APEX_PUBLIC_USER

I know that we should always lock FLOWS_XXX or APEX_040100 schemes for security reasons. We should also lock the APEX_PUBLIC_USER, too?

Thank you.
Andy

andychow wrote:
We should also lock the APEX_PUBLIC_USER, too?

Hello

It depends on do you use that user to connect to the database. For example, by default, you use APEX_PUBLIC_USER on mod_plsql and APEX listener and you can't block this user.
If you use Embed PL/SQL gateway, then by default, the user is ANONYMOUS and you can lock APEX_PUBLIC_USER.

Kind regards
Jari

http://dbswh.webhop.NET/dbswh/f?p=blog:Home:0

Tags: Database

Similar Questions

Confusion between ORDS_PUBLIC_USER and APEX_PUBLIC_USER

I was using ADR 2 and apex4 and now I have upgraded to ords3.02 and apex 5.0.2.
I had the problem with the url mapped and RESTful service. RESTful service does not work with URLs mapped. 404 error.
To resolve this problem, I replaced all APEX_PUBLIC_USER with ORDS_PUBLIC_USER in all the files of configuration of ADR, and that's how I solved the problem.

My questions are:
1 - is the medium recommended for installation of ADR?
2 is the APEX_PUBLIC_USER not need more?

Hi pchiu,

pchiu wrote:

I was using ADR 2 and apex4 and now I have upgraded to ords3.02 and apex 5.0.2.

I had the problem with the url mapped and RESTful service. RESTful service does not work with URLs mapped. 404 error.

To resolve this problem, I replaced all APEX_PUBLIC_USER with ORDS_PUBLIC_USER in all the files of configuration of ADR, and that's how I solved the problem.

This should not be done. Users of DB when configuring the ADR are intended for different purposes, and as a result they are given privileges during the installation of the APEX, the RESTful Web Services or setting up ADR configuration.

Reference: http://docs.oracle.com/cd/E56351_01/doc.30/e56293/install.htm#AELIG7180

My questions are:

1 - is the medium recommended for installation of ADR?

Just no.

As stated in above documentation and my interpretation:
- If you want to configure 3 ADR with APEX 5: Configure the ' PL/SQL gateway' during setup of the ADR. This means configuration APEX_PUBLIC_USER during the installation of the ADR.
- If you want to use the RESTful Web Services in Oracle APEX 5: Configure the RESTful Services after the installation of the APEX using apex_rest_config.sql (this step creates the APEX_LISTENER and APEX_REST_PUBLIC_USER with privileges). Configure APEX_LISTENER and APEX_REST_PUBLIC_USER during the installation of the ADR.
NOTE: This step is REQUIRED with 5 APEX and ADR as APEX 5 itself using RESTful Web Services internally to transmit static files in the shared components.

Reference: https://docs.oracle.com/cd/E59726_01/install.50/e39144/listener.htm#HTMIG29472
- (Required with ADR 3) ADR equipped RESTful Web Services configuration: this step configures users of ORDS_PUBLIC_USER and ORDS_METADATA RESTful Web Services that emit RESTful Web Services without using Oracle APEX (before ADR, RESTful Web Services required Oracle APEX 3.0). These users are created and account privileges during installation 3 ADR required.
2 is the APEX_PUBLIC_USER not need more?

Lol APEX_PUBLIC_USER is required if you want to configure the ADR with Oracle APEX.

I had the problem with the url mapped and RESTful service. RESTful service does not work with URLs mapped. 404 error.

I also had the same problem with ADR 3.0.1. You have configured a custom URL mapping?

Reference: an ADR - multiple databases

With ADR installable 3.0.2.294.08.40 'readme.html' file is provided with the section 'Changes since 3.0.1' paragraph 'Issues Fixed since 3.0.1' is provided which says:

BUG: 21448390 -Fix regression where several database mappings configured via url - mapping.xml did not work properly

Kind regards

Kiran

Question about APEX_PUBLIC_USER
I don't know how to set the authentication scheme"for our Apex application correctly.

