Configuring Security Settings

 Previous
Previous 		 Next
Next

Oracle Application Express administrators can configure security settings, such as turning off cookies used to populate the login form in Application Express, controlling access to accounts, and setting up password policies.

Topics:

Turning Off Cookies Used to Populate the Login Form for Application Express

Oracle Application Express administrators can control if a convenience cookie is sent to the user's computer whenever a developer or administrator logs in to a workspace from the Application Express Login page. By default, the Set Workspace Cookie option is set to Yes.

If selected, Application Express sends a persistent cookie that:


Note:

If your computer has already received this cookie, you can physically remove it from its persistent location on disk using browser tools or system utilities. The cookie is named ORACLE_PLATFORM_REMEMBER_UN and may exist for each Application Express service accessed having distinct hostname and path components.

To prevent a cookie from being sent to the user's computer when logging in:

  1. Log in to Oracle Application Express Administration Services. See "Logging in to Oracle Application Express Administration Services".

  2. Click Manage Service.

  3. Under Manage Environment Settings, click Security.

  4. Locate the Security section.

  5. For Set Workspace Cookie, select No.

  6. Click Apply Changes.

Excluding Domains from Regions of Type URL and Web Services

It is possible to restrict regions of type URL and Web services for the entire Oracle Application Express instance. The Oracle Application Express administrator defines excluded domains and regions of type URL. If a Web reference or region of type URL contains an excluded domain, an error displays informing the user that it is restricted.

To exclude a domain from regions of type URL and Web services:

  1. Log in to Oracle Application Express Administration Services. See "Logging in to Oracle Application Express Administration Services".

  2. Click Manage Service.

  3. Under Manage Environment Settings, click Security.

  4. In Domain Must Not Contain, enter a colon-delimited list of excluded domains.

  5. Click Apply Changes.

Enabling Login Controls for All Workspaces

By default, no login controls are enabled across an Oracle Application Express instance. Oracle Application Express administrators can enable login controls for all accounts in all workspaces across an entire development instance. Account login controls include:

If the Oracle Application Express administrator does not enable login controls for an entire instance then each Workspace administrator can enable the following controls on a workspace-by-workspace basis. See "Enabling Login Controls for a Workspace".

Note that Account Login control affect applications that use the Application Express user account creation facilities and authentication against those accounts.

To enable login controls for all workspaces:

  1. Log in to Oracle Application Express Administration Services. See "Logging in to Oracle Application Express Administration Services".

  2. Click Manage Service.

  3. Under Manage Environment Settings, click Security.

  4. Scroll down to Account Login control.

  5. Under Account Login Control:

    1. Require User Account Expiration and Locking - Select Yes to enable this feature for all workspaces across an entire Oracle Application Express instance. This feature applies to end-user accounts created using the Application Express end-user account management interface.

      Select No to relinquish control to each Workspace administrator.

    2. Maximum Login Failures Allowed - Enter a number for the maximum number of consecutive unsuccessful authentication attempts allowed before a developer or administrator account is locked. If you do not specify a value in this field, the default value is 4 is.

      This setting applies to Application Express administrator and developer accounts. It does not apply to end user accounts.

      The value you enter is used as the default for the workspace-level Maximum Login Failures Allowed preference, if the Workspace administrator does not specify a value. That preference is used for end-user accounts within the respective workspace.

    3. Account Password Lifetime (days) - Enter a number for the maximum number of days a developer or administrator account password may be used before the account expires. If you do not specify a value in this field, a default value is 45 days.

      This setting applies to accounts used to access the Application Express administration and development environment only. It does not apply to end-user accounts used by applications developed in Application Express.

      The value you enter is used as the default workspace-level End User Account Lifetime preference, if the Workspace administrator specifies no value. That preference is used for end-user accounts within the respective workspace.

  6. Click Apply Changes.


Tip:

This feature applies only to accounts created using the Application Express user creation and management facilities. It provides additional authentication security for applications. See "Managing Application Express Users".

About Password Policies

Oracle Application Express administrators can enable password policies for:

Configuring Password Policies

To configure password policies:

  1. Log in to Oracle Application Express Administration Services. See "Logging in to Oracle Application Express Administration Services".

  2. Click Manage Service.

  3. Under Manage Environment Settings, click Security.

  4. To set up a password policy for Workspace administrators, developers, and end users, scroll down to Workspace Password Policy and specify the attributes described in Table: Workspace Password Policy Attributes.

    Workspace Password Policy Attributes

    Attribute Description

    Minimum Password Length

    Enter a number for the minimal character length for passwords.

    Minimum Password Differences

    Enter a positive integer or 0.

    When users change their password, the new password must differ from the old password by this number of characters. The old and new passwords are compared, character-by-character, for differences such that each difference in any position common to the old and new passwords counts toward the required minimum difference.

