Friday, January 16, 2009

APEX - Application Express 3.2, More than a Forms Conversion Release

Application Express 3.2 has been advertised as a Forms Conversion release, but I've recently been looking over an additional category of enhancements that are due to be in the next early adopters release. It probably comes as no surprise to those who know me that the category is security. Below is a partial list of the enhancements as I understand them. Once I get my hands on the EA release I'll provide more significant commentary, but I like what I see so far.

Declarative authentication timeouts by session length and idle time

Only allow a developer to stay logged into the APEX builder for a specified period of time or time spent idle. This is handled server side, so just hacking the local cookie won't bypass the timeout--nice!
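To make the server-side point concrete, here is an added example (not APEX code) that models the two declarative timeouts with a session table held entirely on the server; the cookie name APEX_SID, the limits and the helper names are assumptions.

```python
"""Server-side enforcement of session length and idle timeouts (added example).

The browser only ever holds an opaque session id; both clocks live in the
server's own record, so editing cookie contents cannot extend a session.
"""
import secrets
from dataclasses import dataclass

MAX_SESSION_SECONDS = 8 * 3600   # assumed maximum session length
MAX_IDLE_SECONDS = 15 * 60       # assumed maximum idle time
COOKIE_NAME = "APEX_SID"         # assumed cookie name, not APEX's real one


@dataclass
class Session:
    user: str
    created: float     # server clock when the session was established
    last_seen: float   # server clock of the last accepted request


class SessionStore:
    def __init__(self, max_session=MAX_SESSION_SECONDS, max_idle=MAX_IDLE_SECONDS):
        self.max_session = max_session
        self.max_idle = max_idle
        self._sessions: dict = {}

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable id, the only thing sent to the client
        self._sessions[sid] = Session(user, created=now, last_seen=now)
        return sid

    def validate(self, sid: str, now: float) -> tuple:
        """Return (ok, reason), using only the server-side timestamps."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown session"
        if now - s.created > self.max_session:   # absolute lifetime is never reset
            self._sessions.pop(sid)
            return False, "session length exceeded"
        if now - s.last_seen > self.max_idle:     # idle clock restarts on each accepted request
            self._sessions.pop(sid)
            return False, "idle timeout"
        s.last_seen = now
        return True, "ok"


def authenticate_request(store: SessionStore, cookies: dict, now: float) -> tuple:
    """Only the session id is read from the request; any other client-supplied
    value (for example a forged LAST_ACTIVE cookie) is ignored."""
    return store.validate(cookies.get(COOKIE_NAME, ""), now)
```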

HTML Form settings for Password pages (autocomplete=off)
Does what it says.

Reduced privilege of APEX schema
No change to functionality, or really even to security as long as your FLOWS_xxx schema is secure, but any time you can skinny down privs to the minimum required it closes the possibility of a loophole.

Database monitoring disabled by default

Seems to make sense.

Declarative session state encryption
Now this makes great sense. APEX has a reasonably good security model in place to protect session state information, but we all know where session state is stored: in a single table in the FLOWS_XXX schema. I've never liked the idea that my SSN may hang out in that table for some DBA to look at, or that some rogue developer might write a hidden page that lets them go peek at my session state. Allowing a developer to indicate that an item be encrypted when saved in the database, without having to worry about encrypting and decrypting the item, greatly reduces the developer's burden--or more likely, means it will actually happen.

New Password item types that do not save state
In short, never persist this password data into the APEX session state table. I love the idea, though I wonder if a checkbox giving all items this option might not be better. We'll see how this turns out . . .

Ability to specify HTTPS for the APEX instance
In short, only allow the APEX builder to run when the browser is communicating via HTTPS.

OK, so how about one feature that is not on the list? Who would like a "Scratch" item type--an item that is never rendered, never posted and not settable on the URL? It would just be a place to store session state, somewhat like an application item that has session state protection enabled, but the item is on a page. Let me know what you think.


Dimitri Gielis said...

Nice list Anton! And yes I would love to see such a Scratch item type on a page. Like you mentioned, the way you have to do it now is by using an Application Item and restricting it to not be set from the browser (even if you only want to use that item on that page).

Louis-Guillaume Carrier-Bédard said...

I can't wait to get my hands on APEX 3.2!

Declarative authentication timeouts by session length and idle time

Declarative session state encryption

New Password item types that do not save state
I like the checkbox idea (giving all items this option)

"Scratch" item type
yes! yes! yes!


Tonguç said...

I think for this kind of information the corporate blog for apex: is a better place? Carl was on this one before he passed away.

It is really hard to follow each personal blog nowadays, at least for me :)

Anton Nielsen said...


I don't work for Oracle, so I'm not able to post to the official Oracle blog. I just do my best to pass along info I find interesting or helpful.


Tony Miller said...

It should be picked up by the APEX Blog Aggregator.. I look there at least once a day to see what new blogs have been posted!!

A great way to view them all at once..


Tony Miller
Webster, TX
"Understanding is a three edged sword. Your side, their side, and the truth" - Kosh Naranek

mhoys said...

Hello Anton,

I have a question regarding the new Password item type.
I am currently using Apex 3.1.2. When I log in to the Sample Application (username: demo, password: name of the workspace), and then click on the "Session" link, I don't see a value for the Password item. So was this already implemented in Apex 3.1.2?


Anton Nielsen said...


If you are using the built-in login page (101) then it will explicitly clear the cache. This is different than the new password type. The new type won't require an additional clear cache command--just choosing either "Password (does not save state)" or "Password (submits when Enter pressed, does not save state)" will keep it from saving in session state. Note that although the language is the same (does not save state) as with Display Only item types, the meaning is very different. Display Only (does not save state) means that it will NOT generate a hidden field in the html. You can still save state to the APEX session, though.

I hope this clarifies it a bit.


Matthias Hoys said...

Ah ok, it's clear now for me.
I have another application where I created a custom login form and there the password shows in the session cache after a successful log in. Guess the new password type would be useful here!