Our applications Apex starts from a java application or a Web Forms application. For the java application or Webforms-request a correct connection has been made. Thus, a new connection to an Apex application name is unnecessary. That's why we chose the authentication scheme '(no authentication (with the help of DAD)) database'. The user can start an application Apex for example of Web forms, without an additional connection.
In the DAD we defined for the connection to the database from the user "APEX_PUBLIC_USER"! The Apex application works very well.

When an apex application is started, the application knows the user logged into the Web Forms. The user (webforms) will appear in the application of the apex, because we put the user as "wwv_flow.g_user: =: username".
Hollow of the user (=: username) control us access to the data manipulations or pages apex (= MEV). So, when you look at enforcement apex that you think, it is a public application, but it's not!

Our problem is that the application of the apex get no session number (-> "Session-Nr. = 0"). I think that this situation is the cause of our problems:
(1.) the user cannot save reports (interactive) (= > menue save is hide)
(2.) a user can copy the url of a pc to pc anothere (= browser)

I changed the application "public user" property of "APEX_PUBLIC_USER" to another value = > I always get the session nr "0". Only when I changed the user APEX_PUBLIC_USER in the DADS.conf to another user, the apex application works without these problems!

Is there a way to authenticate our apex application correctly?
Should I change the user (= APEX_PUBLIC_USER) in the DAD?
Why the "public user" applicaton property exist?

concerning
Robert
Hi Robert,.

APEX has not yet copied the URL of the item value in the element of your application using the Sentinel and invalid session procedures. The APEX_APPLICATION package has overall tables g_arg_names and g_arg_values that contain these values, however. You can use them to get the TOKEN value in the invalid session procedure. The globals are not documented and not officially supported, but we currently have no plans to remove them. You can also use owa_util.get_cgi_env ('QUERY_STRING') to analyze the parameters of f? p, if the use of variables not supported is about you.

Forms and Java should put the correct session id in the query, to join the existing sessions rather than create new ones. Here is how I could do this. You probably already have a sessions table that is shared between APEX and forms:
```
create table MY_SESSIONS (
    id number,
    apex_session number,
    java_session number,
    token number,
    token_valid_until date,
    created_at date not null,
    constraint MY_SESSIONS_PK primary key(id),
    constraint MY_SESSIONS_UQ_APEX_SESSION unique(apex_session),
    constraint MY_SESSIONS_UQ_TOKEN unique(token)
);
```
Startup forms, you put something like this in WHEN-NEW - EXAMPLE of the first form of FORM, create a new entry:
```
insert into MY_SESSIONS ( id, created_at )
values ( sys.dbms_crypto.randomnumber, sysdate )
returning id into :global.my_session_id;
```
When forms creates a link to the APEX, it uses a kind of code like this:
```
declare
    l_app number := 12345;
    l_page number := 42;
    l_token number := sys.dbms_crypto.randomnumber;
    l_url varchar2(4000) := 'https://host:port/apex/f?p=';
begin
    for i in ( select rowid, apex_session from MY_SESSIONS where id = :global.my_session_id for update nowait ) loop
        update MY_SESSIONS set
            token=l_token,
            token_valid_until=sysdate+1/24/3600
        where rowid = i.rowid;
        commit;
        web.show_document (
            'https://host:port/apex/f?p='||
            l_app||':'||
            l_page||':'||
            nvl(i.apex_session,0)||'::::TOKEN,P42_OTHERDATA:'||
            l_token||',4711' );
    end loop;
end;
```
On the 1st request, APEX will not get a session id again. The Sentinel fails and calls the procedure of invalid session. This verifies the token and success updates MY_SESSIONS with the new session id:
```
declare
    l_my_session MY_SESSIONS%rowtype;
begin
    -- read token
    for i in 1 .. apex_application.g_arg_names.count loop
        if apex_application.g_arg_names(i) = 'TOKEN' then
            select *
            into l_my_session
            from MY_SESSIONS
            where token = apex_application.g_arg_values(i)
            for update nowait;
            exit;
        end if;
    end loop;
    -- verify token and store session id for next requests
    if l_my_session.token_valid_until >= sysdate then
        update MY_SESSIONS set
            apex_session=apex_custom_auth.get_session_id,
            token = null,
            token_valid_until = null
        where id = l_my_session.id;
        commit;
    else
        raise no_data_found;
    end if;
exception when no_data_found then
    ... redirect to some error page or an APEX login page
end;
```
All subsequent applications that come in shapes will already have the correct session id and are not still must pass the TOKEN variable, as the Sentinel already accepts the session.

