You can provide security for your application by configuring attributes on the Edit Security Attributes page. The Security Attributes you choose apply to all pages within an application.
To access the Edit Security Attributes page:

1. On the Workspace home page, click the Application Builder icon.
2. Select an application.
3. Click Shared Components. The Shared Components page appears.
4. Under Security, click Edit Security Attributes. The Edit Security Attributes page appears.
The Edit Security Attributes page is divided into the following sections: Authentication, Authorization, Database Schema, Session State Protection, and Virtual Private Database. You can access these sections by scrolling down the page, or by clicking a navigation button at the top of the page.
When you select a button at the top of the page, the selected section appears and all other sections are temporarily hidden. To view all sections of the page, click Show All.
The following sections describe the attributes available on the Edit Security Attributes page.
Authentication

Authentication is the process of establishing users' identities before they can access an application. Although you can define multiple authentication schemes for your application, only one scheme can be current at a time. The following table describes the attributes available under Authentication.
Authentication Attributes
Attribute | Description
---|---
Home Link | Specifies a URL or procedure that should be run when you run the application. For example, Home Link could contain the relative URL used to locate the application home page. For example, You can also use this attribute to name a procedure. For example, you could create a procedure such as Note: Do not use the Home Link attribute to determine the page that displays after authentication. The page that displays after authentication is determined by other components within the application's authentication scheme. See Also: "HOME_LINK"
Login URL | Replaces the substitution strings See Also: "LOGIN_URL" and "Creating an Authentication Scheme"
Public User | Identifies the Oracle schema used to connect to the database through the database access descriptor (DAD). The default value is Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string Note: Previous versions of Oracle Application Express used the built-in substitution string When If the current application user ( For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using See Also: "HOME_LINK" and "Understanding Conditional Rendering and Processing"
Define Authentication Schemes | Click this button to define a new authentication scheme. See Also: "Understanding How Authentication Works" and "Creating an Authentication Scheme"
Authorization

Authorization controls user access to specific controls or components based on user privileges. You can specify an authorization scheme for your application by making a selection from the Authorization Scheme list. You can assign only one authorization scheme to an entire application. However, you can also assign an authorization scheme to individual pages, page controls (such as a region, a button, or an item), or a shared component (such as a menu, a list, or a tab).
To create a new authorization scheme, click Define Authorization Schemes.
An authorization scheme is a binary operation that either succeeds (equals true) or fails (equals false). If it succeeds, then the component or control can be viewed. If it fails, then the component or control cannot be viewed or processed. When you attach an authorization scheme to a page and it fails, an error message displays instead of the page. However, when you attach an authorization scheme to a page control (for example, a region, a button, or an item) and it fails, no error page displays. Instead, the control either does not display or is not processed or executed.
Database Schema

Use Parsing Schema to specify the database schema for the current application. Once defined, all SQL and PL/SQL commands issued by the application are executed with the rights and privileges of the defined database schema.
Session State Protection

Enabling Session State Protection can prevent attackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.
To enable or disable Session State Protection for your application, make a selection from the Session State Protection list. Setting Session State Protection to Enabled turns on session state protection controls defined at the page and item level.
To configure Session State Protection, click Manage Session State Protection.
Virtual Private Database

Use this attribute to enter a PL/SQL block that sets a Virtual Private Database (VPD) context for the current database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the APP_USER value is established. The value of APP_USER (using :APP_USER or v('APP_USER')) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state prior to the initiation of the current page request. Consider the following example:
dbms_session.set_context('CTX_USER_QRY','USERPRIV',my_package.my_function(:APP_USER));
The previous example sets the value of USERPRIV in the context named CTX_USER_QRY to the value returned by the function my_function in package my_package. The function is passed the current value of APP_USER as an input argument. Presumably, the named context would be used in a VPD policy (already created within the application's parsing schema) to generate predicates appropriate to the authenticated user.
Virtual Private Database, also known as Fine-Grained Access Control or FGAC, is an Oracle Database feature that provides an application programming interface (API) that enables developers to assign security policies to database tables and views. Using PL/SQL, developers can create security policies with stored procedures and bind the procedures to a table or view by means of a call to an RDBMS package. Such policies are based on the content of application data stored within the database, or on context variables provided by the Oracle database. In this way, VPD permits access security mechanisms to be removed from applications and situated closer to particular schemas.
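As an added example (not part of the original page), the following script shows one complete VPD setup that the initialization block described above can drive: an application context, the package that fills it, a policy function that turns the context value into a row-level predicate, and the DBMS_RLS.ADD_POLICY call that binds the policy to a table. The context name ctx_user_qry and the names my_package and my_function follow the page's example; app_user_priv, orders, set_user_context and orders_policy are hypothetical names, and the rows inserted are constructed sample data. One point the page's one-line example leaves implicit: Oracle only allows the package named in CREATE CONTEXT ... USING to set that context's attributes, so the APEX initialization block should call into that package rather than calling DBMS_SESSION.SET_CONTEXT directly.

```sql
-- Added example, not from the original page. Names marked hypothetical are
-- invented for illustration; requires CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

-- 1. Application context. Only MY_PACKAGE may set attributes of CTX_USER_QRY.
CREATE OR REPLACE CONTEXT ctx_user_qry USING my_package;

-- 2. Constructed sample data (hypothetical tables).
CREATE TABLE app_user_priv (
  username VARCHAR2(255) PRIMARY KEY,
  dept_id  NUMBER NOT NULL
);
INSERT INTO app_user_priv VALUES ('ALICE', 10);
INSERT INTO app_user_priv VALUES ('BOB', 20);

CREATE TABLE orders (
  order_id NUMBER PRIMARY KEY,
  dept_id  NUMBER NOT NULL,
  amount   NUMBER
);
INSERT INTO orders VALUES (1, 10, 100);
INSERT INTO orders VALUES (2, 20, 250);
COMMIT;

-- 3. Trusted package: maps the APEX user to a privilege value and stores it
--    in the context. set_user_context is a hypothetical name.
CREATE OR REPLACE PACKAGE my_package AS
  FUNCTION my_function (p_user IN VARCHAR2) RETURN VARCHAR2;
  PROCEDURE set_user_context (p_user IN VARCHAR2);
END my_package;
/

CREATE OR REPLACE PACKAGE BODY my_package AS
  FUNCTION my_function (p_user IN VARCHAR2) RETURN VARCHAR2 IS
    l_dept app_user_priv.dept_id%TYPE;
  BEGIN
    SELECT dept_id INTO l_dept
      FROM app_user_priv
     WHERE username = UPPER(p_user);
    RETURN TO_CHAR(l_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN NULL;  -- unknown user: the predicate below then matches no rows
  END my_function;

  PROCEDURE set_user_context (p_user IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('CTX_USER_QRY', 'USERPRIV', my_function(p_user));
  END set_user_context;
END my_package;
/

-- 4. Policy function (hypothetical name). Oracle appends the returned text as a
--    WHERE clause to every statement against the protected table. It reads the
--    context through SYS_CONTEXT instead of concatenating the value, so the
--    predicate text is constant and the user value never becomes SQL.
CREATE OR REPLACE FUNCTION orders_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN 'dept_id = TO_NUMBER(SYS_CONTEXT(''CTX_USER_QRY'', ''USERPRIV''))';
END orders_policy;
/

-- 5. Bind the policy to the table for all DML. update_check => TRUE also
--    blocks INSERT/UPDATE of rows the user could not subsequently read.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_DEPT_POLICY',
    function_schema => USER,
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 6. The block to enter in the APEX Virtual Private Database attribute
--    (run by the Application Express engine, not by this script):
--
--    BEGIN
--      my_package.set_user_context(:APP_USER);
--    END;
```

The policy function always returns a predicate. When no USERPRIV value has been set, the comparison is against NULL and matches no rows, so an unidentified session sees nothing rather than everything; a policy function that returned NULL or an empty string would instead remove the filter entirely.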
The code entered in this section need not pertain to VPD/FGAC; in fact, it may not be related to security at all. Any code that needs to be executed at the earliest point in a page request can be placed here. For example, to set the database session time zone for every page request:

BEGIN
  EXECUTE IMMEDIATE 'alter session set time_zone = ''Australia/Sydney''';
END;