Database security with PUBLIC EXECUTE privileges for Application Express

I recently tried installing APEX into an existing database containing a data warehouse. Security on this database is quite controlled and PUBLIC EXECUTE to SYS-owned objects had been removed. I.e., there was no PUBLIC EXECUTE on:
DBMS_LOB
UTL_HTTP
UTL_FILE
UTL_SMTP
UTL_RAW.
When I tried to install APEX, I got all kinds of errors and logged a TAR. The analyst told me to grant execute to public on the above SYS-owned objects. This contradicts the "Policies" in 10G Grid control and the Metalink Notes 131752.1 & Note:247093.1.
Can these execute privileges be changed to another user in the htmlDB application such as FLOWS_FILES? Or HTMLDB_PUBLIC_USER? What are the security recommendations for Oracle Application Express? Calling any product managers out there....

Developers/users have started clicking around and are now getting errors. There is a function called CUSTOM_AUTH and one called CUSTOM_HASH which do not compile. They complain about not seeing UTL_RAW, so they had been relying on PUBLIC synonyms. Here's the one function:
create or replace function custom_hash (p_username in varchar2, p_password in varchar2)
  return varchar2
is
  l_password varchar2(4000);
  l_salt     varchar2(4000) := '2ZVKZMILYMGVFRFXOZIVZ72RJNJY8V';
begin
  -- This function should be wrapped, as the hash algorithm is exposed here.
  -- You can change the value of l_salt or the method used to call the
  -- DBMS_OBFUSCATION_TOOLKIT, but you must reset all of your passwords
  -- if you choose to do this.
  -- The RAW result is implicitly converted to its hex string on assignment.
  l_password := utl_raw.cast_to_raw(dbms_obfuscation_toolkit.md5
    (input_string => p_password || substr(l_salt,10,13) || p_username ||
     substr(l_salt, 4,10)));
  return l_password;
end;
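
One way to scope the grants the post asks about, as an added example that is not part of the original post or of Oracle's guidance: inventory what PUBLIC can still execute, find the schemas whose stored code references the five packages, and generate direct grants for only those schemas. It assumes a DBA account that can read DBA_TAB_PRIVS and DBA_DEPENDENCIES; the package list is the one given in the post.

```sql
-- Added example. Run as a DBA; package list taken from the post.

-- 1. Confirm which of the packages PUBLIC can still execute.
SELECT table_name, grantee, privilege
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('DBMS_LOB','UTL_HTTP','UTL_FILE','UTL_SMTP','UTL_RAW')
ORDER  BY table_name;

-- 2. List non-SYS schemas whose stored code references them, either
--    directly (SYS) or through the public synonym (PUBLIC).
--    Dynamic SQL is not recorded here and has to be reviewed by hand.
SELECT d.owner, d.name, d.type, d.referenced_name
FROM   dba_dependencies d
WHERE  d.referenced_name  IN ('DBMS_LOB','UTL_HTTP','UTL_FILE','UTL_SMTP','UTL_RAW')
AND    d.referenced_owner IN ('SYS','PUBLIC')
AND    d.owner NOT IN ('SYS','PUBLIC')
ORDER  BY d.owner, d.referenced_name, d.name;

-- 3. Generate direct grants only for schemas that need one and do not
--    already hold it. Grants must be direct: privileges received through
--    a role are not visible to definer's-rights stored code.
SELECT DISTINCT
       'GRANT EXECUTE ON SYS.' || d.referenced_name ||
       ' TO "' || d.owner || '";' AS grant_stmt
FROM   dba_dependencies d
WHERE  d.referenced_name  IN ('DBMS_LOB','UTL_HTTP','UTL_FILE','UTL_SMTP','UTL_RAW')
AND    d.referenced_owner IN ('SYS','PUBLIC')
AND    d.owner NOT IN ('SYS','PUBLIC')
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.owner      = 'SYS'
         AND    p.table_name = d.referenced_name
         AND    p.grantee    = d.owner
         AND    p.privilege  = 'EXECUTE')
ORDER  BY grant_stmt;

-- 4. After applying the reviewed grants, list what is still invalid.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
AND    owner NOT IN ('SYS','PUBLIC')
ORDER  BY owner, object_name;
```

Review the generated statements before running them; each one widens access for a single named schema instead of every account in the database.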

Similar Messages

  • About Leveraging database security with JPA...

    I've googled the web but haven't found anything about considering the security as an aspect of the development with JPA and TopLink Essentials as you can integrate VPD with Toplink... http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm
    What would be the best way to :
    1- Track user's specific behavior
    2- Implement Fine Grained access control
    from the database...
    Even if it's not in the spec... What do you think could be a design pattern to leverage the Oracle database features ?
    Best Regards,
    -Gregory

    Gregory,
    Using VPD with an ORM solution involves two pieces of functionality:
    1. An isolated cache so that entities read from a table using VPD cannot accidentally be accessed by other application threads. TopLink Essentials does support this through its JPA extensions:
    http://www.oracle.com/technology/products/ias/toplink/jpa/resources/toplink-jpa-extensions.html
    2. An approach for configuring the user credentials in the connections. Oracle TopLink provides exclusive connections with event call-backs for this as well as proxy authentication support. We do not currently support these options within TopLink Essentials.
    To address #2 using JPA and TopLink Essentials I would need to know more about your architecture. Assuming you are using JPA in EE with session beans and JTA transactions then you could look up the JDBC connection directly from the container within your transaction (prior to your first query requiring JPA) and invoke your VPD user config stored procedure.
    If you would like to work through the specifics of your requirements and then post the final solution back here you can contact me directly: douglas.clarke at oracle.com.
    Doug

  • How to create files with read/write privileges for everyone?

    I have two iMacs 7,1 (one with Snow Leopard and the other with Mountain Lion) in a local area wireless network.
    I have shared the "documents" folder in the Snow Leopard iMac in order to have files available to the other iMac. The folder has read/write privileges for everyone.
    When I create a new file in the shared "Documents" folder (for example a new Open office document, or a Keynote presentation) this file is by default "read/write" for the Administrator but only "read" for all the other users, so when I try to open it from the other iMac, I am informed that the file is "read only".
    I can obviously change the privileges of the file in the information window, but I have to do on a file per file basis and this takes too long.
    Is it possible to change settings in order to create files which are always "read/write" for everyone?
    And, secondly, since I have several existing files whose privileges I should manually change one by one, is it possible to make global changes of their privileges?
    Thanks in advance
    Best regards

    Couple of different changes - 1st, if you want to share folders, doing your whole documents folder is not the best way. Since both your computers can handle AirDrop, that's what I would recommend - http://osxdaily.com/2011/11/14/how-to-use-airdrop-in-mac-os-x/ - as it creates an instant ad-hoc network between the two computers and then lets it be done.
    A second possibility, that may not be what you're looking for, is to use Google Drive or some similar cloud sharing app to sync the documents back and forth. Both of these solutions will transfer the files well, but the AirDrop may be simplest.

  • Version Control for Application Express

    Hi all,
    We are using Application Express (HTML-DB) 2.0 with Oracle 10g Release 2. We have developed a number of pages within our application (basically sales reporting). We are starting to get ready to move these pages to a test and production environment.
    Before we move to a production environment we need to implement a version control and migration (development -> test -> production) system. I have read various posts about importing and exporting pages and applications that have been very informational. However, I am still not clear on certain areas, any help/information on the below questions/comments would be helpful.
    1.     How are other people implementing version control? For some of our other environments (for example, PeopleSoft-SQR) we use Visual Source Safe. Can we use this along with Application Express or is there a way to keep track of versions within Application Express itself?
    2.     I see you can view a page's history at Home>Application Builder>Application 107>Page Definition>History. Is there a way to view the differences between the pages or to revert back to an older page?
    3.     I know you can export a single page but that leaves shared components “behind” that might leave the complex page in a non-working state if imported and installed in the production application. Is there a way to export and import shared components, for example LOVs?
    These are a few of the questions I have…but I thought it would be a good place to start.
    Here are a couple of links that have given me some information related to the topic.
    Synonyms
    http://htmldb.oracle.com/i/doc/mvl_manage002.htm#sthref1206#BABFBBEE (I believe this is for HTML-DB Version 1.5…I did look in the same area for 2.0)
    Version Control
    How do people version control HTML DB applications?
    I would be interested in hearing your thoughts and ideas on this topic.
    Thanks,
    Stuff

    Stuff - this is also something we've been grappling with.
    Did you see the excellent tip about using Web server (or PL/SQL) redirects to point to the current app? The idea is that you copy the current prod app, work on the copy and then update the redirect to point to the new app when it's released and make the old app unavailable.
    This is quite brilliant in its simplicity, and has the added benefit of leaving the old app intact for bug fixes and re-releases, (or even rollback) if necessary. However, the problem with it, and the reason it's no good for our purposes, is because it sits on top of the same schema, so if the version control applies to objects in the database (i.e. the schema itself or packages etc.), then you're snookered (as far as I understand it anyway).
    In a previous project, our suppliers used VSS and versioned code at the app and function/procedure/package level - I'd love to know if anyone has a robust scheme for versioning at page level.
    I suspect History is an audit trail rather than versioning - I can't imagine that all the objects in all their respective states are being persisted for anything other than 'undo' purposes.
    Versioning at page level seems to be problematic but it can be done, provided that the shared components are sufficiently consistent. The trick is to edit the security group ID, but the usual caveats apply.
    What seems problematic to us is how to create a build out of components at different versions, like you might in a conventionally-packaged exe. I think we might end up checking in (or just saving in the file system) consistent versions at app and package level (having developed and tested in a separate schema or instance), and doing an overwrite of the prod app plus running a DDL script for package/function/procedure updates with schema deltas and other things like image uploads applied manually at cutover.
    I suspect that once I delve a bit deeper into where all these objects are stored, there will be more potential for scripting, but I'm not entirely confident that this will, reliably, give us entirely what we had in Pre-Prod. Another problem I've found with this approach is that packages don't get consistently replaced.
    It may simply be that we're applying waterfall concepts to what is really a RAD tool, but in any case this is my first Web-enabled development so I've been at sea with everything from design methodology to version control.
    Like you, I would be really interested to hear of other suggestions.
    Regards,
    John.

  • Access Remote DB Object using Public DB Link in Application Express -HTMLDB

    How to access and list remote database objects in HTMLDB - V2 (Application Express).
    I can query using Public DB Link with SQL.

    It is not possible. To create reports or forms on remote objects, create local views of the remote objects.
    Mike

  • Oracle OpenSSO Pattern Matching for Application Express "Free" Pages

    Has anyone successfully established a "Free" page within an Application Express application under Oracle's OpenSSO? The problem seems to be associated with the use of wildcards and the f?p syntax. In addition, the use of wildcards and multi-level wildcards in the OpenSSO un-enforced policy list seems to drop semi-colons from the posted URLs. We have successfully deployed applications which require authentication, but applications which contain a "free" landing page elude me.
    Any insight would be appreciated.
    Thank you.


  • Creating HTMLDB DAD for Application Express

    Good Morning
    I have http server running on port 7777 with PLSQL _mod. I can add DAD's using
    the Mod plsql configuration menu
    and get data back from procedures in my schema.
    I have downloaded and installed Application Express; it's all gone into
    FLOWS_02000 schema. It all loaded ok.
    I don't seem to have a htmldb DAD set up though.
    I tried to configure one using the Mod plsql configuration menu without success.
    Is there an application that creates the necessary configuration to get HTMLDB
    and http server working together?
    Thanks
    David Hills

    David,
    The installation guide (also included in the HTML DB 2.0 distribution) describes how to configure Oracle HTTP Server manually:
    http://download-west.oracle.com/docs/cd/B19306_01/install.102/b16375/post_inst.htm#BHAFJJDA
    Sergio

  • PDF Generators for Application Express

    Can anyone make a few recommendations on third party products, etc. that can create pdf reports from Application Express?
    Thanks,
    Bob T.

    Jes,
    I've found those docs and have installed plpdf under user plpdf. I've tried to get the test2 example working in the manual install manual and haven't figured it out yet. Can anyone provide specific instruction.........
    I've tried creating an anonymous pl/sql block in apex page. Created a process and inserted the test2 code there also. apex is telling me that it does not recognize plpdf.init method.......I've tried granting execute privileges but this hasn't made a difference.

  • How to use same database connection..... for application forms.

    hello
    I'm creating a database application using Java Swing and MySQL.... It's an MDI application..... I want to know how to use a single connection for all forms in the application.... Any example... because I'm new to Java Swing and MySQL applications.... I'll be thankful for a reply and solution....

    Cross post:
    http://forum.java.sun.com/thread.jspa?threadID=785812&messageID=4466100#4466100

  • Online Security with "best attempts" set for certificate verification

    As many others, I've had some security issues with both webkit browsers and the iTunes store after upgrading to 10.4.8 and running the late-November security update. Basically it was impossible to access https sites as well as the iTunes store without changing my certificate verification settings in Keychain.
    After switching Keychain preferences for certificates to "best attempt" for both OCSP and CRL, things are working fine again. But now my concern is about security. Basically, how insecure are such settings? Is Apple working at all on a fix for this or should I basically wait to upgrade to Leopard before expecting a solution?
    Thanks in advance.

    Hi Shadya10,
    Those are some pretty big questions! I'm not saying that your company can't become a CA because obviously there are companies that have, but this is almost something that happens at the state level if you're not already intimate with PKI. Just from the tenor of your questions I'd suggest you contract with a reputable, existing CA to provide your PKI infrastructure. I could explain key management and how revocation checking works, but really if you're asking in an Adobe forum this is way more than you want to be dealing with.
    If you're really interested you need to start with reading RFC 5280.
    Steve

  • How to build a form with multiple tables in oracle application express

    Hi everyone,
    I have got a problem in building a form with multiple tables. I have a main table with (20) columns and this main table is related to the other tables with the primary key-foreign key relationship. My requirement is I have to build a form which has fields from many tables and all the fields are related to the main table using the (ID) column. In that form, if I enter the ID field I have to get information from different tables.
    Please help me to solve this (building a form with multiple tables)
    Thank you
    sans

    Sans,
    I am no Apex expert, but with a situation as "complex" as yours, have you thought about creating a VIEW that joins these 7/8 tables, placing an INSTEAD OF trigger on that view to do all the business logic in the database, and base your application on the view?
    This is the "thick-database" approach that has been gaining momentum of late. The idea is to put your business logic in the database wherever possible, and let the application (Form, Apex, J2EE, whatever) concentrate on UI issues,

  • WPA security with both time capsule and airport express not working together

    I want to set WPA security on my time capsule so that my teenager cannot access wireless without permission but when I add a security key my airport express disappears from the list.
    I have tried setting a password then the time capsule restarts and when it does the airport express is gone from the list and cannot be found when rescanned.
    Do I need to set time capsule and then reset airport express by plugging it directly into desktop and resetting its software?
    Thanks

    I would suggest, reconnecting the Express to the TC again. Use the AirPort Utility to make ALL configuration changes including the network extending settings. Then restart both base stations and check that the settings are still good. Then disconnect the Express and give it a few minutes to initialize. It should connect. If not, then the issue may be either the distance or obstructions (like walls, ceilings, floors, etc.) that is preventing the Express from getting a signal from the TC that is adequate enough to extend.

  • How to find my post for Application express

    Hi,
    I posted a question last week but I can't find it. I know there has got to be a quick link to any and all my posts, isn't there? Sorry, this really seems like a dumb question but I've been on the site for a while and I can't find it.
    Thanks,
    tom

    1. Go to the link your control panel
    2. Then click on the link "Your public profile"
    I think there may be some quicker, shortcut method but this is the one I use myself. If anyone has a quicker method then please reply, I will also benefit from it.

  • Database or Application Express Authentication

    For an APEX application that resides behind a secured portal, which authentication scheme should I use?
    It seems to me Database authentication is more flexible (many db users granted with different privileges) while Application Express authentication is easier (one user with authorization not as flexible).
    Am I off on the assumption? Can someone tell me the pros and cons of the two?
    TIA,
    Yivon

    Hi, Dimitri --
    It is not Oracle portal. This portal is set up to limit access from public. I will have a link behind the portal, but I still need to limit access to groups of users with various permissions. Meaning whoever can click on the link does not necessarily have permission to access my APEX application, and even if he/she can access the application, he/she may not be able to access certain pages or buttons.
    My question is: which authentication scheme will be better and why.
    Thanks again,
    Yivon

  • Make execute privileges on a package default to all schemas

    I have to grant execute privileges on dbms_aq package to schemas created in our database. Instead of granting these privileges explicitly after a schema is created, is there a way to make dbms_aq executable for all schemas and any new schemas created thereafter?
    Something along the lines of dbms_utility having executable privileges for all schemas.
    thanks for your help

    "grant execute on dbms_aq to public"