This is just a very rough sketch and probably has bugs, I did not test this. For example, you can add code that prevents the unrest in dup_val_on_index because of the existing of identifiers. I would also consider to implement this as a plug-in authentication instead of a custom authentication scheme.

Kind regards
Christian

Published by: Christian Neumueller on May 14, 2013 10:36
update fixed link block generation

Privileges APEX_PUBLIC_USER
Question about the safety of the APEX.

When the workspace is created, a tablespace and user is created in the database. This is done in APEX_PUBLIC_USER.
How to APEX_PUBLIC_USER with a limited number of privileges access DBA?
We traced session and saw 'CREATE USER', "CREATE the TABLESPACE" and other statements, not of procedure calls.
The question is: how session APEX_PUBLIC_USER access DBA when apex workspace is created if none of the users of the database has access to SYS. DBMS_SYS_SQL?

When you install APEX, user APEX_xxx is created, where xxx is version APEX. This user has DBA privileges like create/edit user, create tablespace etc. This user also has a large number of packages that are available to the PUBLIC.

APEX_PUBLIC_USER and dbms_rls.add_policy
Hello.

I'm working on a project that involves the use of the dbms_rls.add_policy, which combines the users of the database and, for example, the stores he has access.
The instalation of APEX is to use Application Express listener and my APEX 4.0.1 application using database authentication, which works very well.

My problem is, all the sessions created by the APEX application get associated APEX_PUBLIC_USER, resulting in security policy does not work properly, because the user it uses is APEX_PUBLIC_USER, instead of the actual DB of the user that made the connection in the application.

How can I get around this?
Can be associated with the user of the connection instead of the APEX_PUBLIC USER sessions?

It is urgent, so if you can help me I appreciate it.
Thank you
vssantos
Hello

"app_user' in VPD-policy evaluation is the best way to handle this requirement. See the other related threads in this forum, for example {: identifier of the thread = 1041457}.
There may be approaches with third-party modules, which has been discussed in another thread: {: identifier of the thread = 679813}. But I don't know if this is a possible way to resolve the issue. In any case, if you are not allowed to change the policy in a way that is recommended by the manufacturer, I did wonder if you can get third-party modules facing up and running.

-Udo

Delete APEX_PUBLIC_USER
Hello

I want to delete APEX_PUBLIC_USER, which is display UPPER left side.

How can I do that.
Hello Maury,

I guess that you do not want to remove the user from the DB, otherwise your application not working anymore... ;-)
You must change your page template. Somewhere in this model, there is a reference to #APP_USER #. Simply remove this piece and the text 'APEX_PUBLIC_USER' will disappear from the screen.

Greetings,
Roel

http://roelhartman.blogspot.com/

APEX_PUBLIC_USER creates several newspapers-ins in the database.
Hello

Our software team is new to the APEX, and the ADMINISTRATOR noted that whenever a user connects to an APEX application, there are several connections APEX_PUBLIC_USER created in the database.

As soon as I entered the URL, he had 3 records of the APEX_PUBLIC_USER in the instance.

Is this normal, or is there something that we should have Setup differently?

Thank you
Keisha
It's normal. You see the sessions created for the modplsql connection pool. This improves performance by keeping the connections available for applications expected.

Scott

Anonymous c APEX_PUBLIC_USER
I seem to get confused about the nature of these two accounts.

ANONYMOUS - used as a login account consolidated using a screen APEX

APEX_PUBLIC_USER - effectively a container has ORACLE for nicks APEX.

APEX_PUBLIC_USER never get used to connect?

Johnnie D
They are used for the same purpose. If you use the PL/SQL built-in (EPG) 11g, ANONYMOUS gateway creates the database session used for each HTTP request. If you are using Apache + modplsql, named in the DAD should be APEX_PUBLIC_USER. Both are accounts (schemas) of the database without any right except "create session".

