Established in 2011

Combined 17 years of APEX experience

Support

Consultancy

Training

Products

Oracle Application Express Specialists

Partner

Who am I?

Requirement 3

Eoghain Anderson

Founder and Co-owner of Beezapps Ltd

Working with Oracle products for 10 years

9 years working with Oracle APEX, previously HTMLDB.

Utilise modern client script libraries like jQuery to create a rich user experience and reduce complexity.

Specifically build an interface with "central" pages with child pages opening off it as modal windows

Requirement 2

Ensure the application is as secure as possible, making full use of all Apex security features

Requirement 1

Build an Apex application with a client rich look and feel

Solution Criteria

Ensure that the checksumming of URLs is performed by the server but the navigation is handled by jQuery.

Securing Dialogs in Apex

Solution

Use all of Apex's built-in functionality to generate secure URLs but "steal" the URL values from the href attributes.

Eoghain Anderson

eoghain@beezapps.com

Run a secondary process to remap URLs

1. AFTER the page has rendered with all the checksums, modify the URLs.

2. Run a follow-up process to convert checksummed URLs to dialog calls.

Simple...

Modify the URLs in the HREF tags

Problem 1

Clean up the URLs so we are left with only the f?p url including any checksums.

i.e. no JavaScript wrapper functions

Apex uses server-generated checksums on URLs to secure page linking and prevent URL tampering.

Page linking is therefore limited to client server round trips.

Wrap the cleaned URLs

Wrap the URLs in a dialog function to run the checksummed URLs in an iframe-injected dialog window.

Problem 2

Replace the wrapped URLs

Option 1

You CANNOT generate a secure checksum

using JavaScript

Once the URLs have been wrapped in a dialog function, put them back!

We do not secure our page branching....

Open Modal dialogs to other pages using standard (non checksummed) URLs

Tidy up

Report Binding.

Make sure that when a report binds, all of its modified URLs are applied.

Functions

REJECTED!

1. jQuery selector

2. PrepareDialog()

3. showDialog()
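
The clean, wrap and replace steps from the slides above, sketched as an added example; this is not the presenter's demo code. The function names, the `showDialog(url)` signature, the `dialog-link` class and the sample hrefs in the test are assumptions, as is the policy of leaving links without a `cs=` checksum untouched.

```javascript
// Added example: pure string helpers, usable in the browser or in Node.
// Hypothetical names; showDialog(url) is assumed to open url in an iframe dialog.

// Step 1: strip any javascript: wrapper, keep only the f?p URL with its checksum.
function cleanApexUrl(href) {
  const h = String(href).trim();
  // Only bare f?p links or javascript: wrappers are candidates; absolute or
  // foreign URLs are left alone so they never load inside the dialog iframe.
  if (!/^(?:javascript:|f\?p=)/i.test(h)) return null;
  const m = /f\?p=[^'"\s)]+/.exec(h);
  // Decode &amp; left over from raw markup; change nothing else, because any
  // edit to the arguments invalidates the server-generated checksum.
  return m ? m[0].replace(/&amp;/g, '&') : null;
}

// The server appends the checksum as a cs= parameter.
function hasChecksum(url) {
  return /&cs=[^&]+/.test(url);
}

// Steps 2 and 3: wrap the cleaned URL in the dialog call and return the new href.
// Links without a checksum are returned unchanged (assumed policy, see Option 1).
function prepareDialog(href) {
  const url = cleanApexUrl(href);
  if (url === null || !hasChecksum(url)) return href;
  return "javascript:showDialog('" + url + "')";
}

// Browser wiring, assuming jQuery and a hypothetical "dialog-link" class:
//   $('a.dialog-link').attr('href', function (i, h) { return prepareDialog(h); });
```

Because `prepareDialog` returns an already wrapped href unchanged, it can be re-run whenever a report re-renders its links.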

Conclusion

Client is a defense organisation. Security is of paramount importance.

Application security and navigation using JavaScript/jQuery do not seem compatible.

Option 2

We place everything we want to open as dialogs in regions on the same page that are initially hidden, displaying them as modal windows when needed.

Function Code

For all code used in the demo please contact

Eoghain Anderson

eoghain@beezapps.com

REJECTED!

Would cause excessive complexity on a single page.

Pushing values into session so that regions could be configured to the current user and current field values would become impractical to manage.

The number of items and regions on a single page would become very difficult to manage.

Option 3

We abandon the idea of rich client navigation using dialogs and opt for a simpler, more traditional design using page-to-page navigation.

NO! NO! NO!

One of the primary requirements for the project is to modernise and simplify the interface.

A rich client interface using dialogs is not optional!