How to secure an Apex application?

I have created an Apex web based application and like to distribute the URL to public.
Any user can query something and can insert new records (but not update or delete).
How can I prevent my site from malicious attacks?
Eg. some bots trying to insert junk data million times.
Some junk trying to run automated queries to fetch all data from database
Any other suggestions welcome.
Thanx

Hi
Session State protection
Example:
http://apps2fusion.com/at/64-kr/400-preventing-url-tampering-using-apex-session-state-protection
Explaination
http://theheat.dk/oracle/ukoug2007/Lorenzen-apex.ppt
Regards,
Iloon
Don't forget to mark replies helpful or correct ;)

Similar Messages

Securing my APEX application from theft.

I have an APEX application that I have created and am delivering to a customer.
How do I make it so they can’t copy it and use it in other departments without buying a new licensee?
How can I make it so their employees can’t steal the application?
Technically speaking

I'm not sure there is a way to make it 100% secure. If you don't have any control over the customer's environment, any future developer could technically undo any licensing measures you've added. Your best bet would be to get the customer to agree to some sort of Terms of Use which would give you future legal recourse. My only other thought is to host some parts of the application on your own site which would give you more control over licensing, but then you run into problems when connectivity goes down on either end.

How to access my Apex application as a website

On my Windows 8.1 desktop machine, the stack is,
Oracle Standard 11g R2
Apex 4.2.6
ORDS 2.0.10
Open Source Glassfish 4.1
Apache Tomcat 8.0.21
Apache HTTP Server 2.4.3
Port details
Apex ORDS - 8080
Glassfish - 8090
Tomcat - 8888
Apache HTTP server - 9090
I have done Port Forwading to myDesktop on my home wi-fi as follows
Apex ORDS 8080
Glassfish 8090
Tomcat 8888
Apache HTTP server 9090
Following is c:\windows\system32\drivers\etc\hosts
127.0.0.1       localhost
::1                 localhost
100.100.1.1     myDesktop       ( This is fixed IP of the desktop at my home network. This is made up here )
100.100.1.1     www.my_website.com       ( This is fixed IP of the desktop at my home network. This is made up here )
c:\Program Files\Apache Software Foundation\Apache2.4\conf\httpd.conf
Listen 80
c:\Program Files\Apache Software Foundation\Apache2.4\conf\extra\httpd-vhosts.conf
<VirtualHost *:80>
    ServerName www.my-website.com
    ServerAlias my-website
    ErrorLog "logs/my-website.com-error.log"
    TransferLog "logs/my-website.com-access.log"
    Redirect / http://www.my-website.com/ords/f?p=100:LOGIN_DESKTOP
    <Location /ords/>
        ProxyPass               http://localhost:8888/ords/
        ProxyPassReverse        http://localhost:8888/ords/
    </Location>
    <Location /i/>
        ProxyPass               http://localhost:8888/i/
        ProxyPassReverse        http://localhost:8888/i/
    </Location>
</VirtualHost>
When I access 111.111.11.11:8888 from outside, I can access Tomcat page successfully.
( 111.111.11.11 is my static IP provided by my ISP ).
Without internet, I can access the Apex Admin page on the same desktop machine by www.my-website.com/ords/f?p=4550. This indicates, all the stack is working properly.
But if I access www.my-website.com, over the internet, I only get blank page.
(my domain is registered with GoDaddy and I forwarded to 111.111.11.11 which is my static IP)
Why can't I access my Apex application over the internet by typing the website.

Hi 3ds/Niranjan,
     To all the forum members, this thread is related to : 2 applications on one website
     I have helped him to setup architecture like this : Dimitri Gielis Blog (Oracle Application Express - APEX): Preparing architecture for APEX 5.0 upgrade
     The above architecture is setup properly on his home PC. He has obtained a domain from GoDaddy and on the domain he has configured redirect to his home PC.
     This redirect thing will not work I have explained him. For an APEX application to be accessible on internet(hosted) it should be hosted on APEX hosting solution providers domain. Refer : https://apex.oracle.com/pls/otn/f?p=24793:11::::::
     OR there is cloud option available.
     Refer :
hosted or cloud ? Apex...
Re: Apex on Cloud?
     Forum members can provide more clearance on this issue.
     Hope this helps!
Regards,
Kiran

How to secure the Webdynpro Application name ?