    Must Contain At Least One Alphabetic Character

    Select Yes to require that user passwords contain at least one alphabetic character. The Alphabetic Characters field lists the letters considered alphabetic characters.

    Must Contain At Least One Numeric Character

    Select Yes to require that user passwords contain at least one Arabic numeric character: 0,1,2,3,4,5,6,7,8, 9.

    Must Contain At Least One Punctuation Character

    Select Yes to require that user passwords contain at least one punctuation character. The Punctuation Characters field lists the symbols considered punctuation characters.

    Must Contain At Least One Upper Case Character

    Select Yes to require that user passwords contain at least one uppercase alphabetic character.

    Must Contain At Least One Lower Case Character

    Select Yes to require that passwords for users contain at least one lowercase alphabetic character.

    Must Not Contain Username

    Select Yes to prevent user passwords from containing the username, regardless of case.

    Must Not Contain Workspace Name.

    Select Yes to prevent user passwords from containing the workspace name, regardless of case.

    Must Not Contain

    Enter words, separated by colons, that may not be included in user passwords. These words may not appear in the password in any combination of uppercase or lowercase.

    This feature improves security by preventing the creation of some simple, easy-to-guess passwords based on words like hello, guest, welcome, and so on.

    Alphabetic Characters

    Enter new text or edit the existing text. This is the set of characters used in password validations involving alphabetic characters.

    Punctuation Characters

    Enter new text or edit the existing text. This is the set of characters used in password validations involving punctuation characters.

    Next, set up a password policy for service administrators.

  5. Scroll down to the Service Administrator Password Policy and specify one of the following:

    1. Use policy specified in Workspace Password Policy - Applies the password rules specified above in Workspace Password Policy to service administrator passwords.

    2. Use default strong password policy - Applies the default strong password policy to service administrator passwords. To learn more, see item Help.

  6. Click Apply Changes.

Disabling Access to Oracle Application Express Administration Services

Oracle Application Express administrators can restrict user access to Oracle Application Express Administration Services. This prevents any user from logging in to Oracle Application Express Administration Services.

To disable user access to Oracle Application ExpressAdministration Services:

  1. Log in to Oracle Application Express Administration Services. See "Logging in to Oracle Application Express Administration Services".

  2. Click Manage Service.

  3. Under Manage Environment Settings, click Security.

  4. For Disable Administrator Login, select Yes.

  5. Click Apply Changes.

Setting this value and logging out prevents anyone from logging in to Oracle Application Express Administration Services.

To reverse this setting, connect in SQL*Plus or SQL Developer as the Application Express engine schema and execute the following:

BEGIN
    WWV_FLOW_API.SET_SECURITY_GROUP_ID(p_security_group_id=>10);
    WWV_FLOW_PLATFORM.SET_PREFERENCE( 
        p_preference_name => 'DISABLE_ADMIN_LOGIN',
        p_preference_value => 'N' );
end;
/

commit
/

Disabling Access to Oracle Application Express Internal Applications

The applications that constitute Oracle Application Express (such as Application Builder and SQL Workshop) exist within a workspace named Internal. To restrict user access to Internal applications, select Yes from Disable Workspace Login. Selecting Yes in production environments prevents all users from running applications (such as Application Builder and SQL Workshop) in the Internal workspace. Administrators who use this feature should also consider disabling user access to Oracle Application Express Administration Services.


See Also:

"Disabling Access to Oracle Application Express Administration Services"

To disable user access to the Internal workspace:

  1. Log in to Oracle Application Express Administration Services. See "Logging in to Oracle Application Express Administration Services".

  2. Click Manage Service.

  3. Under Manage Environment Settings, click Security.

  4. From Disable Workspace Login, select Yes.

    Selecting Yes prevents users from logging in to the Internal workspace.

  5. Click Apply Changes.

Restricting User Access by IP Address

Oracle Application Express administrators can restrict user access to an Oracle Application Express instance by creating a Runtime setting named RESTRICT_IP_RANGE.

To restrict user access by IP address:

  1. Log in to Oracle Application Express Administration Services. See "Logging in to Oracle Application Express Administration Services".

  2. Click Manage Service.

  3. Under Manage Environment Settings, click Security.

  4. For Disable Administrator Login, select No.

  5. In Restrict Access by IP Address, enter a comma-delimited list of IP addresses. Use an asterisk (*) to specify a wildcard.

    You can enter IP addresses from one to four levels. For example:

    141, 141.* ...
192.128.23.1 ...

    Note:

    When using wildcards, do not include additional numeric values after wildcard characters. For example, 138.*.41.2.

  6. Click Apply Changes.

Previous
Previous 		 Next
Next