Authentication is used to determine if a user is allowed to access an application. Unless an application is public, where no authentication is required, end users must specify a username and password to gain access. Oracle Application Express provides a number of built-in authentication schemes including:

• Oracle Application Express Managed Users
• Single Sign On
• Database Account Credentials
• Custom schemes

Authorization schemes are used within Application Express to control the rendering and processing of components based on user privileges. You apply authorization to an entire application, or selectively to pages, or page components such as tabs, regions, buttons, items, validations, processes, and so on. Authorization schemes either succeed or fail. Only if the associated authorization scheme succeeds will a user be able to see or use the component.

Workspace administrators can create new Application Express user accounts, manage existing user accounts, and change user passwords. Application Express user accounts can be workspace administrators, workspace developers, or end users. Development privileges are defined using Oracle Application Express user accounts however Oracle Application Express applications can be run using external authentication methods. Oracle Application Express user accounts can be locked and support password expiration and password complexity, as well as other rules.

Instance Administrators can define maximum session length and maximum idle time for Application Express developers. Similarly, developers can define maximum session length and idle time for each application which moderates access by end-users.

For testing and production instances, Oracle Application Express supports the ability to install just a runtime version. This minimizes the installed footprint and privileges. It also improves your application consistency because in a runtime instance developers cannot inadvertently update any application source.

Cross site-scripting (also referred to as XSS) is a security breach that takes advantage of dynamically generated Web pages. In a XSS attack, a Web application is sent a script that activates when it is read by a user's browser. Once activated, these scripts can steal data, even session credentials, and return the information to the attacker. If malicious code were introduced into an Oracle Application Express application, it could be rendered into HTML regions and other places within the application during normal page rendering. To learn more about potential vulnerabilities and secure coding practices to minimize such risks, see online Help.

SQL Injection enables input from an application to flow into a SQL statement, effectively altering the SQL statement. A very effective method to ensure SQL statements are protected from SQL injection is to use bind variables. Oracle Application Express supports the use of bind variables in all SQL and PL/SQL statements. To build a secure application all dynamic SQL needs to ensure that no end user input can be injected into the SQL statement.

Session State Protection is built-in functionality that prevents hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. Enabling Session State Protection is a two-step process. First, you enable the feature. Second, you set page and item security attributes.