Hi Experts,
I have a requirement to send the Webdynpro Application name to Outlook inbox where the users will logs into that application and they will see the view the data and clicks on some action(Approve or Reject).
Now the my client does not want send that actual Webdynpro URL to outlook mailbox as it is having some security issues(host and domain details). Instead of that, can we change the actual Application name to any custom name by changing the host , domain and etc, parameters ?
Thanks in Advance,
Regards,
Giri

Hi,
If you want to hide the application path, goto SICF transaction and then create an External Alias for your WDA application path and then send the Alias path name.
Suppose, you have the WDA application url as
host:port/sap/bc/webdynpro/<APPLICATION_NAME> . Instead of this you can just show
host:port/sap/<Your Name> ( or any other) using Alias.
Regards,
Kiran

Change security of adf application on weblogic

hi all,
i am new in weblogic. i set oid in weblogic succesfully. But i couldn't change security of adf application. Is there any documantationof how change security of adf application?

hi frank,
i mean that i set oid in myrealm which is my default security realm. I change order of Authentication Providers. all of the users of oid are in myrealm . However my application does not use this ldap configuration. i couldn't change security of application, and i need help. Before i deploy my 10.1.3 adf application to oc4j and during deployment i can set the security of application but i couldnt see anything like oc4j in weblogic
i configure my oid like below link
http://www.oracle.com/technology/products/jdev/tips/fnimphius/oidconfig/index.html

Deploy APEX Application

Hi,
I'm using Oracle Apex for development, I designed a small application. I checked with in my computer(as my PC is application server) when I use following link to different PC it can not be run
http://<my_pc_IP>:8080/apex/f?p=100:101:688126209521487:::::
can anyone describe me how I'll Deploy APEX Application?
Thank in advance.
Baloch

1. switch off firewall
2. Log to sqlplus as sys as sysdba and launch this:
begin
dbms_xdb.setListenerLocalAccess (l_access => FALSE);
end;
3. Try again

How to log in automatically to an Apex application

I'm looking for a way to launch an Apex app that uses database authentication from e.g. Forms without having to enter your username and password again and I found this clue in a document about extending Oracle Applications 11i with Apex:
"The next problem to overcome is the automatic logon to the Apex application. Here two approaches that could be used are:
1. Create an Apex public logon page where you can supply the username and password as parameters to the page;
2. Pass the username and password from Applications 11i to Apex in a cookie."
I'm more interested in the first option but I can't find any examples of it. The Apex sample application seems to have a login page but I can't figure out how it would accept the username and password as parameters?

Pauli,
This might be useful: Re: Direct Login to Application Remember to use https (SSL) if you are passing clear text passwords around, otherwise you need a more secure technique.
Scott

How to provide the user in an APEX application with low-vision apex option

Hi I've a small problem I'm trying to solve but can't seem to find anything on this.
The issue is this I've developed an application and the user can log on and use it successfully. For those users that are visually impared I need a link on my main application to a High Contrast version of the same application.
Is this even possible.
I don't want to have to create a new application using a high contrast theme, as I would need to maintain 2 applications in the end.
Is there a way of changing the colors at run time to a higher contrast version.
Many thanks.

Hi,
I just wanted to add to this discussion with some functionality introduced in APEX 4.1 that may help here. In APEX 4.1, we introduced a new 'High Contrast Mode' which basically identifies sessions as optimized for high contrast in the APEX development environment and websheet runtime. This allowed us to get around some issues we were having when a user was running in 'Windows High Contrast Mode' (where CSS background images are ignored) and also some issues with insufficent contrast. To read more about this mode, please see the 'About Constrast Mode' section in the 'Accessibility in Oracle Application Express' appendix here:
http://download.oracle.com/docs/cd/E23903_01/doc/doc.41/e21674/accessibility002.htm#BABBCIJD
Now, although this mode is available for use within your own database applications, it really only provides the framework for you to provision the mode and importantly, will not make any changes to your application (that's still up to you). But I think the framework is still useful and provides some nice API's to help you turn the mode on or off and also determine the status of the mode.
I have setup a simple example to show you how this works:
http://apex.oracle.com/pls/apex/f?p=11005:1
It's rudimentary, just showing 1 region if High Contrast Mode is on, and another if it's off. This page has the following:
1) Select list to select whether the mode is on or off.
2) Page process to set the mode, depending on the select list value. This performs the following PL/SQL (showing the APIs you can use to switch the mode on or off):
if :P1_HIGH_CONTRAST = 'Y' then
apex_util.set_session_high_contrast_on;
elsif :P1_HIGH_CONTRAST = 'N' then
apex_util.set_session_high_contrast_off;
end if;3) The region's have 'PL/SQL Expression' conditions that call another API that you can use to check if the current session is running in HC Mode. For example:
apex_util.is_high_contrast_sessionOnce the mode is enabled, it will remain enabled for the length of the current session (or until it is switched off). To understand more about how you can use HC Mode, please see here:
http://download.oracle.com/docs/cd/E23903_01/doc/doc.41/e21674/advnc001.htm#CIJCDGII
So as I said, the example I gave as kinda simple. But you could easily extend this to say include an additional CSS file when running in HC Mode (containing the CSS styles and properties that would give you the increased contrast). You could do this by adding a page zero page process to run before header, that calls the apex_util.is_high_contrast_session API to determine if the current session is in HC mode, then include the CSS file if so. To see an example of this, please see here:
http://download.oracle.com/docs/cd/E23903_01/doc/doc.41/e21676/apex_util.htm#autoId71
I hope this helps, at least with the framework side of things, if you can upgrade to 4.1 at all.
Regards,
Anthony.

