By default, when you create an On Demand application process, no authorization scheme is selected, and that makes your On Demand processes publicly available and therefore very vulnerable: anyone who can reach the application can call them, whether or not they are logged in.

For example, suppose you create an On Demand application process named DUMMY, with no authorization scheme, that inserts a record into the DEPT table. It can easily be called from the browser console without being logged in to the application (e.g. on login page 101) by executing this JS statement:

apex.server.process("DUMMY",
    {x01: "IT", x02: "LOS ANGELES"},
    {dataType: "text"}
);

Table before the JS statement is executed:

DEPTNO | DNAME      | LOC
-------|------------|------------
10     | ACCOUNTING | NEW YORK
20     | RESEARCH   | DALLAS
30     | SALES      | CHICAGO
40     | OPERATIONS | BOSTON

Table after the JS statement is executed:

DEPTNO | DNAME      | LOC
-------|------------|------------
10     | ACCOUNTING | NEW YORK
20     | RESEARCH   | DALLAS
30     | SALES      | CHICAGO
40     | OPERATIONS | BOSTON
50     | IT         | LOS ANGELES

If you change the authorization scheme of your On Demand application process to Must Not Be Public User, it will no longer be publicly available, and unauthorized users will not be able to call it without logging in to the application.

Environment: APEX 4.2.5.00.08 and Oracle XE 11.2.0.2.0 database.
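Two things a practitioner would want after reading the vulnerable setup and the fix above: a way to find every On Demand process in a workspace that is still missing an authorization scheme, and a process body that refuses public sessions on its own, so the protection does not depend solely on a setting someone can later clear. Both are added here as an example; they are not code from the original post. The audit query assumes the APEX dictionary view APEX_APPLICATION_PROCESSES exposes columns PROCESS_POINT_CODE (with the value 'ON_DEMAND') and AUTHORIZATION_SCHEME (null when none is set); verify those names against the view in your APEX version. The process body is an assumed reconstruction of what DUMMY does (x01 becomes DNAME, x02 becomes LOC, new DEPTNO is the current maximum plus 10), since the post does not show its source. The apex_authentication.is_public_user check is an extra defense-in-depth measure, not the post's own fix, which is the Must Not Be Public User authorization scheme.

```sql
-- Part 1: audit query.
-- Assumption: APEX_APPLICATION_PROCESSES has PROCESS_POINT_CODE and
-- AUTHORIZATION_SCHEME columns. Lists every On Demand process in the
-- workspace with no authorization scheme, i.e. the configuration the
-- post shows being called from the login page without logging in.
select application_id,
       application_name,
       process_name,
       authorization_scheme
  from apex_application_processes
 where process_point_code = 'ON_DEMAND'
   and authorization_scheme is null
 order by application_id, process_name;

-- Part 2: hardened body for the DUMMY On Demand process.
-- Assumed reconstruction: the post does not show the original source.
-- The first statement refuses public (not logged in) sessions even if the
-- "Must Not Be Public User" scheme is later removed from the process.
declare
  l_deptno dept.deptno%type;
begin
  if apex_authentication.is_public_user then
     raise_application_error(-20001, 'Not authorized');
  end if;

  -- New DEPTNO = current maximum + 10 (assumption; matches 50 following 40).
  select nvl(max(deptno), 0) + 10 into l_deptno from dept;

  -- x01 / x02 arrive from apex.server.process as g_x01 / g_x02.
  insert into dept (deptno, dname, loc)
  values (l_deptno, apex_application.g_x01, apex_application.g_x02);

  htp.p('Inserted DEPTNO ' || l_deptno);
end;
/
```

Run the audit query as the workspace schema owner or another user with access to the APEX dictionary views; every row it returns is a process that should get an authorization scheme before the application is exposed. The in-process check costs nothing for logged-in users and turns a forgotten scheme into a refused request instead of an unauthenticated insert.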