Authentication is the process of establishing each user's identify before they can access your application. Authentication may require a user identify a user name and password or could involve the use of digital certificates or a secure key.
When you create an authentication scheme, you have the option of choosing from several preconfigured authentication schemes, copying an authentication scheme from an existing application, or creating your own custom authentication scheme.
Viewing the Authentication Scheme Associated with an Application
Changing the Authentication Scheme Associated with an Application
You determine how your application interacts with users. If all users have the same rights and privileges, they are referred to as public users. However, if your application must track each user individually, you must specify an authentication method.
Authentication establishes the identity of each user who accesses your application. Many authentication processes require that a user provide some type of credentials such as a user name and password. These credentials are then evaluated and they either pass or fail. If the credentials pass, the user has access to the application. Otherwise, access is denied.
Once a user has been identified, the Application Express engine keeps track of each user by setting the value of the built-in substitution string APP_USER
. As a user navigates from page to page, the Application Express engine sets the value of APP_USER
to identify the user. The Application Express engine uses APP_USER
as one component of a key for tracking each user's session state.
From a programming perspective, you can access APP_USER
using the following syntax:
As a bind variable from either PL/SQL or SQL:
:APP_USER
From PL/SQL packages and triggers:
V('APP_USER')
You can use APP_USER
to perform your own security checks and conditional processing. For example, suppose you created the following table:
CREATE TABLE my_security_table ( user_id VARCHAR2(30), privilege VARCHAR2(30));
Once created, you could populate this table with user privilege information and then use it to control the display of pages, tabs, navigation bars, buttons, regions, or any other control or component.
As you create your application, you must determine whether to include authentication. You can:
Choose to not require authentication. Oracle Application Express does not check any user credentials. All pages of your application are accessible to all users.
Select a built-in authentication scheme. Create an authentication method based on available preconfigured authentication schemes. Depending on which scheme you choose, you may also have to configure the corresponding components of Oracle 10giAS, Oracle Internet Directory, or other external services. See "Creating a Preconfigured Authentication Schemes" and "Changing the Authentication Scheme Associated with an Application".
Create custom authentication scheme. Create a custom authentication method to have complete control over the authentication interface. To implement this approach, you must provide a PL/SQL function the Application Express engine executes before processing each page request. This function's Boolean return value determines whether the Application Express engine processes the page normally or displays a failure page. See "Creating an Authorization Scheme".
To create an authentication scheme:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
The Authentication Schemes page appears.
You can customize the appearance the page using the Search bar at the top of the page. Available controls include:
Select columns to search - Resembles a magnifying glass. Click this icon to narrow your search. To search all columns, select All Columns.
Text area - Enter case insensitive search criteria (wildcard characters are implied) to search for items by name and then click Go.
Go button - Executes a search or applies a filter.
View Icons - Displays each scheme as a large icon. To edit a scheme, click the appropriate icon.
View Report - Displays each scheme as a line in a report. To edit a scheme, click the Edit icon.
Actions menu - Use the Actions menu to customize the report view. See "About the Actions Menu".
To create a new authentication scheme, click Create.
Specify how the scheme should be created by selecting one of the following:
Based on a pre-configured scheme from the gallery. See "Creating a Preconfigured Authentication Schemes" and "Custom Authentication".
As a copy of an existing authentication scheme.
Follow the on-screen instructions.
When you create an authentication scheme from the gallery you can select a preconfigured authentication scheme which follows a standard behavior for authentication and session management. Note that if you create a new authentication scheme, it automatically becomes the current authentication scheme for the selected application. This section describes all preconfigured authentication schemes that ship with Oracle Application Express.
Tip:
Authentication schemes support plug-ins. To learn more, see "Implementing Plug-ins".Application Express Accounts are user accounts that are created within and managed in the Oracle Application Express user repository. When you use this method, your application is authenticated against these accounts.
See Also:
"Managing Application Express Users" in Oracle Application Express Administration GuideApplication Express Accounts is a good solution when:
You want control of the user account repository
User name and password-based approach to security is sufficient
You do not need to integrate into a single sign-on framework
This is an especially good approach when you must get a group of users up and running on a new application quickly.
To set up Application Express Accounts:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select Application Express Accounts.
Click Create.
Creating an authentication scheme from scratch gives you complete control over your authentication interface. This is the best approach for applications when any of the following is true:
Database authentication or other methods are not adequate.
You want to develop your own login form and associated methods.
You want to control security aspects of session management.
You want to record or audit activity at the user or session level.
You want to enforce session activity or expiry limits.
You want to program conditional one-way redirection logic before Oracle Application Express page processing.
You want to integrate your application with non-Oracle Application Express applications using a common session management framework.
Your application consists of multiple applications that operate seamlessly (for example, more than one application ID).
Tip:
If you are planning on using the same authentication scheme for multiple applications, consider writing a custom authentication plug-in. To learn more, see "Implementing Plug-ins".To create a custom authentication scheme:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select Custom.
Fill in the appropriate fields.
To learn more about a specific field, see item Help.
When help is available, the cursor changes to an arrow and question mark when you pass the cursor over an item. See "About Field-Level Help".
Click Create.
When running custom authentication, Oracle Application Express attempts to prevent two improper situations:
Intentional attempts by a user to access session state belonging to someone else. However, users can still type in an arbitrary application session ID into the URL.
Inadvertent access to a stale session state (probably belonging to the same user from an earlier time). This would commonly result from using bookmarks to application pages.