How to deploy a secured ADF 11g application to WebLogic 10.3 server?

Hi,
I have just enabled security in our ADF 11g application, as descripbed in [chapter 29|http://download.oracle.com/docs/cd/E12839_01/web.1111/b31974/adding_security.htm#insertedID0] of the Fusion Developer's Guide. It works fine in the embedded WebLogic server of JDeveloper.
Now I'm trying to deploy to our WebLogic 10.3 server, which runs in production mode. I'm running into all sorts of problems. The WebLogic console seems to have hundreds of security related pages, I don't know which one I should use, let alone how to use it. The Fusion Developer's Guide doesn't cover deployment to a production server:
>
When the target server is configured for production mode, you typically handle the migration task outside of JDeveloper using tools like Oracle Enterprise Manager. For details about using tools outside of JDeveloper to migrate the policy store to the domain-level in a production environment, see the [Oracle Fusion Middleware Security Guide|http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/toc.htm].
>
However, this guide is of very little help to me. I found [chapter 7|http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/addlsecfea.htm#insertedID0], which says "The recommended tool is Fusion Middleware Control." I have no idea what "Fusion Middleware Control" is, where to get it and how to use it.
Long story short: I'm totally lost. I'm looking for a step by step guide on how to deploy a secured ADF 11g application to a WegLogic 10.3 server that is running in production mode. Any help is highly appreciated.

Ok, I found a [very helpful blog post |http://andrejusb.blogspot.com/2009/01/practical-adf-security-deployment-on.html] by [Andrejus Baranovski|http://www.blogger.com/profile/04468230464412457426]. I wish Oracle's documentation was as clear as this...
The blog post refers to an article by Steve Muench, called [Simplified ADF 11g Application Credential and Policy Migration to Standalone WebLogic Servers|http://www.oracle.com/technology/products/jdev/tips/muench/credmig111100/index.html]. This article presents an Ant script that migrates policies from JDeveloper to WebLogic, using some PFM. (See the last definition here.)
The problem is that Steve Muench's script assumes that JDeveloper and the standalone WebLogic are on the same machine. However, in a typical environment, such as the one I'm working in currently, this is not the case. In our case the developer stations are Windows machines, while our WebLogic server runs on a HP-UX machine. So the question is: how to perform this migration between two machines with different operating systems?
Regards,
Bart Kummel

How to Import 3.0 application in APEX 3.2?

How to Import 3.0 application in APEX 3.2? These two are on two different machines. It is not upgrade.
Pls help.

Hello,
APEX supports backward compatibility. It means that 3.2 version can run any application that was developed in earlier versions.
In your case, just export the full application from 3.0 and import it in the 3.2
Regards,
Arie.
&diams; Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.
&diams; Forthcoming book about APEX: Oracle Application Express 3.2 – The Essentials and More

How to display the entire application in two different languages in apex

Hi,
How to display the entire application in two different languages in apex...
For example i need to display each item in both English and Hindi..
To achieve this initially i have the select the language otherwise the item label alone ll be displayed in both languages ...
Anyhow how it ll be apex is it possible
Regards,
Pavan

Hi pars,
http://www.packtpub.com/sites/default/files/1346-chapter-6-creating-multilingual-apex-applications.pdf?utm_source=packtp…
In this link also i struck in
In page 10 of that document
The application is now ready to be translated. Everything is in place to run it in any language imaginable.To ca ll the application in another language, change the URL of your application to the following:
http://yourdomain:port/pls/apex/f?p=&APP_ID.:&PAGE_ID.:&SESSION_ID.:LANG:NO::FSP_LANGUAGE_PREFERENCE:nl
This example will call the chosen page in the application and show it in the Dutch language instead of in English. To select another language change the property nl at the end of the URL to your desired language code.
Thanks alot for ur suggestions.kindly provide more inputs..............