Scott

exec as procedure analysis schema, not APEX_PUBLIC_USER
We have a package with a procedure:

CREATE OR REPLACE PACKAGE XGN4.xgn_generator$ pck
DEFINE ACE AUTHID
PROCEDURE cr_tab (tab_id in NUMBER);
END;

CREATE OR REPLACE XGN4.xgn_generator$ pck BODY of PACKAGE
PROCEDURE cr_tab (tab_id in NUMBER)
IS
BEGIN
immediately execute ('CREATE TABLE test (...)');
END;
END;

When I call this procedure of apex, it is always executed as 'APEX_PUBLIC_USER', but it takes the analysis scheme 'XGN4 '.

I thought "AUTHID DEFINE" should do the trick (it is standard when you are not using AUTHID), but it seems that there is no effect on the APEX...

Anyone?
Object must be granted to the patterns from the analysis of your application and system privileges he needs using "direct" subsidies, does not grant through roles.

Scott

apex_public_user how to get out
The user does not want to see apex_public_user, how do it empty
Go to the definition of the pages in your application. On the right where it says model, select the Page template (tabs, tabs No., etc.).
In the footer section remove the & USER. from the line that looks like this:

& USER.

403 random after new ApEx 4.2 installation

Hi guys,.
I got a new ApEx 4.2.6 installation which is served by an OHS.
At random, but often I get a 403 Forbidden error when you try to access it.
I added the PlsqlErrorStyle DebugStyle param in configuration to see the details and the error is:
Journal of the database failed
A name of user and password invalid caused, connect you to the database fails.
Check that the name of user and password you provided is correct.
ORA-01017: name of user and password invalid. connection refused error-Code: 1017 error TimeStamp:Fri, February 19, 2016 14:13:47 GMT
It's really confusing, because:
(a) the credentials for APEX_PUBLIC_USER are correct
(b) I think that such an error would be constant and not randomly.
Here is my configuration:
< /apex location >
SetHandler pls_handler
Order deny, allow
Allow all the
Docs PlsqlDocumentPath
PlsqlDocumentProcedure wwv_flow_file_manager.process_download
PlsqlDatabaseConnectString db.europisti.gr:1521:sun
PlsqlNLSLanguage AMERICAN_AMERICA. AL32UTF8
PlsqlAuthenticationMode Basic
PlsqlDocumentTablename wwv_flow_file_objects$
PlsqlDatabaseUsername APEX_PUBLIC_USER
PlsqlDatabasePassword password
Apex PlsqlDefaultPage
PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER_GROUPS
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER_EMAIL
PlsqlErrorStyle DebugStyle
< / location >
I'm really open to suggestions! :-)

A valid, albeit off-topic, question :-)

This has to do with another environment for which we wanted a second instance and did not want to go through the upgrade.

So, I seem to have found the reason for this strange behavior, although the reason is also a bit strange for me:

ESO was serving another instance of ApEx, another virtual host. It seems that the various bodies were mix and the connection error was given when he was using the wrong connection details...

As I said, I do not understand why it was to mixed up even though they are in different virtual servers...

Public User - Configuration vs request attribute

ADR 3.0, APEX 5.0.2
Most of our APEX applications have been there since earlier versions, so the application User Public attribute is set to HTMLDB_PUBLIC_USER. The configuration file apex/apex/conf/apex.xml ADR specifies the HTMLDB_PUBLIC_USER and the password. But our database audit trail (sys.aud$) displays connections made by APEX_PUBLIC_USER from the server running ADR. I checked, and I see some newer applications with the set of attributes User Public to APEX_PUBLIC_USER but that is what causes the database connections? I thought that all database connections have been made under the user name specified in the config apex.xml ADR file. I even blocked the apex_public_user account and the app worked fine.
This who/what connects as apex_public_user and why? What is the link between the user of the DAD in apex.xml and the application User Publicattribute?
Thank you

Hi VANJ.

Well, the good news is, that you have set up users rest (with the apex_rest_config.sql script) correctly.

