403 Forbidden Access to the procedure named: apex is denied.
Access to
the procedure named: wwv_flow.accept is denied.
Failed to load resource the server responded wwv_flow.accept
Failed to load resource: the server responded with a status
of 403 (Forbidden)
Background:
Oracle APEX version 20.2 (probably same for 19.2 onwards) and
ORDS 17.4 and later
Apex (version 20.2) application was running fine from last 1.5
years without any issues. Before 2 days of the incident, deployed a new apex application on the same APEX
instance, it is running on ORDS (18.1) which is deployed in Weblogic
application server.
Suddenly, faced above issues when tried to login in URL:port/ORDS,
user also faced Error: Forbidden. When tried to login. so totally struck
everything. No one know what happened! Nothing changed!
Found the Cause:
After a marathon research, we found that there was a
security feature in APEX (on ORDS) kicked off - "security.requestValidationFunction">wwv_flow_epg_include_modules.authorize
(This is reside in file defaults.xml on ORDS/conf location in apps server ). Learned that, this property and DB function
work as whitelisting entries. Means it activates the whitelist of callable
procedures which ships with Oracle Application Express and prohibits calls to
other procedures.
As per Oracle, when a database
pool is configured to use the APEX_PUBLIC_USER, ORDS automatically sets or
checks the value of the property security.requestValidationFunction on xml
config file (ords/conf/ords/defaults.xml) as
below.
<entry
key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>
<entry
key="security.validationFunctionType">plsql</entry>
We found that database package wwv_flow_epg_include_modules
(in schema apex_200200) and function authorize
is empty. So when validating this property nothing got passed to ORDS
from APEX instance.
Solution:
For temporary solution,
1) we made this property empty with this below
command.
u01/ords$ java -jar ords.war set-property security.requestValidationFunction ""
2) 2) and then bounce or stop/start the ORDS
service deployment in Weblogic server by login in Admin console.
OR
You may remove these two lines
from this above default.xml files
<entry
key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>
<entry
key="security.validationFunctionType">plsql</entry>
Then bounce the ORDS.
For details: An Oracle REST Data Services deployment
configuration contains several security related parameters. In a configuration
for Oracle Application Express, Oracle recommends to set the parameter security.requestValidationFunction
to wwv_flow_epg_include_modules.authorize
.
This activates the white list of callable procedures which ships with Oracle
Application Express and prohibits calls to other procedures. This can be
extended using the validation functions shipped with Oracle Application
Express. https://docs.oracle.com/en/database/oracle/application-express/19.2/htmdb/web-listener-security.html
https://joelkallman.blogspot.com/2016/07/securing-application-express-when-using_24.html
https://www.promatis.at/en/2022/07/13/lessons-learned-while-upgrading-apex-and-ords-to-22-1/
https://oracle-base.com/articles/misc/oracle-rest-data-services-ords-database-authentication
https://forums.oracle.com/ords/apexds/post/403-forbidden-access-to-the-procedure-named-wwv-flow-accept-5111