Comments on "Let's Wreck This Together...with Oracle Application Express!": Securing Oracle Application Express when using Oracle REST Data Services (ORDS)
Blog author: Joel R. Kallman

Comment by E. O'Brien, 2016-12-18 12:31 (-05:00):

Just a warning to folks using security.requestValidationFunction to replace the mod_plsql version by virtually the same name (PLSQLrequestValidationFunction). It does not work the same. First, it is not per-database ("DAD") setup. It must be in defaults.xml and applicable to all database connections configured. Second, it is cached whether you like it or not (3.0.8), which means that the result from the first hit/user applies until ORDS is restarted. That is fine for a procedure name whitelist applicable to all, but it is not fine for authorization per user. Finally, if you turn this feature on and have APEX, you are forced to use wwv_flow_epg_include_modules.authorize (i.e. in any wrapper function you implement) or something will not work, like the retrieval of workspace images. I would rather have the option to turn the cache on or off (which would seem useful for REST calls too with SSO). I was able to use preProcess instead, along with redirection, to block unauthorized users for non-APEX applications (i.e. older PL/SQL Web Toolkit applications).

Comment by Anonymous (Dietmar), 2016-07-31 05:12 (-04:00):

Hi Richard,

the package wwv_flow_epg_include_modules actually calls the function wwv_flow_epg_include_mod_local in the APEX schema; this is typically where you would extend the whitelist.

This is also a very old mechanism, see here: http://daust.blogspot.co.uk/2006/04/xe-calling-stored-procedures.html.

The advantage is that this works across all gateways (ORDS, EPG, OHS) in the same way.

I don't like too much that we have to modify a function in the APEX schema. In order to avoid that you can always write your own wrapper and call wwv_flow_epg_include_modules.authorize to check for the APEX whitelist. If it still returns false you can use your own additional whitelist.

Then you would certainly have to register your own public function in the ORDS configuration.

Cheers,
~Dietmar.

Comment by Richard Martens, 2016-07-26 07:24 (-04:00):

Joel, thanks, we definitely should implement this by default.
Is there an option to extend the whitelist?
I remember the APEX Listener 1.x had an option for that.

Comment by Richard Martens, 2016-07-26 07:22 (-04:00):

This comment has been removed by the author.

Comment by Hari, 2016-07-26 01:02 (-04:00):

Thanks for the tip.
Glad to know that this setting will be default from ORDS 3.0.7.

Regards,
Hari