Everything works correctly, the following occurs:
1. To download the static files in APEX 5 they had put in place a mechanism to support relative paths. With ADR, they use the APEX rest Webservices by the users APEX_LISTENER and APEX_REST_PUBLIC_USER. With mod_plsql they use PlsqlPathAliasProcedure wwv_flow.resolve_friendly_url ( https://docs.oracle.com/cd/E59726_01/install.50/e39144/http_server.htm#HTMIG29263 )
2. With ADR, the following sequence occurs when you use a static file:
  1. a connection is established using APEX_LISTENER to search for the required RESTful webservice definition.
  2. is a connection using APEX_REST_PUBLIC_USER and a proxy connect via the user APEX_PUBLIC_USER that happens in the database itself. The apex_public_user session is not connected directly from the outside, but with apex_rest_public_user and then the identity of the user is enabled.
You can see the definition here:

So what is happening is perfectly normal, and you can even watch behind the scenes.

I created a web service by using the following query:

Select ' AUTHENTICATED_IDENTITY: ' | sys_context ('USERENV', 'AUTHENTICATED_IDENTITY'),

"CURRENT_SCHEMA...: ' |" sys_context ('USERENV', 'CURRENT_SCHEMA'),

"CURRENT_SCHEMAID...: ' |" sys_context ('USERENV', 'CURRENT_SCHEMAID'),

"ENTERPRISE_IDENTITY...: ' |" sys_context ('USERENV', 'ENTERPRISE_IDENTITY'),

"IDENTIFICATION_TYPE...: ' |" sys_context ('USERENV', 'IDENTIFICATION_TYPE'),

"OS_USER...: ' |" sys_context ('USERENV', 'OS_USER'),

"PROXY_USER...: ' |" sys_context ('USERENV', 'PROXY_USER'),

"PROXY_USERID...: ' |" sys_context ('USERENV', 'PROXY_USERID'),

"SESSION_USER...: ' | '. sys_context ('USERENV', 'SESSION_USER'),

"SESSION_USERID...: ' |" sys_context ('USERENV', 'SESSION_USERID'),

"SESSIONID...: ' | '. sys_context ('USERENV', 'SESSIONID'),

'SID...................: '|| sys_context ('USERENV', 'SID'),

user

of the double

In fact, this will reveal the different identities:

In this example, the user executing the statement is 'TRAINING', but the proxy connection to the database user is "APEX_REST_PUBLIC_USER". This proxy authentication is really cool because she seems to be a separate direct connection using the schema of analysis... and everything in the context (even select user to twice) works very well. This is different from the way in which APEX implements the schema of analysis using dbms_sys_sql.parse_as_user which sometimes causes headaches.

in any case, everything looks good,

~ Dietmar.

Question about upgrading a database using Experienced/IMPDB

Hi all.
Now that we have the opportunity to virtualized environments, i´ll perform some tests on the upgrade of a production environment, always on 10g (10.2.0.4 64-bit) to 11g Rel2 (11.2.0.4) on 64-bit Linux.
Although my preferred method would use DBUA, I know you can use Oracle Datapump for the same purpose. Before the test, I would like to clarify something:
Oracle Enterprise Manager repository will be excluded from the exp file?. I mean, even if I need an expfull of the database, whereas I m excluding the following diagrams (those that come pre created on the original database):
USERNAME
------------------------------
DBSNMP
SYSMAN
MGMT_VIEW
SYSTEM
FLOWS_FILES
MDSYS
ORDSYS
EXFSYS
SCOTT
WMSYS
ORACLE_OCM
APPQOSSYS
XS$ NULL
APEX_030200
OWBSYS_AUDIT
MDDATA
ORDDATA
CTXSYS
ANONYMOUS
OUTLN
DIP
APEX_PUBLIC_USER
XDB
So, technically this won´t an EXPFULL, but that's what I really need. For example, I Don t want to APEX, FLOW_FILES patterns, nor DBSNMP and SYSMAN, etc..
In short, using this syntax will solve my problem: exclude = pattern: '("USER1", "User2") IN'?
Best regards, Luis.

A full export does not, by default, the system schemas that contain metadata export and data managed by Oracle. Examples of system schemas that are not exported by default include SYS , ORDSYS , and MDSYS .

http://docs.Oracle.com/database/121/Sutil/GUID-BA07401C-6261-4B07-AD2C-06CD0A6E0BE9.htm#SUTIL851

This means that you don't need to worry about excluding these patterns related to the system.

I think that the OEM schema is exported because it is just another scheme.

