Wednesday, February 1, 2023

403 Forbidden Access to the procedure named: apex is denied or wwv_flow.accept is denied

403 Forbidden Access to the procedure named: apex is denied. 

Access to the procedure named: wwv_flow.accept is denied. 

Failed to load resource the server responded wwv_flow.accept

Failed to load resource: the server responded with a status of 403 (Forbidden) 
 

Background:

Oracle APEX version 20.2 (probably same for 19.2 onwards) and ORDS 17.4 and later

Apex (version 20.2) application was running fine from last 1.5 years without any issues. Before 2 days of the incident, deployed a new apex application on the same APEX instance, it is running on ORDS (18.1) which is deployed in Weblogic application server.  

Suddenly, faced above issues when tried to login in URL:port/ORDS,  user also faced Error: Forbidden. When tried to login. so totally struck everything. No one know what happened! Nothing changed!

 

Found the Cause:

After a marathon research, we found that there was a security feature in APEX (on ORDS) kicked off - "security.requestValidationFunction">wwv_flow_epg_include_modules.authorize (This is reside in file defaults.xml  on ORDS/conf location in apps server ).  Learned that, this property and DB function work as whitelisting entries. Means it activates the whitelist of callable procedures which ships with Oracle Application Express and prohibits calls to other procedures.

As per Oracle, when a database pool is configured to use the APEX_PUBLIC_USER, ORDS automatically sets or checks the value of the property security.requestValidationFunction on xml config file (ords/conf/ords/defaults.xml)    as below.

<entry key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>

<entry key="security.validationFunctionType">plsql</entry>

 

We found that database package wwv_flow_epg_include_modules  (in schema apex_200200) and function authorize is empty. So when validating this property nothing got passed to ORDS from APEX instance.  

 

Solution:  

For temporary solution,

       1) we made this property empty with this below command.

u01/ords$ java -jar ords.war set-property security.requestValidationFunction ""

2)        2) and then bounce or stop/start the ORDS service deployment in Weblogic server by login in Admin console.

OR

You may remove these two lines from this above default.xml files 

<entry key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>

<entry key="security.validationFunctionType">plsql</entry>

 Then bounce the ORDS.

 

For details:  An Oracle REST Data Services deployment configuration contains several security related parameters. In a configuration for Oracle Application Express, Oracle recommends to set the parameter security.requestValidationFunction to wwv_flow_epg_include_modules.authorize. This activates the white list of callable procedures which ships with Oracle Application Express and prohibits calls to other procedures. This can be extended using the validation functions shipped with Oracle Application Express. https://docs.oracle.com/en/database/oracle/application-express/19.2/htmdb/web-listener-security.html

 

 https://joelkallman.blogspot.com/2016/07/securing-application-express-when-using_24.html

https://www.promatis.at/en/2022/07/13/lessons-learned-while-upgrading-apex-and-ords-to-22-1/

https://oracle-base.com/articles/misc/oracle-rest-data-services-ords-database-authentication

https://forums.oracle.com/ords/apexds/post/403-forbidden-access-to-the-procedure-named-wwv-flow-accept-5111

 

 

No comments: