Friday, January 11, 2013

APEX Listener PL/SQL Validations

There's a 2 ways to lockdown which applications/URLS are accessible for any APEX installation with the APEX Listener.

First, I showed the new javascript method in the 2nd half of this post.  This is very nice as it stops any database communication at all.

Now let's talk about the PL/SQL validation function and the part that I forgot to document.  The normal  PL/SQL Validation that has been in mod_plsql for a long time is supported.  With that method, you have a function that takes in a varchar and returns a boolean if it's allowed or not.  The input is the last portion of the URI.  That means for Application Express it would be something like "f" or "wwv_flow.show".  This works great if you want to allow or deny an entry point.

function authorize(
    procedure_name in varchar2)
    return boolean;

The bind is assumed in this case and not needed in the configuration.  The config file for this would look like this
<entry key="apex.security.requestValidationFunction">
authorize
</entry>

The new way is similar however you can reference some bind values.  This offer more flexibility on which web server which Application Express applications are allowed on.

Let's take and example of 1 Application Express install where there is a public application ( app id 123 ) and an admin application ( app id 456) .  For security reasons, the admin application is not to be accessible to the internet.  The following function would only allow app id 123 and allow all others be blocked.

create or replace function is_allowed(
    flow_id in varchar2,
    page_id in varchar2)
    return boolean as
begin
   if ( flow_id = 123 ) then
      return true;
   end if;
   return false;
end;
/ 
show errors


The configuration for this would look like:

<entry key="apex.security.requestValidationFunction">
is_allowed(flow_id=>:P_FLOW_ID,page_id=>:P_FLOW_STEP_ID)
</entry>

There Apex Listener looks for the bind and puts them in automatically when referenced.  The full list available is:
 :URL, :PROCNAME, :P_FLOW_ID , :P_FLOW_STEP_ID, :P_INSTANCE, :P_PAGE_SUBMISSION_ID , :P_REQUEST"    

Now that the external webserver is setup and locked down to only our 123 application.  There is another Apex Listener installed on an internal webserver.  This internal install could run with no function at all and that would allow all applications to be accessible.