Questions on Authentication, Security, and APEX_PUBLIC_USER

Hello,
I’m evaluating APEX and my DBAs have some questions about authentication and database connections. I have audit tables in my schema (created using Oracle Designer) and I’ve noticed that APEX_PUBLIC_USER is the user recorded in my created_by and modified_by columns. I’ve read several posts about this expected behavior and its solution, UPPER(NVL(V('APP_USER'),USER)). See:
Re: User in journal
Re: DB connection by apex_public_user or by registered schema name?
How can I store the user name, not APEX_PUBLIC_USER
I’m OK making the changes in my triggers, but my question is what the consequence is from the DBAs' perspective. If there are 100 users in my application and the DBAs look at current database connections, it will show 100 APEX_PUBLIC_USERs, correct? What about any internal Oracle auditing? This is really my first true venture into web-style programming. Maybe this is expected behavior.
I also noticed that there are 157 PUBLIC grants to objects in the FLOWS_030000 schema. This means that any DB account has access to these objects by default. Is this a security risk? I would have expected the objects to be granted directly to APEX_PUBLIC_USER. My company is heavily audited in both an internal and a Sarbanes-Oxley (SOX) sense. This may not be a concern to everyone, but it may be a concern to us. How do other people explain/justify this?
Are we expected not to make DB accounts and only create users inside of APEX? I know APEX supports DB authentication, but I haven’t seen any definitive “best practice” recommendations on this. I have looked at all the documentation here:
http://download-west.oracle.com/docs/cd/B32472_01/doc/nav/portal_booklist.htm
Is there more documentation with a better explanation than this?
Can anyone explain how APEX_PUBLIC_USER has no direct privilege on tables in my schema, yet it is the user recorded for DML changes?
I know this is a lot of questions; we're just trying to get a better understanding of APEX before we make the commitment to begin using it.
Thanks for the help.
Message was edited by: jabolen
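As an added worked example (not code from the original thread), here is a trigger that applies the UPPER(NVL(V('APP_USER'),USER)) fix the question cites, followed by a check an application page can run to see which identities are in play, and a query the DBA can run against V$SESSION. The table and column names are assumed. The MODULE, ACTION and CLIENT_IDENTIFIER columns of V$SESSION are only populated if the APEX version in use sets them; treating them as populated is an assumption here.

```sql
-- Added example, not from the original thread. Table and column names are hypothetical.
CREATE TABLE emp_audit_demo (
  emp_id      NUMBER PRIMARY KEY,
  ename       VARCHAR2(30),
  created_by  VARCHAR2(128),
  created_on  DATE,
  modified_by VARCHAR2(128),
  modified_on DATE
);

CREATE OR REPLACE TRIGGER emp_audit_demo_biu
  BEFORE INSERT OR UPDATE ON emp_audit_demo
  FOR EACH ROW
DECLARE
  -- V('APP_USER') is the user authenticated to the APEX application.
  -- Outside an APEX session (SQL*Plus, a batch job) it returns NULL,
  -- so fall back to USER, which is then the real database session user.
  l_user VARCHAR2(128) := UPPER(NVL(V('APP_USER'), USER));
BEGIN
  IF INSERTING THEN
    :NEW.created_by := l_user;
    :NEW.created_on := SYSDATE;
  END IF;
  :NEW.modified_by := l_user;
  :NEW.modified_on := SYSDATE;
END;
/

-- Run from inside the application (a SQL report region, for example):
-- USER / SESSION_USER is the pooled account (APEX_PUBLIC_USER),
-- CURRENT_SCHEMA is the application's parsing schema,
-- and V('APP_USER') is the person who logged in to the application.
SELECT USER                                     AS user_fn,
       SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS parsing_schema,
       V('APP_USER')                            AS apex_user
  FROM dual;

-- For the DBA: every pooled connection shows USERNAME = APEX_PUBLIC_USER.
-- Assumption: this APEX version sets MODULE/ACTION/CLIENT_IDENTIFIER via
-- DBMS_APPLICATION_INFO / DBMS_SESSION; if it does not, those columns are NULL.
SELECT sid, serial#, username, module, action, client_identifier, logon_time
  FROM v$session
 WHERE username = 'APEX_PUBLIC_USER';
```

The trigger keeps working for non-APEX sessions because the NVL fallback records the real database user; the only audit-column value that changes is the one that used to read APEX_PUBLIC_USER.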

This FLOWS_xxxxxx schema has enough privilege to do DML in my schema (probably why FLOWS_xxxxxx is locked). Is that about right?
Sort of. It has privilege to dynamically execute your DML (and other code) using your schema, so it is your schema that parses the code. (search: sys.dbms_sys_sql)
...enterprise-level identity management solutions... Is one example of that creating DB accounts? I assume others are SSO, LDAP, etc. Where can I read about the pros and cons of these choices?
Good topic for another thread: Best tools for managing user populations (tens, hundreds, thousands, internal company vs. internet/public, etc.) One key factor is who's going to do the work and how does that fit with your business, e.g., user forgets password -> user calls help desk (24/7?) -> help desk accesses admin account and resets password...Will help desk admin use EM, Application Express admin app, SQL*Plus, OID admin, ...?
About authorization and roles, be aware that roles are useful in an Application Express environment only if you have a database user account for each application user (presumably named the same as the account the application user uses to authenticate, regardless of how the username/password lookup is performed, i.e., using the database account's password, LDAP, or something else) and your authorization code has enough privileges to check the current user's default roles, again the roles assigned to the database user account that corresponds to the application user name. This precludes the use of dynamically enabled roles. It also requires your application parsing schema to be able to access global views like dba_tab_privs. So, IMO, it's not the most streamlined approach unless you already have (or don't mind maintaining) a database user account for every named application user, a provision that may be unnecessary to support your authentication (vs. authorization) requirements.
About ref cursors, there wouldn't be any privilege problems - your application's parsing schema must have the privilege to execute whatever definer's rights packages are to be called, and these packages, as you said, would do the DML. As to other issues involving the use of ref cursors, we'd need to know more about your approach and how you want to define reports. I suggest you build a small prototype app and try it out.
Scott
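An added example of the role check Scott describes, not code from the thread: a function usable as an APEX authorization scheme of type "PL/SQL Function Returning Boolean" that looks up the default roles of the database account named after the APEX user. It assumes such an account exists, that the parsing schema holds a direct SELECT grant on DBA_ROLE_PRIVS (a grant received through a role is not visible to a stored function), and the role name APP_MANAGER and function name are hypothetical.

```sql
-- Added example, not from the original thread.
-- Prerequisite (run as SYSDBA; parsing schema name is hypothetical):
--   GRANT SELECT ON sys.dba_role_privs TO my_parsing_schema;
CREATE OR REPLACE FUNCTION has_default_role (p_role IN VARCHAR2)
  RETURN BOOLEAN
IS
  l_count PLS_INTEGER;
BEGIN
  -- The lookup keys on the APEX user name, so a database account with
  -- exactly that name must exist; with no APEX session V('APP_USER')
  -- is NULL and the function returns FALSE (deny by default).
  SELECT COUNT(*)
    INTO l_count
    FROM sys.dba_role_privs
   WHERE grantee      = UPPER(V('APP_USER'))
     AND granted_role = UPPER(p_role)
     AND default_role = 'YES';   -- only statically granted default roles count;
                                 -- roles enabled with SET ROLE are never seen here
  RETURN l_count > 0;
END;
/

-- Authorization scheme body (scheme type: PL/SQL Function Returning Boolean):
--   RETURN has_default_role('APP_MANAGER');
```

Because DBA_ROLE_PRIVS lists direct grants only, a role granted to the account through another role is not matched; extend the query through the role hierarchy if that is needed.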

Similar Messages

  • Question about wireless security and setup.

    OK, I have a pretty long house and my router is in the garage and I want wireless access in my bedroom. Here's the deal. Coming from the wall I have a cable modem plugged into a WRT54G. That feeds 5 or 6 different WIRED PCs on that side of the house, but the other side isn't wired. So halfway across I have a WRE54G set up as a range extender to reach the bedroom. I just bought a WUSB11 because the PC in the bedroom has no open PCI slots, and doesn't need the speed of G, so a B connection should be fine. If I turn off all security everything is OK, everybody gets connected, including the neighbors. So I turned on WEP in the router WRT54G, it generates 6 keys. I set up the WRE54G from my laptop sitting right next to it, and I enabled WEP in that as well and entered key #2 from the list supplied by the WRT54G; key #1 went into my laptop, which connects just fine. HOWEVER, in the bedroom the WUSB11 sees the network just fine, but no matter WHAT key I enter into the WUSB11 it will NOT connect in any way. Anyone have ANY ideas? I would REALLY love to have this working and I would HATE to have to turn off my security; I really don't like to trust my neighbors. thanks j

    thanks wizzard, now I had a chat going with Linksys tech support and they suggested that the WEP keys in all THREE devices be the same. Now I may have left out of my original message the fact that key #1 that was generated by the router is currently being used in an ACER laptop that has a NON-Linksys G device, and it connects just fine. So should EVERYTHING on the wireless be using the same key? And obviously the same transmit ID (1)? thanks for your help j

  • Several questions about Application Security

    Hello,
    I have several questions about Application Security and perhaps I need a few tips...
    I have a lot of users in a few groups which have access to my application! And the different groups should have only access to their pages.
    In my application I use trees to navigate through the application.
    So my idea is that i display different trees for the different user groups and restrict the user to access the URL....so the user can only see and contact "their" pages.
    I know how to create the logic behind the trees, but how can I create the restricted URL access...
    The "No URL Access" in the Session State Protection can not be used, because I use a lot of links in reports and HTML regions.
    Is there another way to solve that?
    But I am unsure if that is a "good" solution for my problem!
    What do you think about that?
    Am I going to do that too complicated?
    Could that be done by authentication or authorization?
    (By the way, I do not understand the differences between authentication and authorization. Can anyone help?)
    I would be glad for any reply!
    Thank you,
    Tim

    Hey Arie and Scott,
    thank you for your quick reply!
    Now I understand the context around authorization and authentication...
    I try the Access Control List and I think that is a very nice feature! Really good!
    But now I am wondering, how I can create more privileges?
    So that I have a few "end-user-roles" and then I can choose who have access to a page and who not!
    Does anybody know how to do that?
    Thank you,
    Tim

  • Wireless Authentication/Security Design questions

    Wireless newbie here... I was required to quickly stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote APs have associated with the 2106 in the main office and users can associate and authenticate with the 1130G APs and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:
    1) The user clients are Dell laptops with integrated wireless. They authenticate using LEAP. How do I migrate to EAP, or do I need to? I have a Cisco ACS doing RADIUS authentication now.
    2) Should I be using some kind of supplicant client on the laptops?
    3) How do I filter MACs so rogue APs and rogue clients can't try and associate?
    4) Am I correct in assuming the connections between the 1130 APs and 2106 are secured, and if so do I need to tweak anything to tighten them up?
    5) I have an AP in the main office building that I want to set up to detect rogue APs. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
    I have attached a diagram to help explain. Any help would be appreciated.
    v/r
    Chad

    1. LEAP is a form of EAP, so you must already have something terminating your EAP sessions. The WLC can do this to some extent, or ACS. Which one you chose will be based upon your requirements for manageability, scalability and feature-richness. I would suggest that PEAP-MSCHAPv2 provides a good balance of usability and security, and is significantly better than LEAP.
    2. No, stick with Windows XP SP2 supplicant. This can be configured using domain policy (2k3 SP1 or better) and is pretty good. Just make sure your laptops have new Intel drivers on them. Dell in particular have been quite bad with sending out old drivers in the builds.
    3. MAC authentication is now largely regarded as a waste of time. It is so easy to spoof a MAC address it's ridiculous, and it's a fair amount of work for the admin(s).
    4. The LWAPP tunnel encrypts all management / config / security related traffic between the AP and WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if packets are captured.
    5. All APs will do rogue detection, don't really need to have dedicated APs unless you're REALLY paranoid. Main benefit is quicker detection, but drawback is that the 'detector' AP won't serve clients.
    Regards,
    Richard

  • Forgot your security question in my account and I want to get it back

    Forgot your security question in my account and I want to get it back

    Provided you're still able to log in to your Apple ID, you should be able to follow this link through and change them:
    https://appleid.apple.com/cgibin/WebObjects/MyAppleId.woa/192/wo/4tSJBrdAn9ISICR 0hw7ubM/7.0.67.17.11.3.1?menuOption=EditAppleIDAndPassword
    Otherwise contacting support may be an option?

  • Hello there... When I want to change my security question I can't, and it shows me an email that is not mine to send the information for changing the security question. How do I fix this problem?

    Hello there... When I want to change my security question I can't, and it shows me an email that is not mine to send the information for changing the security question. How do I fix this problem?

    Alternatives for Help Resetting Security Questions and/or Rescue Mail
         1. If you have a rescue email address or a Security Questions issue, then see:
             If you forgot the answers to your Apple ID security questions - Apple Support.
             Manage your Apple ID primary, rescue, alternate, and notification email addresses - Apple Support
         2. Fill out and submit this form. Select the topic, Account Security. You must
             have a Rescue Email to use this option.
         3. This is the only option if you do not already have a valid Rescue Email.
             These are telephone numbers for contacting Apple Support in your country.
             Apple ID- Contacting Apple for help with Apple ID account security. Select
             the appropriate country and call. Ask to speak to the Account Security Team.
         4. Account security issues almost always require you to speak directly to an
             Apple representative to securely establish your identity as the account holder.
             You can set it up so that Apple calls you, either immediately or at a time
             convenient to you.
                1. Go to www.apple.com/support.
                2. Choose Contact Support and click Contact Us.
                3. Choose Other Apple ID Topics and choose the appropriate topic for
                    your issue.
                4. Follow the onscreen instructions.
             Note: If you have already forgotten your security questions, then you cannot
             set up a rescue email address in order to reset them. You must set up
             the rescue email address beforehand.
    Your Apple ID: Manage My Apple ID.
                            Apple ID- All about Apple ID security questions.

  • When I got my iPhone they had me answer questions for security, and now I went to iTunes to buy something and they asked me totally different questions... so now I can't buy things from iTunes. Can I reset or change the questions?

    When I got my iPhone they had me answer questions for security, and now I went to iTunes to buy something and they asked me totally different questions... so now I can't buy things from iTunes. Can I reset or change the questions?

    Welcome to the Apple community.
    You might try to see if you can change your security questions. Start here, change your country if necessary and go to Manage your account > Password and Security.
    I'm able to do this; others say they need to input answers to their current security questions in order to make changes. I'm inclined to think it's worth a try; you don't have anything to lose.
    If that doesn't help you might try contacting Apple through Express Lane (select your country, navigate to iCloud help and enter the serial number of one of your devices)

  • HT5312 Hi, I forgot the answers to my security questions for my Apple ID and can't reset them

    Hi. I forgot the answers to my security questions for my Apple ID and can't reset them; after I verified my email address the link to reset the questions is not available.

    The reset link will only show if you have a rescue email address on your account - if you've just added an address then it will be an alternate/secondary email address, which is a different setting/address on your account (a rescue email address can only be added by answering 2 of your questions).
    You will need to contact iTunes Support / Apple to get the questions reset : http://support.apple.com/kb/HT5699
    When they've been reset you can then use the steps half-way down the page that you posted from to add a rescue email address for potential future use

  • Webservices security and authentication..?

    Hi Guys,
    Thanks for the previous help. Can anyone suggest a solution/mechanism to
    enforce security and authentication for published webservices?
    I have situation where an external system (of Business Partner) would
    like to request-services of webservices deployed via SOAP XML messaging.
    How could i authenticate the system requesting the service is our
    business partner system?
    Any suggestions welcome,
    thanks
    RA

    You have two choices:
    1. Use HTTP simple (password-based) authentication. This is
    usually called transport-level authentication.
    2. Use SOAP signature and timestamp (X.509 certificate based) authentication.
    This is called content-level authentication.
    In both cases, you need to modify the SOAP client to put in authentication information
    and add an interceptor on the server side to do the actual authentication before the SOAP router
    actually dispatches the calls to the service.
    Heyun Zheng

  • Hi, I have a problem: my security question email is blocked and I can't reset my security questions with the second email because I can't see the link

    Hi, I have a problem: my security question email is blocked and I can't reset my security questions with the second email because I can't see the link.

    You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.
    (117310)

  • HT5312 I want to buy apps but need the security questions; I forgot the security questions and I forgot the reset security info email address. What can I do? I know my ID and password

    I want to buy apps but need the security questions; I forgot the security questions and I forgot the reset security info email address. What can I do? I know my ID and password.
    I can't remember the questions or my reset security info email (address and password).
    What can I do? I want to buy apps but it needs to ask these questions.......

    Welcome to the Apple Community.
    Start here (change country if necessary) and navigate to 'Password and Security', reset your security questions using the link provided, you will receive an email to your rescue address, use the link in the email and reset your security questions.
    If that doesn't help, you don't receive a reset email or you don't have a rescue address, you should contact AppleCare who will initially try to assist you with a reset email or if unsuccessful will pass you to the security team to reset your security questions for you.
    If you are in a region that doesn't have international telephone support try contacting Apple through iTunes Store Support.

  • I can't download things just because I forgot the security questions, and I'm putting in the wrong answers to the security questions and they blocked me. How can I unblock it?

    I can't download things just because I forgot the security questions, and I'm putting in the wrong answers to the security questions and they blocked me. How can I unblock it?

    Forgotten Security Questions/Answers
    You need to contact Apple by:
    1 - Use the Express lane and start here:
    https://expresslane.apple.com
    then click More Products and Services>Apple ID>Other Apple ID Topics>Forgotten Apple ID security questions.
    or
    Apple - Support - iTunes Store - Contact Us
    2 - Call Apple in your country by getting the number from here:
    http://support.apple.com/kb/HE57
    or
    Apple ID: Contacting Apple for help with Apple ID account security
    3 - Use your rescue email address if you set one up
    Rescue email address and how to reset Apple ID security questions
    For general information see:
    Apple ID: All about Apple ID security questions

  • HT5312 Please, I forgot my security questions and my ID is blocked

    Please, I forgot my security questions and my ID is blocked.

    You need to contact Apple to get the questions reset. Click here, phone them, and ask for the Account Security team, or fill out and submit this form.
    (94232)

  • I forgot my security questions. Called Apple and they want to charge me $19.99 to talk with a real person. What else can I do?

    I forgot my security questions. Called Apple and they want to charge me $19.99 to talk with a real person. What else can I do? I don't have a reset button.

    See Kappy’s great User Tips.
    See my User Tip for some help: Some Solutions for Resetting Forgotten Security Questions: Apple Support Communities
    https://discussions.apple.com/docs/DOC-4551
    Rescue email address and how to reset Apple ID security questions
    http://support.apple.com/kb/HT5312
    Send Apple an email request for help at: Apple - Support - iTunes Store - Contact Us http://www.apple.com/emea/support/itunes/contact.html
    Call Apple Support in your country: Customer Service: Contacting Apple for support and service http://support.apple.com/kb/HE57
    About Apple ID security questions
    http://support.apple.com/kb/HT5665
    If you forgot the answers to your Apple ID security questions
    http://support.apple.com/kb/HT6170
    Cheers, Tom

  • I need help resetting my security questions. I try to and it says email sent, but I never get the email to my main email or alternate email. I never set my questions, but somehow they're set

    I need help resetting my security questions. I try to and it says email sent, but I never get the email to my main email or alternate email. I never set my questions, but somehow they're set, so I also can't buy apps without entering my question answers. Please help.

    Forgotten Security Questions/Answers
    You need to contact Apple by:
    1 - Use the Express lane and start here:
    https://expresslane.apple.com
    then click More Products and Services>Apple ID>Other Apple ID Topics>Forgotten Apple ID security questions.
    or
    Apple - Support - iTunes Store - Contact Us
    2 - Call Apple in your country by getting the number from here:
    http://support.apple.com/kb/HE57
    or
    Apple ID: Contacting Apple for help with Apple ID account security
    3 - Use your rescue email address if you set one up
    Rescue email address and how to reset Apple ID security questions
    For general information see:
    Apple ID: All about Apple ID security questions