Page Designer, it takes time to save page almost 15 seconds. !

Hello..
My problem is:
Page Designer, it takes time to save page almost 15 seconds. Or when save creator of the Page after you edit something, I found slow down to save the process, taking more than 15 seconds to save the changes to the page.
It was not before to install the new OS for my PC, its not normal before.
Components of the OS:
OS Linux
Core i5
8G of RAM
Apex 5.0.2
Java 8
listener ADR v2.0.9
Server glassFish 4.1
I looked inside the Google I find no matter what topic, discuss or resolve the problem around APEX framework of work, but all topics tALC on how to speed up, more performance for server GlassFish.
Note "APEX_PUBLIC_USER to unlock."
I want to help me.

Hi Amr Abdeen,

AMR Abdeen wrote:

Chubby Kiran fac586

Please help me

First of all I would like to you to use the tools of development of the browser and check under the tab "Console" when the page designer is responsible for checking if there are JS errors after loading page designer. Also check the 'Network' tab to investigate on what goes wrong.

As the code-behind Page Designer is designed by "Oracle APEX Development Team", it is difficult to know where is the problem, why it behaves like that and what should be the solution. Yes, better you can drop an email from retail [email protected] on the problem you are experiencing OR if you have support contracts with Oracle, then raise this issue on My Oracle Support (MOS).

Looping in Patrick Wolf-Oracle, John Snyders-Oracle and Christian Neumueller-Oracle to Oracle APEX development team.

Kind regards

Kiran

Other necessary permission for apex_util to APEX 5 vs 4.2

Hello
APEX 4.2 against APEX 5.0
Using the EPG for the test.
Accounts of the APEX
I have a small procedure that retrieves the information of users with APEX_UTIL. FETCH_USER of a session not authenticated (the user did not connect to the app yet).
APEX 4.2 I got it works by the granting of the APEX_ADMINISTRATOR_ROLE for the owner of the schema of the application.
If I use the same configuration to the APEX 5 I get the below error:
The nobody user requires ADMINISTRATOR privileges to perform this operation.
Contact your administrator for the application.
I also tried the grant execute rights on APEX_UTIL directly to the owner of the schema but no luck. In another installation with the ADR program I also tried to give the role and run rights to APEX_PUBLIC_USER, but it does not work.
If I execute direct SQL procedure * more connected as the owner of the schema it works without problem so the change is probably the user executing the statement of APEX (in a configuration of ADR, it should be APEX_PUBLIC_USER).
Can someone explain the difference of rights required between en 4.2, 5.0 or the user who is running the APEX session during the execution of APEX_UTIL procedures or point me in the direction of a solution?
Kind regards
Bottom

Down de Klerk wrote:

APEX 4.2 against APEX 5.0

Using the EPG for the test.

Accounts of the APEX

I have a small procedure that retrieves the information of users with APEX_UTIL. FETCH_USER of a session not authenticated (the user did not connect to the app yet).

APEX 4.2 I got it works by the granting of the APEX_ADMINISTRATOR_ROLE for the owner of the schema of the application.

If I use the same configuration to the APEX 5 I get the below error:

The nobody user requires ADMINISTRATOR privileges to perform this operation.

Contact your administrator for the application.

I also tried the grant execute rights on APEX_UTIL directly to the owner of the schema but no luck. In another installation with the ADR program I also tried to give the role and run rights to APEX_PUBLIC_USER, but it does not work.

If I execute direct SQL procedure * more connected as the owner of the schema it works without problem so the change is probably the user executing the statement of APEX (in a configuration of ADR, it should be APEX_PUBLIC_USER).

Can someone explain the difference of rights required between en 4.2, 5.0 or the user who is running the APEX session during the execution of APEX_UTIL procedures or point me in the direction of a solution?

It is due to changes without papers to security restrictions in the APEX 5.0. See:
It seems that the only way in which a 5.0 APEX session which is not authenticated as an administrator of the workspace can access user details using the apex_util.fetch_user is done by a convoluted workaround involving a scheduled job.

APEX_PUBLIC_USER

Similar Questions

Hello

The nobody user requires ADMINISTRATOR privileges to perform this operation.

Maybe you are looking for