Friday, January 16, 2009

APEX - Application Express 3.2, More than a Forms Conversion Release

Application Express 3.2 has been advertised as a Forms Conversion release, but I've recently been looking over an additional category of enhancements that are due to be in the next early adopter release. It probably comes as no surprise to those who know me that the category is security. Below is a partial list of the enhancements as I understand them. Once I get my hands on the EA release I'll provide more significant commentary, but I like what I see so far.

Declarative authentication timeouts by session length and idle time

Only allow a developer to stay logged into the APEX builder for a specified period of time or time spent idle. This is handled server-side, so just hacking the local cookie won't bypass the timeout--nice!
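To make concrete why server-side enforcement matters here, the following is an added illustration (not APEX code, and not how the builder implements it): a minimal in-memory session store that tracks both an absolute session lifetime and a sliding idle window on the server. The only thing the client ever holds is an opaque session id, so there is no expiry value in the cookie to tamper with. The limits, the `SessionStore` class and the injectable clock are assumptions made for the example.

```python
"""Server-side session timeouts by absolute length and idle time (added example)."""
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example; a real deployment sets these declaratively.
MAX_SESSION_SECONDS = 8 * 3600   # absolute lifetime from login
MAX_IDLE_SECONDS = 30 * 60       # maximum gap between two requests


@dataclass
class Session:
    user: str
    created: float    # server clock at login
    last_seen: float  # server clock at most recent validated request


class SessionStore:
    """Holds every timestamp on the server; the client only gets an opaque id."""

    def __init__(self, max_session=MAX_SESSION_SECONDS,
                 max_idle=MAX_IDLE_SECONDS, clock=time.time):
        self._sessions = {}
        self.max_session = max_session
        self.max_idle = max_idle
        self.clock = clock  # injectable so the behaviour can be tested deterministically

    def login(self, user):
        """Create a session and return the id that goes into the cookie."""
        sid = secrets.token_urlsafe(32)  # unguessable, carries no timing information
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None.

        Both limits are checked against server-side timestamps, so editing the
        cookie cannot extend a session; an unknown or forged id is simply rejected.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        too_old = now - s.created > self.max_session
        too_idle = now - s.last_seen > self.max_idle
        if too_old or too_idle:
            del self._sessions[sid]  # expired: drop it so it cannot be revived
            return None
        s.last_seen = now  # successful request slides the idle window
        return s.user

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    fake_now = [0.0]
    store = SessionStore(max_session=100, max_idle=10, clock=lambda: fake_now[0])
    sid = store.login("alice")
    fake_now[0] = 9
    print(store.validate(sid))   # alice: within idle window
    fake_now[0] = 40
    print(store.validate(sid))   # None: idle for 31 seconds
```

The idle check is a sliding window (each validated request resets `last_seen`), while the absolute check is measured from `created` and cannot be reset by activity; a session that stays busy still ends when the absolute limit is reached.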

HTML Form settings for Password pages (autocomplete=off)
Does what it says.

Reduced privilege of APEX schema
No change to functionality, or really even to security as long as your FLOWS_xxx schema is secure, but any time you can skinny down privs to the minimum required it closes the possibility of a loophole.

Database monitoring disabled by default

Seems to make sense.

Declarative session state encryption
Now this makes great sense. APEX has a reasonably good security model in place to protect session state information, but we all know where session state is stored: in a single table in the FLOWS_XXX schema. I've never liked the idea that my SSN may hang out in that table for some DBA to look at, or possibly have some rogue developer write some hidden page that lets them go peek at my session state. Allowing a developer to indicate that an item be encrypted when saved in the database, without having to worry about encrypting and decrypting the item, greatly reduces the developer's burden--or more likely, means it will actually happen.

New Password item types that do not save state
In short, never persist this password data into the APEX session state table. I love the idea, though I wonder if a checkbox giving all items this option might not be better. We'll see how this turns out . . .

Ability to specify HTTPS for the APEX instance
In short, only allow the APEX builder to run when the browser is communicating via HTTPS.

OK, so how about one feature that is not on the list? Who would like a "Scratch" item type--an item that is never rendered, never posted and not settable on the URL? It would just be a place to store session state, somewhat like an application item that has session state protection enabled, but the item is on a page. Let me know what you think.