

1. Enter the following URL in your browser to log in to the Application Express Administrator tool:

http://<hostname>:8080/apex/apex_admin

Enter <your admin user> for the Username and <your admin password> for the Password and click Login.

2. Click Manage Service.

3. Under Manage Environment Settings, select Security.

4. Notice the Security and HTTPS sections. This is where you can set a number of security settings that affect the way the Application Express environment operates. Select the Session Timeout tab.

5. You can set the maximum session and idle timeout values for the Application Express development suite. Note that this does not affect runtime behavior. Runtime maximum session and idle times are defined for each application, as discussed above.

In the next section, you will set some password complexity rules.

Setting Password Complexity Rules

In this section, you set the password complexity rules for your workspace. Perform the following steps:

1. Select the Workspace Password Policy tab.

2. Change the following values. When done, select the Service Administrator Password Policy tab.

Minimum Password Length: 6
Minimum Password Differences: 2
Must Contain At Least One Alphabetic Character: Yes
Must Contain At Least One Numeric Character: Yes
Must Not Contain Username: Yes
Must Not Contain Workspace Name: Yes

You will test the effect these parameters have on the password later in this section.

3. You can set the password policy for administrators so that it has the same policy as the workspace, or utilize the default strong password policy. The default in Application Express 3.2 has been changed to use the default strong password policy. Click Apply Changes.

Note that the strong password policy is the following:

 Consist of at least six characters
 Contain at least one lowercase alphabetic character, one uppercase alphabetic character, one numeric digit, and one punctuation character
 Cannot include the username
 Cannot include the word Internal
 Cannot contain any words shown in the Must Not Contain field specified above in Workspace Password Policy

4. To test your new Workspace Password Policy, you need to log out of the Administration Tool and log in to the Application Express development environment. Click Logout.

5. Click Login.

6. Log in to your workspace as the workspace administrator and click Login.

7. Under Administration, click Manage Application Express Users.

8. Click Create.

9. Enter Michelle for the Username, Password and Confirm Password and click Create User.

10. Notice that you receive an error because you need to specify at least one number as well as letters, and you cannot have the username as your password.

11. Enter queen1 for the Password and Confirm Password and click Create User.

12. Your user, Michelle, was created successfully. You can now test some of the other password policy parameters, since when you log in for the first time you will be prompted to change your password. Click Logout.

13. Click Login again.

14. Enter your workspace, michelle for the Username and queen1 for the Password, and click Login.

15. When asked to change your password, enter queen1 for the Current Password, and queen2 for the New Password and Confirm New Password, and click Apply Changes.

16. Notice that you receive an error because you only changed one character in the password when 2 characters were required to change. Enter queen1 for the Current Password, and test1 for the New Password and Confirm New Password, and click Apply Changes.

17. Notice that you receive another error because your new password did not contain at least 6 characters. Enter queen1 for the Current Password, and water1 for the New Password and Confirm New Password, and click Apply Changes.

18. Your password was changed successfully. Click Return.

19. Enter your workspace name, enter michelle for the Username and water1 for the Password, and click Login.

20. You have logged in successfully with your new password.

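As an added example (not code from the Oracle tutorial), the following Python models the Workspace Password Policy from step 2 and the default strong policy from step 3, and replays the password attempts from the steps above to show which rule rejects each one. The workspace name MY_WORKSPACE and the position-by-position comparison used for Minimum Password Differences are assumptions, not documented APEX behaviour.

```python
import string

# Added example, not part of the Oracle tutorial: a model of the two password
# policies configured in this section. How APEX counts "Minimum Password
# Differences" is an assumption here: characters are compared position by
# position, and a change in length also counts as differences.


def char_differences(old: str, new: str) -> int:
    """Count positions at which old and new differ (assumed APEX semantics)."""
    diffs = sum(1 for a, b in zip(old, new) if a != b)
    return diffs + abs(len(old) - len(new))


def check_workspace_policy(new_pw, username, workspace, old_pw=None,
                           min_len=6, min_diff=2):
    """Return the Workspace Password Policy rules (step 2) that new_pw violates.

    Defaults mirror the tutorial: length 6, 2 differences, alphabetic and
    numeric characters required, no username or workspace name. An empty
    list means the password is accepted.
    """
    errors = []
    lower = new_pw.lower()
    if len(new_pw) < min_len:
        errors.append(f"shorter than {min_len} characters")
    if old_pw is not None and char_differences(old_pw, new_pw) < min_diff:
        errors.append(f"fewer than {min_diff} characters changed")
    if not any(c.isalpha() for c in new_pw):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in new_pw):
        errors.append("no numeric character")
    if username.lower() in lower:
        errors.append("contains username")
    if workspace.lower() in lower:
        errors.append("contains workspace name")
    return errors


def check_strong_policy(new_pw, username, must_not_contain=()):
    """Return the default strong policy rules (step 3) that new_pw violates."""
    errors = []
    lower = new_pw.lower()
    if len(new_pw) < 6:
        errors.append("shorter than 6 characters")
    if not any(c.islower() for c in new_pw):
        errors.append("no lowercase character")
    if not any(c.isupper() for c in new_pw):
        errors.append("no uppercase character")
    if not any(c.isdigit() for c in new_pw):
        errors.append("no numeric digit")
    if not any(c in string.punctuation for c in new_pw):
        errors.append("no punctuation character")
    if username.lower() in lower:
        errors.append("contains username")
    if "internal" in lower:
        errors.append("contains the word Internal")
    errors += [f"contains forbidden word {w}" for w in must_not_contain
               if w.lower() in lower]
    return errors


if __name__ == "__main__":
    # Replay the user creation and password changes from the steps above.
    # MY_WORKSPACE is a placeholder for the workspace name used in the tutorial.
    attempts = [(None, "Michelle"), (None, "queen1"), ("queen1", "queen2"),
                ("queen1", "test1"), ("queen1", "water1")]
    for old, new in attempts:
        result = check_workspace_policy(new, "michelle", "MY_WORKSPACE", old)
        print(f"{new:10} -> {', '.join(result) or 'accepted'}")
```

Running the block prints one line per attempt: Michelle and queen2 and test1 are rejected for the same reasons the tutorial reports, while queen1 and water1 are accepted.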


Summary

In this tutorial, you learned how to:

 Examine the session state for a password item on the login page
 Review the differences between password item types in session state
 Pass password item values between pages
 Identify at risk password items
 Set an application's idle and session timeouts
 Set the Application Express idle and session timeout defaults
 Set password complexity rules