How to restore or backup Apex application from Command line ? URGENT

We have Oracle apex 4.1 installed in Oracle 11g R2 database (windows 64-bit) 2008 R2
For some reason our database dictionary objects are corrupted.
We wanted to backup our Apex applications in some workspaces ASAP.
We are not able to access apex from http://localhost:7777/pls/apex/htmldb_login
We have an underlying database schema export (expdp).
1) Is there a way to export or backup the apex application without logging into the apex URL ? if yes how ?
2) Does Oracle has any of its own native tool to backup and restore from command line ?
Thanks in advance

My (MS Windows) experience, if I may; perhaps you'll find something useful.
You'll find the README.TXT file in /apex/utilities directory. Read it.
In order to use APEXExport, you need JDK version 1.5 or higher. Check your version by typing (and viewing the result):
C:\>java –version
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)Its directory should be part of the PATH environment variable: on my computer, directory name isC:\Program Files\Java\jre1.6.0_06\binFurthermore, Oracle JDBC class libraries must be part of the CLASSPATH environment variable. Check whether it exists (in Control Panel - System - Advanced - Environment Variables). For my 10gXE, it is here:C:\oraclexe\app\oracle\product\10.2.0\server\jdbc\lib\ojdbc14.jarI couldn't make it work; didn't know that ".\" directory must be entered into CLASSPATH as well (found that information in Arie Geller's book). Therefore, my final CLASSPATH version is:.\;C:\oraclexe\app\oracle\product\10.2.0\server\jdbc\lib\ojdbc14.jarOK, setup is done. Now, go to your /apex/utilities directory and, from the command prompt, run (mind the upper case!)java oracle.apex.APEXExportwhich will show a short help.
I chose to export the whole workspace. In order to do that, I need the workspace ID (got it from Apex's SQL Workshop; that might be a problem as you can't get there, can you? I can't tell how to find that information apart from SQL Workshop, but I'm pretty sure someone, who is much more experienced than me, will know it). OK, here's how you find it:select v('WORKSPACE_ID') from dual;Finally, here's the final step - export:C:\apex\utilities>java oracle.apex.APEXExport -db localhost:1521:xe -user scott -password tiger -workspaceid 1038408092496568The result are fxxx.sql files (where "xxx" represents application number).
I hope you'll manage to export your applications; basically, nothing special here (except that ".\" directory in the CLASSPATH variable).
Best of luck!

How to Save HTML page in Apex application into our local Windows Box

Hi,
I am having one HTML page in my Apex Application. I want to download this page into my Local Windows machine. How to do this?
Thanks
Yash

I am having one HTML page in my Apex ApplicationWhat did you mean by this ?
<li> If you meant an application page, then they are anot stored as html file anywhere as the page that you see is generated at the run time only, however you can can save that run time page , but its of not much use.
<li> If your intention is to save/backup an apex page, go to the page and export it . This generates a SQL file which you can import into any other apex application and recreate that apex page.
<li> You can also export the entire application as a single file too.

How to secure one page not entire application?

Hi there,
I'm looking for some guidance on how to secure individual pages on my site. I've read a number of articles discussing creating a login using the Application.cfc. The thing is this approach locks down the entire site. I only want to secure a page. In my scenario, if the user hasn't logged in, and goes to a profile.cfm page, they will be asked to login. Once they login, they will then be directed to the profile.cfm page.
Any and all advice would be greatly appreciated.
Thanks.
Novian

Hi, Novian,
An option that come directly to mind is to check for the specific page to be locked down in onRequestStart of your Application.cfc.
This approach is relatively easy to implement but may not be the best approach (don't know how it might affect performance or something else). Basically, use a conditional in your onRequestStart method to see if the page being requested by the user is the page that needs to be secured. Something along the lines of:
<cffunction name="onRequestStart">
     <cfargument name="target_page" />
     <cfif target_page is 'super-secure-page.cfm'>
          
     </cfif>
</cffunction>
There are, of course, other options but this was a quick and easy one that came right to mind.

How to secure Oracle Applications?

i have implemented security mechanisms in the database,but i would like to know how to implement security in an application rather than doing so through the database?
Thank you

Hi Kiranjaly!
Basically there are some things to keep in mind:
When you put security in the application you still need to protect the data - as somebody could choose not to use the application to get access to the data (eg using SQLPlus).
Furthermore it would be a great idea to have a link between authentication and authorisation. My bet is to place the authorisation information in the OID (LDAP) as this is used for the authentication as well (SSO).
And of course you need auditing in the database, the application server and in the application.
cu
Andreas

How to secure an Apex application?

Similar Messages

Maybe you are looking for