Saturday, November 12, 2016

Application authorization scheme

When building an application in Oracle Application Express, we can restrict access to pages, regions, buttons, items, ... by using Authorization Schemes. In this blog post I will focus on applying a scheme to (all) pages.

For example, I can create a simple scheme that just checks whether I am a valid user:

After that, I can go to a page in my application and apply this scheme:

If I log into the application with a user that is not ALJAZ and go to the page with this scheme, I will see the following message:

In general, if we want our application to be secure, we should apply an authorization scheme to all pages. Normally our application starts with just a few pages, but over time it grows, and sometimes we forget to add an authorization scheme to newly created pages. When that happens, every user who can log in to the application has access to these pages. But at least users must still log in to access these pages, right? What if we are using Single Sign-On to allow access to our applications? In this case, once I'm logged in (and authenticated) to my company's network, I have access to all unprotected pages in all APEX applications.

We can agree that it is a good idea to check our applications for unprotected pages. To do that, we can simply use the Advisor utility, which performs this check (among many other useful checks). For example, in my demo application page 1 is unprotected and I see this result:
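As an added example (not code from the original post), here is the body of the simple "only ALJAZ" scheme described above, followed by a query over the APEX dictionary views that lists the pages without any authorization scheme, which is the same gap the Advisor reports. Application id 100 is a placeholder, and the assumption that APEX_APPLICATION_PAGES.AUTHORIZATION_SCHEME is NULL for an unprotected page is mine.

```sql
-- (1) Authorization scheme body, Scheme Type "PL/SQL Function Returning Boolean".
--     :APP_USER is the APEX built-in holding the authenticated user name;
--     the scheme evaluates to TRUE only for the user ALJAZ.
BEGIN
  RETURN UPPER(:APP_USER) = 'ALJAZ';
END;

-- (2) Pages that rely on nothing but "the user is logged in".
--     Run as the parsing schema / workspace user that owns the application.
--     Assumption: AUTHORIZATION_SCHEME is NULL when no page-level scheme is set.
SELECT page_id,
       page_name,
       page_requires_authentication
  FROM apex_application_pages
 WHERE application_id = 100           -- placeholder application id
   AND authorization_scheme IS NULL   -- no page-level scheme applied
 ORDER BY page_id;
```

Any row returned by (2) is a page that a Single Sign-On user would reach with no check beyond authentication; once the Application Authorization Scheme described later in the post is set, these pages inherit it.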

One option is to go to all those pages and apply an authorization scheme. But this still does not solve the original problem: we might forget to apply the scheme on newly created pages. There is, however, one really nice feature/setting in APEX that solves exactly this problem: the Application Authorization Scheme. We can find this setting if we go to Edit Application Security Attributes (Edit Application / Security Tab).

By setting the Application Authorization Scheme, we apply this scheme to all unprotected pages in our application (if a page already has an authorization scheme, the scheme on the page is used). An additional setting we can specify is whether this scheme is also applied to public pages.

In this way, even when we create new pages, these pages are protected.