APEX, XDB Protocol Adapter Security, Using an Apache Reverse Proxy…

If you have seen Anjo Kolk’s cool “Oracle Interface for Google Visualization API (external data source interface)” blog post, which is partly based on the Oracle XMLDB Protocol Adapter functionality, then be aware that exposing this functionality directly to the internet is at your own risk. The same applies to the OTN article referenced here: Creating Oracle Database-backed iGoogle Gadgets.

To make life a little easier, Google also created the Google Secure Data Connector (Google SDC) to make the connection to your database more secure. If applicable, you should add this extra layer of security, at least if you have the means to do so. Among other things, you need a Google Apps Premier account and must be the owner of the domain where the database resides.

If you enable HTTP access via, for example, the XDB Protocol Server with the following DBMS_XDB call:

SQL> CALL dbms_xdb.setHttpPort(8080);

this enables not only HTTP but also the WebDAV protocol server functionality, on the same port. To expose this functionality on the internet with some protection, you can put Apache in front of it as a reverse proxy that forwards only the URLs that should be reachable and rewrites them on the fly; everything else (the WebDAV repository paths, the other servlets) is answered by Apache itself and never reaches the database. According to the XMLDB development team, this is the only acceptable way to offer the Oracle XMLDB protocol server functionality on the internet.

The following is a snippet from an Apache httpd.conf configuration file that could be used for this (SSL is enabled in this example via mod_ssl, which uses OpenSSL):

Listen 443
#Server name Directive#

<VirtualHost *:443>
	#Proxy Directive#
	# Forward proxying stays off: this host only reverse-proxies the paths below.
	ProxyRequests Off
	#Apex Redirect
	# ProxyPass rules are checked in configuration order, first match wins,
	# so the longer /apex/apex_admin prefixes come before the plain /apex one.
	# Only these prefixes reach the XDB HTTP server on 127.0.0.1:8080; any
	# other path (WebDAV repository, other servlets) is served by Apache itself.
	# Source and target must agree on the trailing slash, otherwise /i/x
	# becomes /i//x on the backend.
	ProxyPass /i/ http://127.0.0.1:8080/i/
	ProxyPassReverse /i/ http://127.0.0.1:8080/i/
	# The APEX administration URLs are mapped onto the ordinary /apex path
	# instead of being forwarded as-is.
	ProxyPass /apex/apex_admin/ http://127.0.0.1:8080/apex
	ProxyPass /apex/apex_admin http://127.0.0.1:8080/apex
	ProxyPass /apex http://127.0.0.1:8080/apex
	# Rewrite Location headers and cookies the backend sends back, so that
	# redirects point at the proxy and not at 127.0.0.1:8080.
	ProxyPassReverse /apex http://127.0.0.1:8080/apex
	ProxyPassReverseCookiePath / /
	ProxyPassReverseCookieDomain / /

	#Certificate#
	SSLEngine on
	SSLCertificateKeyFile conf\domain_ssl\mysslkey.KEY
	SSLCertificateFile conf\domain_ssl\mysslcertificate.cer
</VirtualHost>

Using a reverse proxy alone is not enough to protect APEX; it only controls which URLs are forwarded and how they are rewritten. Adding SSL via OpenSSL already makes an intruder’s life a little more difficult, but you will also have to disable all default XMLDB servlets you don’t need (except APEX, of course).

My blog post “APEX Lockdown: Securing the XDB Protocol Server” shows how you can disable default XDB servlets such as the “TestServlet”, the “DBURIServlet” and the “ReportFmwkServlet”.

Disabling the XDB Repository Event mechanism in Oracle 11g also removes a way of triggering unwanted access methods through the default WebDAV protocol access, which is enabled together with the XDB HTTP Protocol Server (aka “The Local Gateway”, as it is called in the APEX manuals). Disabling WebDAV while still having HTTP access is still one of my (requested but “open”) enhancement requests…

The following statement disables the XDB protocol / repository event mechanism:

ALTER SYSTEM SET XML_DB_EVENTS = DISABLE;
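To see what the protocol server actually exposes before and after these steps, here is an added example (not code from the original post, nor from the APEX Lockdown post) that inventories the registered ports, the servlets and their URL mappings from the XDB configuration, removes one servlet you don’t need and confirms the event parameter. It assumes Oracle 11g and a session running as SYS or with the XDBADMIN role; the XPath locations inside xdbconfig.xml and the order “delete the mapping, then the servlet” for the TestServlet are my assumptions, so check them against your own DBMS_XDB.CFG_GET() output first.

```sql
-- Added example, not part of the original post: inventory what the XDB
-- protocol server exposes, then remove what APEX does not need.
-- Assumes Oracle 11g, run as SYS (or a user with the XDBADMIN role).

-- 1. Which protocol ports are registered with the listener? 0 means disabled.
SELECT DBMS_XDB.GETHTTPPORT() AS http_port,
       DBMS_XDB.GETFTPPORT()  AS ftp_port
FROM   dual;

-- 2. Every servlet defined in the XDB configuration (xdbconfig.xml).
--    On a default install expect TestServlet, DBURIServlet, ReportFmwkServlet
--    and the APEX servlet. The XPath follows the xdbconfig.xsd layout (assumed).
SELECT x.servlet_name, x.display_name
FROM   XMLTABLE(
         XMLNAMESPACES(DEFAULT 'http://xmlns.oracle.com/xdb/xdbconfig.xsd'),
         '/xdbconfig/sysconfig/protocolconfig/httpconfig/webappconfig/servletconfig/servlet-list/servlet'
         PASSING DBMS_XDB.CFG_GET()
         COLUMNS servlet_name VARCHAR2(128) PATH 'servlet-name',
                 display_name VARCHAR2(256) PATH 'display-name'
       ) x;

-- 3. Which URL patterns are mapped onto those servlets; these are the paths
--    an attacker can reach if the port is exposed without the reverse proxy.
SELECT x.servlet_pattern, x.servlet_name
FROM   XMLTABLE(
         XMLNAMESPACES(DEFAULT 'http://xmlns.oracle.com/xdb/xdbconfig.xsd'),
         '/xdbconfig/sysconfig/protocolconfig/httpconfig/webappconfig/servletconfig/servlet-mappings/servlet-mapping'
         PASSING DBMS_XDB.CFG_GET()
         COLUMNS servlet_pattern VARCHAR2(256) PATH 'servlet-pattern',
                 servlet_name    VARCHAR2(128) PATH 'servlet-name'
       ) x;

-- 4. Remove a servlet you do not need: drop its URL mapping first, then the
--    servlet definition itself (order assumed), and commit the config change.
BEGIN
  DBMS_XDB.DELETESERVLETMAPPING('TestServlet');
  DBMS_XDB.DELETESERVLET('TestServlet');
  COMMIT;
END;
/

-- 5. Confirm the repository event mechanism is off after the ALTER SYSTEM.
SELECT name, value
FROM   v$parameter
WHERE  name = 'xml_db_events';
```

Re-run steps 2 and 3 after each deletion: the servlet mapping list is the real “attack surface” of the port, and it should end up containing only the APEX servlet (and whatever you consciously decided to keep).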

All in all, don’t forget to take the standard measures to protect your database, such as protecting your listener with an admin password. If you need a refresher, have a look at Arup Nanda’s (still) great article on Oracle OTN called “Project Lockdown”.

HTH

M.
