403 Forbidden Access to the procedure named: apex is denied.
Access to the procedure named: wwv_flow.accept is denied.
Failed to load resource the server responded wwv_flow.accept
Background:
Oracle APEX version 20.2 (probably same for 19.2 onwards) and ORDS 17.4 and later
Apex (version 20.2) application was running fine from last 1.5 years without any issues. Before 2 days of the incident, deployed a new apex application on the same APEX instance, it is running on ORDS (18.1) which is deployed in Weblogic application server.
Suddenly, faced above issues when tried to login in URL:port/ORDS, user also faced Error: Forbidden. When tried to login. so totally struck everything. No one know what happened! Nothing changed!
Found the Cause:
After a marathon research, we found that there was a security feature in APEX (on ORDS) kicked off - "security.requestValidationFunction">wwv_flow_epg_include_modules.authorize (This is reside in file defaults.xml on ORDS/conf location in apps server ). Learned that, this property and DB function work as whitelisting entries. Means it activates the whitelist of callable procedures which ships with Oracle Application Express and prohibits calls to other procedures.
As per Oracle, when a database
pool is configured to use the APEX_PUBLIC_USER, ORDS automatically sets or
checks the value of the property security.
<entry key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>
<entry key="security.validationFunctionType">plsql</entry>
We found that database package wwv_flow_epg_include_modules (in schema apex_200200) and function authorize is empty. So when validating this property nothing got passed to ORDS from APEX instance.
Solution:
For temporary solution,
1) we made this property empty with this below command.
u01/ords$ java -jar ords.war set-property security.requestValidationFunction ""
2) 2) and then bounce or stop/start the ORDS service deployment in Weblogic server by login in Admin console.
OR
You may remove these two lines from this above default.xml files
<entry key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>
<entry key="security.validationFunctionType">plsql</entry>
Then bounce the ORDS.
For details: An Oracle REST Data Services deployment
configuration contains several security related parameters. In a configuration
for Oracle Application Express, Oracle recommends to set the parameter security.requestValidationFunction
to wwv_flow_epg_include_modules.authorize
.
This activates the white list of callable procedures which ships with Oracle
Application Express and prohibits calls to other procedures. This can be
extended using the validation functions shipped with Oracle Application
Express. https://docs.oracle.com/en/database/oracle/application-express/19.2/htmdb/web-listener-security.html
https://joelkallman.blogspot.com/2016/07/securing-application-express-when-using_24.html
https://www.promatis.at/en/2022/07/13/lessons-learned-while-upgrading-apex-and-ords-to-22-1/
https://oracle-base.com/articles/misc/oracle-rest-data-services-ords-database-authentication