<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta http-equiv="Content-Script-Type" content="text/javascript" /> <title>Configuring Security Attributes</title> <meta name="generator" content="Oracle DARB XHTML Converter (Mode = ohj/ohw) - Version 5.1" /> <meta name="date" content="2009-04-14T16:11:26Z" /> <meta name="robots" content="noarchive" /> <meta name="doctitle" content="Configuring Security Attributes" /> <meta name="relnum" content="Release 3.2" /> <meta name="partnum" content="E11947-01" /> <link rel="copyright" href="dcommon/html/cpyr.htm" title="Copyright" type="text/html" /> <link rel="stylesheet" href="dcommon/css/blafdoc.css" title="Oracle BLAFDoc" type="text/css" /> <link rel="contents" href="toc.htm" title="Contents" type="text/html" /> <link rel="up" href="preface.htm" title="Home" type="text/html" /> <link rel="up" href="bldr.htm" title="Using Application Builder" type="text/html" /> <link rel="up" href="bldr_attr.htm" title="About Application Attributes" type="text/html" /> <link rel="up" href="bldr_attr_sec.htm" title="Configuring Security Attrib..." 
type="text/html" /> <link rel="prev" href="bldr_attr_standard.htm" title="Previous" type="text/html" /> <link rel="next" href="bldr_attr_global.htm" title="Next" type="text/html" /> </head> <body> <p><a id="CHDJGEAG" name="CHDJGEAG"></a></p> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h1><a name="HTMDB25081" id="HTMDB25081"></a>Configuring Security Attributes<a id="sthref386" name="sthref386"></a><a id="sthref387" name="sthref387"></a></h1> <p>You can provide security for your application by configuring attributes on the Edit Security Attributes page. 
The Security Attributes you choose apply to all pages within an application.</p> <a id="sthref388" name="sthref388"></a> <p class="subhead2">Topics:</p> <ul> <li> <p><a href="#CHDCFJGD">Accessing the Edit Security Attributes Page</a></p> </li> <li> <p><a href="#CHDHIBHE">About the Security Attributes Page</a></p> </li> </ul> <div align="center"> <div class="inftblnotealso"><br /> <table class="NoteAlso oac_no_warn" summary="" cellpadding="3" cellspacing="0"> <tbody> <tr> <td align="left"> <p class="notep1">See Also:</p> <a href="sec.htm#BGBGGGDE">"Managing Application Security"</a></td> </tr> </tbody> </table> <br /></div> <!-- class="inftblnotealso" --></div> <a id="CHDCFJGD" name="CHDCFJGD"></a> <div class="sect3"><!-- infolevel="all" infotype="General" --> <h2><a name="HTMDB25082" id="HTMDB25082"></a>Accessing the Edit Security Attributes Page</h2> <p>To access the Edit Security Attributes page:</p> <ol> <li> <p>On the Workspace home page, click the <span class="bold">Application Builder</span> icon.</p> </li> <li> <p>Select an application.</p> </li> <li> <p>Click <span class="bold">Shared Components</span>.</p> <p>The Shared Components page appears.</p> </li> <li> <p>Under Security, click <span class="bold">Edit Security Attributes</span>.</p> </li> </ol> <p>The Edit Security Attributes page appears.</p> <a id="CJGDHEDD" name="CJGDHEDD"></a> <div class="sect4"><!-- infolevel="all" infotype="General" --> <h3><a name="HTMDB25083" id="HTMDB25083"></a>About Navigation Alternatives</h3> <p>The Edit Security Attributes page is divided into the following sections: Authentication, Authorization, Database Schema, Session State Protection, and Virtual Private Database. 
You can access these sections by scrolling down the page, or by clicking a navigation button at the top of the page.</p> <img src="img/sec_attribute_tabs.gif" alt="Description of sec_attribute_tabs.gif follows" title="Description of sec_attribute_tabs.gif follows" longdesc="img_text/sec_attribute_tabs.htm" /><br /> <a id="sthref389" name="sthref389" href="img_text/sec_attribute_tabs.htm">Description of the illustration sec_attribute_tabs.gif</a><br /> <br /> <p>When you select a button at the top of the page, the selected section appears and all other sections are temporarily hidden. To view all sections of the page, click <span class="bold">Show All</span>.</p> </div> <!-- class="sect4" --></div> <!-- class="sect3" --> <a id="CHDHIBHE" name="CHDHIBHE"></a> <div class="sect3"><!-- infolevel="all" infotype="General" --> <h2><a name="HTMDB25084" id="HTMDB25084"></a>About the Security Attributes Page</h2> <p>The following sections describe the attributes available on the Edit Security Attributes page.</p> <a id="sthref390" name="sthref390"></a> <p class="subhead2">Topics:</p> <ul> <li> <p><a href="#CHDIFJEI">Authentication</a></p> </li> <li> <p><a href="#CHDFBDGG">Authorization</a></p> </li> <li> <p><a href="#CHDCIDGC">Database Schema</a></p> </li> <li> <p><a href="#BGBDEDCH">Session Timeout</a></p> </li> <li> <p><a href="#CHDCDIAE">Session State Protection</a></p> </li> <li> <p><a href="#CHDFCFGD">Virtual Private Database (VPD)</a></p> </li> </ul> <a id="CHDIFJEI" name="CHDIFJEI"></a> <div class="sect4"><!-- infolevel="all" infotype="General" --> <h3><a name="HTMDB25085" id="HTMDB25085"></a>Authentication<a id="sthref391" name="sthref391"></a><a id="sthref392" name="sthref392"></a><a id="sthref393" name="sthref393"></a></h3> <p><span class="bold">Authentication</span> is the process of establishing users' identities before they can access an application. 
Although you can define multiple authentication schemes for your application, only one scheme can be current at a time. <a href="#CHDIIBAI">Table: Authentication Attributes</a> describes the attributes available under Authentication.</p> <div class="tblformal"><a id="sthref394" name="sthref394"></a><a id="CHDIIBAI" name="CHDIIBAI"></a> <p class="titleintable">Authentication Attributes</p> <table class="Formal" title="Authentication Attributes" summary="This table describes the attributes available under Authentication on the Edit Security Attributes page." dir="ltr" border="1" width="100%" frame="hsides" rules="groups" cellpadding="3" cellspacing="0"> <col width="31%" /> <col width="*" /> <thead> <tr align="left" valign="top"> <th align="left" valign="bottom" id="r1c1-t24">Attribute</th> <th align="left" valign="bottom" id="r1c2-t24">Description</th> </tr> </thead> <tbody> <tr align="left" valign="top"> <td align="left" id="r2c1-t24" headers="r1c1-t24"> <p>Home Link<a id="sthref395" name="sthref395"></a><a id="sthref396" name="sthref396"></a><a id="sthref397" name="sthref397"></a></p> </td> <td align="left" headers="r2c1-t24 r1c2-t24"> <p>Specifies a URL or procedure that should be run when you run the application.</p> <p>Home Link could contain the relative URL used to locate the application home page. For example, <code>f?p=6000:600</code> would specify application 6000 with a home page number of 600. In this example, the value you enter in Home Link replaces the <code>#HOME_LINK#</code> substitution string in application templates.</p> <p>You can also use this attribute to name a procedure. For example, you could create a procedure such as <code>personal_calendar</code> that renders an HTML page to serve as the application home.</p> <p><span class="bold">Note:</span> Do not use the Home Link attribute to determine the page that displays after authentication. 
The page that displays after authentication is determined by other components within the application's authentication scheme.</p> <p><span class="bold">See Also:</span> <a href="concept_sub_strings.htm#CIHHHHDD">"HOME_LINK"</a></p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r3c1-t24" headers="r1c1-t24"> <p>Login URL<a id="sthref398" name="sthref398"></a><a id="sthref399" name="sthref399"></a></p> </td> <td align="left" headers="r3c1-t24 r1c2-t24"> <p>Replaces the substitution strings <code>&LOGIN_URL.</code> in HTML or <code>#LOGIN_URL#</code> in templates.</p> <p><span class="bold">See Also:</span> <a href="concept_sub_strings.htm#BCEHHHGD">"LOGIN_URL"</a> and <a href="sec_auth_create.htm#BABICFBJ">"Creating an Authentication Scheme"</a></p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r4c1-t24" headers="r1c1-t24"> <p>Public User<a id="sthref400" name="sthref400"></a><a id="sthref401" name="sthref401"></a></p> </td> <td align="left" headers="r4c1-t24 r1c2-t24"> <p>Identifies the Oracle schema used to connect to the database through the database access descriptor (DAD). The default value is <code>ANONYMOUS</code> in environments where the database server version is Oracle Database Express Edition and it is <code>APEX_PUBLIC_USER</code> for all other versions of the database server.</p> <p>Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string <code>APP_USER</code>.</p> <p><span class="bold">Note</span>: Previous versions of Oracle Application Express used the built-in substitution string <code>HTMLDB_PUBLIC_USER</code>.</p> <p>When <code>APP_USER</code> equals this value, the Application Express engine considers the current session to be a public user session. 
The Application Express engine supports the following built-in display conditions:</p> <ul> <li> <p>USER_IS_PUBLIC_USER</p> </li> <li> <p>USER_IS_NOT_PUBLIC_USER</p> </li> </ul> <p>If the current application user (<code>APP_USER</code>) equals the value of this attribute, then the user is logged on as a public user. Some applications have public (not logged in) and private (logged in) modes. By determining if the user is the public user, you can conditionally display or hide information.</p> <p>For example, you can show a login button if the user is the public user and a logout link if the user is not a public user. Reference this value using <code>APEX_APPLICATION.G_PUBLIC_USER</code>. The Application Express engine also has built-in condition types <code>USER_IS_PUBLIC_USER</code> and <code>USER_IS_NOT_PUBLIC_USER</code>.</p> <p><span class="bold">See Also:</span> <a href="concept_sub_strings.htm#CIHHHHDD">"HOME_LINK"</a> and <a href="concept_cond_process.htm#BEIEBEHI">"Understanding Conditional Rendering and Processing"</a></p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r5c1-t24" headers="r1c1-t24"> <p>Define Authentication Scheme<a id="sthref402" name="sthref402"></a><a id="sthref403" name="sthref403"></a></p> </td> <td align="left" headers="r5c1-t24 r1c2-t24"> <p>Click this button to define an authentication scheme.</p> <p><span class="bold">See Also:</span> <a href="sec_auth_about.htm#BABCEGGJ">"Understanding How Authentication Works"</a> and <a href="sec_auth_create.htm#BABICFBJ">"Creating an Authentication Scheme"</a></p> </td> </tr> </tbody> </table> <br /></div> <!-- class="tblformal" --></div> <!-- class="sect4" --> <a id="CHDFBDGG" name="CHDFBDGG"></a> <div class="sect4"><!-- infolevel="all" infotype="General" --> <h3><a name="HTMDB25086" id="HTMDB25086"></a>Authorization<a id="sthref404" name="sthref404"></a><a id="sthref405" name="sthref405"></a><a id="sthref406" name="sthref406"></a><a id="sthref407" name="sthref407"></a><a
id="sthref408" name="sthref408"></a></h3> <p>Authorization controls user access to specific controls or components based on user privileges. You can specify an authorization scheme for your application by making a selection from the <span class="bold">Authorization Scheme</span> list. You can assign only one authorization scheme to an entire application. However, you can assign an authorization scheme to individual pages, page controls (such as a region, a button, or an item), or a shared component (such as a menu, a list, or a tab).</p> <p>To create an authorization scheme, click <span class="bold">Define Authorization Schemes</span>.</p> <p>An authorization scheme is a binary operation that either succeeds (equals true) or fails (equals false). If it succeeds, then the component or control can be viewed. If it fails, then the component or control cannot be viewed or processed. When you attach an authorization scheme to a page and it fails, an error message displays instead of the page. However, when you attach an authorization scheme to a page control (for example, a region, a button, or an item) and it fails, no error page displays. 
Instead, the control either does not display or is not processed or executed.</p> <div align="center"> <div class="inftblnotealso"><br /> <table class="NoteAlso oac_no_warn" summary="" cellpadding="3" cellspacing="0"> <tbody> <tr> <td align="left"> <p class="notep1">See Also:</p> <a href="sec_authorization.htm#BABEDFGB">"Providing Security Through Authorization"</a></td> </tr> </tbody> </table> <br /></div> <!-- class="inftblnotealso" --></div> </div> <!-- class="sect4" --> <a id="CHDCIDGC" name="CHDCIDGC"></a> <div class="sect4"><!-- infolevel="all" infotype="General" --> <h3><a name="HTMDB25087" id="HTMDB25087"></a>Database Schema<a id="sthref409" name="sthref409"></a><a id="sthref410" name="sthref410"></a><a id="sthref411" name="sthref411"></a><a id="sthref412" name="sthref412"></a><a id="sthref413" name="sthref413"></a></h3> <p>Use <span class="bold">Parsing Schema</span> to specify the database schema for the current application. Once defined, all SQL and PL/SQL commands issued by the application will be performed with the rights and privileges of the defined database schema.</p> </div> <!-- class="sect4" --> <a id="BGBDEDCH" name="BGBDEDCH"></a> <div class="sect4"><!-- infolevel="all" infotype="General" --> <h3><a name="HTMDB25221" id="HTMDB25221"></a>Session Timeout<a id="sthref414" name="sthref414"></a><a id="sthref415" name="sthref415"></a><a id="sthref416" name="sthref416"></a><a id="sthref417" name="sthref417"></a><a id="sthref418" name="sthref418"></a></h3> <p>Use the following attributes to reduce exposure, at the application level, to abandoned computers with an open Web browser:</p> <ul> <li> <p><span class="bold">Maximum Session Length in Seconds</span> - Enter a positive integer representing how many seconds a session used by this application will exist. Leave the value <code>NULL</code> for the session to exist indefinitely. 
This session duration may be superseded by the operation of the job that runs every eight hours and deletes sessions older than 24 hours.</p> </li> <li> <p><span class="bold">Session Timeout URL</span> - Enter an optional URL to be redirected to when the Maximum Session Length in Seconds has been exceeded. If implemented in Oracle Application Express, the target page in this URL should be a public page. A common use for this page would be to inform the user of the session expiration and to present a login link or other options. If no URL is supplied, the user is redirected to the application home page.</p> </li> <li> <p><span class="bold">Maximum Session Idle Time in Seconds</span> - Enter a positive integer representing how many seconds of inactivity or idle time a session used by this application should permit. The idle time is the time between one page request and the next one. Leave the value <code>NULL</code> to prevent session idle time checks from being performed.</p> </li> <li> <p><span class="bold">Idle Timeout URL</span> - Enter an optional URL to be redirected to when the Maximum Session Idle Time in Seconds has been exceeded. If implemented in Oracle Application Express, the target page in this URL should be a public page. A common use for this page would be to inform the user of the session expiration. 
If no URL is supplied, the user is redirected to the application home page.</p> </li> </ul> <div align="center"> <div class="inftblnotealso"><br /> <table class="NoteAlso oac_no_warn" summary="" cellpadding="3" cellspacing="0"> <tbody> <tr> <td align="left"> <p class="notep1">See Also:</p> <a href="sec_session_timeout.htm#CHDEBHEF">"Understanding Session Timeout"</a> and "Configuring Session Timeout" in <span class="italic"><a href="http://www.oracle.com/pls/db112/lookup?id=AEADM293">Oracle Application Express Administration Guide</a></span></td> </tr> </tbody> </table> <br /></div> <!-- class="inftblnotealso" --></div> </div> <!-- class="sect4" --> <a id="CHDCDIAE" name="CHDCDIAE"></a> <div class="sect4"><!-- infolevel="all" infotype="General" --> <h3><a name="HTMDB25088" id="HTMDB25088"></a>Session State Protection<a id="sthref419" name="sthref419"></a><a id="sthref420" name="sthref420"></a><a id="sthref421" name="sthref421"></a><a id="sthref422" name="sthref422"></a></h3> <p>Enabling Session State Protection can prevent hackers from tampering with URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.</p> <p>To enable or disable Session State Protection for your application, make a selection from the Session State Protection list. 
Setting Session State Protection to <span class="bold">Enabled</span> turns on session state protection controls defined at the page and item level.</p> <p>To configure Session State Protection, click <span class="bold">Manage Session State Protection.</span></p> <div align="center"> <div class="inftblnotealso"><br /> <table class="NoteAlso oac_no_warn" summary="" cellpadding="3" cellspacing="0"> <tbody> <tr> <td align="left"> <p class="notep1">See Also:</p> <a href="sec_session_protection.htm#CDDGIGJH">"Understanding Session State Protection"</a></td> </tr> </tbody> </table> <br /></div> <!-- class="inftblnotealso" --></div> </div> <!-- class="sect4" --> <a id="CHDFCFGD" name="CHDFCFGD"></a> <div class="sect4"><!-- infolevel="all" infotype="General" --> <h3><a name="HTMDB25089" id="HTMDB25089"></a>Virtual Private Database (VPD)<a id="sthref423" name="sthref423"></a><a id="sthref424" name="sthref424"></a><a id="sthref425" name="sthref425"></a></h3> <p>Use this attribute to enter a PL/SQL block that sets a Virtual Private Database (VPD) context for the current database session associated with the current "show page" or "accept page" request. The block you enter here is executed at a very early point during the page request, immediately after the <code>APP_USER</code> value is established. The value of <code>APP_USER</code> (using <code>:APP_USER</code> or <code>v('APP_USER')</code>) may be used within the block. Values of other items in session state may be referenced as well, but any such items must have been established in session state before the initiation of the current page request. 
Consider the following example:</p> <pre xml:space="preserve" class="oac_no_warn">
dbms_session.set_context('CTX_USER_QRY','USERPRIV',my_package.my_function(:APP_USER));
</pre> <p>The previous example sets the value of <code>USERPRIV</code> in the context named <code>CTX_USER_QRY</code> to the value returned by the function <code>my_function</code> in package <code>my_package</code>. The function is passed the current value of <code>APP_USER</code> as an input argument. Presumably, the named context would be used in a VPD policy (created within the application's parsing schema) to effect the generation of predicates appropriate to the authenticated user.</p> <p>Virtual Private Database, also known as Fine-Grained Access Control or FGAC, is an Oracle database feature that provides an application programming interface (API) that enables developers to assign security policies to database tables and views. Using PL/SQL, developers can create security policies with stored procedures and bind the procedures to a table or view by means of a call to an RDBMS package. Such policies are based on the content of application data stored within the database, or based on context variables provided by Oracle database. In this way, VPD permits access security mechanisms to be removed from applications, and to be situated closer to particular schemas.</p> <p>The code entered in this section need not pertain to VPD/FGAC; in fact, it may not be related to security at all. Any code that needs to be executed at the earliest point in a page request can be placed here. 
For example, to set the database session time zone for every page request:</p> <pre xml:space="preserve" class="oac_no_warn">
BEGIN
   EXECUTE IMMEDIATE 'alter session set time_zone = ''Australia/Sydney'' ';
END;
</pre> <div align="center"> <div class="inftblnotealso"><br /> <table class="NoteAlso oac_no_warn" summary="" cellpadding="3" cellspacing="0"> <tbody> <tr> <td align="left"> <p class="notep1">See Also:</p> <a href="sec_authorization.htm#BABEDFGB">"Providing Security Through Authorization"</a> and <a href="http://www.oracle.com/pls/db112/lookup?id=OLSAG"><span class="italic">Oracle Label Security Administrator's Guide</span></a></td> </tr> </tbody> </table> <br /></div> <!-- class="inftblnotealso" --></div> </div> <!-- class="sect4" --></div> <!-- class="sect3" --></div> <!-- class="sect2" --> <!-- Start Footer --> <div class="footer"> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <col width="86%" /> <col width="*" /> <tr> <td align="left"><span class="copyrightlogo">Copyright © 2003, 2009, Oracle and/or its affiliates. All rights reserved.</span><br /> <a href="dcommon/html/cpyr.htm"><span class="copyrightlogo">Legal Notices</span></a></td> <td align="center"><a href="bldr_attr_standard.htm"><img src="dcommon/gifs/leftnav.gif" alt="Previous" /><br /> <span class="icon">Previous</span></a> </td> <td align="center"><a href="bldr_attr_global.htm"><img src="dcommon/gifs/rightnav.gif" alt="Next" /><br /> <span class="icon">Next</span></a></td> </tr> </table> </div> <!-- class="footer" --> </body> </html>
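The Virtual Private Database (VPD) section sets USERPRIV in CTX_USER_QRY and leaves the policy that consumes it to the reader. The following is an added example, not part of the Oracle documentation, showing the context, its trusted package, a policy function, and the policy registration together. The ORDERS table, its OWNER_NAME column, the package VPD_CTX_PKG and the policy name ORDERS_BY_USER are hypothetical, and the SET_CONTEXT call is wrapped in the package because the database accepts it for a namespace only from the package named in CREATE CONTEXT.

```sql
-- Added example (not Oracle's code). Hypothetical names: ORDERS table with an
-- OWNER_NAME column, package VPD_CTX_PKG, policy ORDERS_BY_USER.
-- Assumes it runs in the application's parsing schema with CREATE ANY CONTEXT
-- and EXECUTE on DBMS_RLS granted.

-- Bind the namespace to one trusted package: DBMS_SESSION.SET_CONTEXT for
-- CTX_USER_QRY succeeds only when called from inside VPD_CTX_PKG.
CREATE OR REPLACE CONTEXT ctx_user_qry USING vpd_ctx_pkg;

CREATE OR REPLACE PACKAGE vpd_ctx_pkg AS
  -- Called from the VPD attribute on every page request
  PROCEDURE set_user (p_app_user IN VARCHAR2);
  -- Policy function with the two-argument signature DBMS_RLS expects
  FUNCTION orders_predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END vpd_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY vpd_ctx_pkg AS
  PROCEDURE set_user (p_app_user IN VARCHAR2) IS
  BEGIN
    -- Start clean so a reused database session never keeps a value that
    -- was set for an earlier request.
    DBMS_SESSION.CLEAR_ALL_CONTEXT('CTX_USER_QRY');
    IF p_app_user IS NOT NULL THEN
      DBMS_SESSION.SET_CONTEXT('CTX_USER_QRY', 'USERPRIV', UPPER(p_app_user));
    END IF;
  END set_user;

  FUNCTION orders_predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- Returned as text and appended to the statement's WHERE clause. With no
    -- context value the comparison is against NULL, so no rows match.
    RETURN 'owner_name = SYS_CONTEXT(''CTX_USER_QRY'', ''USERPRIV'')';
  END orders_predicate;
END vpd_ctx_pkg;
/

-- Attach the policy to the table for reads and writes. update_check makes
-- inserted and updated rows satisfy the same predicate.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_USER',
    function_schema => USER,
    policy_function => 'VPD_CTX_PKG.ORDERS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- Value to enter in the application's Virtual Private Database attribute:
--   vpd_ctx_pkg.set_user(:APP_USER);
```

Because the predicate compares against the context value rather than concatenating APP_USER into the returned text, the user name never becomes part of the SQL that the policy generates.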