Oracle Application Express (APEX) Review

Rapidly develop public-access applications that stay stable under load

What is our primary use case?

The only feature which is useful is that it makes it easier to quickly create publicly accessible applications. We were using it to make these applications.  

We used it in addition to Forms and Report Services because Forms and Report Services at that time were client-server applications. It used to be an addition to the Oracle development environment.  

Right now I am working on two projects. One of them is using Oracle Forms and APEX.  

What is most valuable?

The valuable feature is the basic use case: it makes the process of creating publicly accessible applications easier.  

What needs improvement?

The first thing I can think of that needs to be improved with this product is that there is a problem with security. In all of the applications I saw, they stored the passwords in the configuration files. I think this is a big issue. The security module is supposed to be included in the APEX connection component, but people connect to the Oracle HTTP Server and the password goes to the HTTP server. It is using the HTTP server for the security part. We did some analysis and we figured out that we had to move to another product.  

Because security is not satisfactory, we created our own connection mechanism in ORDS. It was a better way to keep the passwords encrypted and to make access to the APEX applications a little bit more secure. But the way APEX causes applications to store the security information is a big issue and a security vulnerability. ORDS is pretty straightforward and Oracle WebLogic Server is very flexible and a very nice feature.  

Also, the Oracle application page is supposed to be able to cancel access to the application. From what we found, this is not done properly. The connection is hanging and sometimes different people who connect to the application use the same ID. This can seriously interfere with users who are already connected. These are both very bad security issues.  

There is also a disadvantage in that it is pretty hard to fix bugs in APEX. It is very tricky. Basically, the Oracle objects generate the HTML code and cast it to the HTTP server. You have to be very careful with the HTTP syntax for the sake of compatibility. Some browsers accept the code that gets generated and some browsers do not. It is very hard to debug these coding issues.  

For how long have I used the solution?

We have been using Oracle Application Express (APEX) since 2015.  

What do I think about the stability of the solution?

Applications are usually accessible by thousands of users at a time without stability issues.  

What do I think about the scalability of the solution?

You can use multiple servers and the scalability of APEX is really pretty good from an end-user standpoint.  

I do not think there is really much of a limitation on how many people can use the generated applications. This is one thing it is good at.  

Which solution did I use previously and why did I switch?

I used to work with other Oracle products like Fusion Middleware, Forms, and Reports. Since 2016, I have worked less with APEX because there are other solutions that I prefer. My experience with APEX is that it is a little limited right now. Because of that we actually moved most application development to ORDS (Oracle REST [Representational State Transfer] Data Services).  

ORDS is more efficient and easier to use. APEX is compatible with ORDS as well. The problem with APEX is mostly that I do not like to use different vendors for HTTP server and Oracle WebLogic Server. ORDS is supposed to be more of a native, all-in-one solution. So we try to use ORDS for development projects because Oracle HTTP Server is not supported anymore by Oracle and this is a problem for APEX security. You have to use a Tomcat server or something else with APEX.  

How was the initial setup?

I worked with APEX to do the initial setup and I have never set up the environment fully on my own. It is complex enough that I do not think I would want to do it without their help.  

What other advice do I have?

APEX is a pretty old application and a pretty old environment. Most people are usually trying to get rid of it rather than bringing it onboard. For anyone still considering it, I strongly suggest going to the cloud application because the general strategy of Oracle Corporation is to support applications on the cloud. There are multiple other solutions to consider from Oracle or other vendors as well.  

On a scale of one to ten where one is the worst and ten is the best, I would rate Oracle Application Express depending on the task. For some tasks, it is just perfect. You can say it would be an eight or nine-out-of-ten for quickly creating an application that does not need strong security. But for some tasks, like when you try enhancing an application, the score is pretty low. In that case, I would give the product a three or a four.  

Which deployment model are you using for this solution?

Disclosure: I am a real user, and this review is based on my own experience and opinions.

reviewer1249362 (Consultant at an energy/utilities company with 51-200 employees)

Hi reviewer1404792,

We have been using APEX since 2005 and have never encountered these strange security issues that you report. Our architecture is a little bit different, though: since our clients are on Windows, we use an IIS (Kerberos) as identification server and put the ORDS (formerly called APEX Listener) on a Tomcat directly behind the IIS. A call to an APEX application page goes first to the IIS. The user is automatically authenticated and the call is forwarded to the Tomcat/ORDS. There are no usernames/passwords needed in the process.