Oracle Application Express checks that the user identity token set by the custom authentication function matches the user identity recorded when the application session was first created. If the user has not yet been authenticated and the user identity is not yet known, the session state being accessed does not belong to someone else. These checks determine whether the session ID in the request can be used. If not, the Application Express engine redirects back the same page using an appropriate session ID.
When you create an application in Oracle Application Express, a login page is created. The alias for the page is 'LOGIN'
. You can use this page as the "invalid session page" in an authentication scheme. The page is constructed with processes that call the Oracle Application Express login API to perform credentials verification and session registration.
You can also build your own login pages using the pre-built pages as models and tailoring all of the user interface and processing logic to your requirements.
To create a login page for your application:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Create Page.
Select Login Page.
Specify Login page attributes and click Create.
Deep linking refers to the ability to link to an Oracle Application Express page out of context (for example, from a hyperlink in an email or workflow notification). When you link to a page out of context and the application requires the user be authenticated, the user is taken to the login page. After credentials verification, the Application Express engine automatically displays the page that was referenced in the original link. Deep linking is supported for applications that use authentication schemes.
Database Account Credentials utilizes database schema accounts. This authentication scheme requires that a database user (schema) exist in the local database. When using this method, the user name and password of the database account is used to authenticate the user.
Database Account Credentials is a good choice if having one database account for each named user of your application is feasible and account maintenance using database tools meets your needs
To set up Database Account Credentials:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select Database Accounts.
Click Create.
HTTP Header Variable supports the use of header variables to identify a user and to create an Application Express user session. Use this authentication scheme if your company employs a centralized web authentication solution like Oracle Access Manager which provides single sign-on across applications and technologies. User credential verification is performed by these systems and they pass the user's name to Oracle Application Express using a HTTP header variable such as "REMOTE_USER" (which is the default).
To set up HTTP Header Variable:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select HTTP Header Variable.
Fill in the appropriate fields.
To learn more about a specific field, see item Help.
When help is available, the cursor changes to an arrow and question mark when you pass the cursor over an item. See "About Field-Level Help".
Click Create.
You can configure any authentication scheme that uses a login page to use Lightweight Directory Access Protocol (LDAP) to verify the user name and password submitted on the login page.
Application Builder includes wizards and edit pages that explain how to configure this option. These wizards assume that an LDAP directory accessible to your application for this purpose already exists and that it can respond to a SIMPLE_BIND_S
call for credentials verification. When you create an LDAP Credentials authentication scheme, the wizard requests and saves the LDAP host name, LDAP port, DN string, and determines whether to use SSL, exact DN, and optionally a search filter if not using exact DN. An optional preprocessing function can be specified to adjust formatting of the user name passed to the API.
To set up LDAP Directory:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select LDAP Directory.
Under Settings:
Host - Enter the hostname of your LDAP directory server.
Port - Enter the port number of your LDAP directory host. The default is 389.
Use SSL - Choose whether to use SSL to bind to the LDAP directory. If SSL with Authentication is chosen, a wallet must be configured for the Application Express instance.
Distinguished Name (DN) String - Enter the pattern used to construct the fully qualified distinguished name (DN) string to DBMS_LDAP.SIMPLE_BIND_S
if using exact DN or the search base if using non-exact DN. Use %LDAP_USER%
as a placeholder for the username. For example:
Exact DN:
cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com
Non-Exact DN (Search Base):
Non-Exact DN (Search Base)
Use Distinguished Name (DN) - Choose whether the LDAP Distinguished Name (DN) String is exact or non-exact. If non-exact, LDAP Distinguished Name (DN) is the search base and you must supply a Search Filter.
LDAP Username Edit Function - You may provide additional code to be executed to transform the username into a format perfectly suited to the LDAP directory entry or LDAP username. The bind variable :USERNAME
contains the name the end user specified. For example, the following code calls a function which replaces all periods (.
) with underscores (_) in the DN string:
return apex_custom_auth.ldap_dnprep(p_username => :USERNAME);
Username Escaping - Choose how Oracle Application Express escapes special characters in %LDAP_USER%
. The correct value for this attribute depends on the used LDAP server and whether a LDAP Username Edit Function already escapes special characters.
To learn more about a specific field, see item Help.
When help is available, the cursor changes to an arrow and question mark when you pass the cursor over an item. See "About Field-Level Help".
Click Create.
Note:
If you choose SSL with Authentication as the SSL mode, a wallet must be set up using the Oracle Application Express instance settings. Additionally, the root certification from the LDAP server must be imported into that wallet as a trusted certificate. See "Configuring Wallet Information" in Oracle Application Express Administration Guide and "Using Oracle Wallet Manager" in Oracle Database Advanced Security Guide.Database Access Descriptor (DAD) database authentication uses the Oracle database native authentication and user mechanisms to authenticate users using a basic authentication scheme. This authentication scheme gets the user name from the DAD either as the value stored in the DAD configuration or, if the account information is not stored in the DAD configuration, as the user name captured using the basic authentication challenge.
To use DAD credentials verification:
Each application user must have a user account in the Oracle database.
You must configure a PL/SQL DAD for basic authentication (without account information).
This results in one user name/password challenge for browser session for your application users. The user identity token is then made available in the APP_USER
item.
DAD database authentication is useful when you must implement an authentication method that requires minimal setup for a manageable number of users. Ideally these users would have self-managed accounts in the database and your use of this authentication method would be short lived (for example, during the demonstration or prototyping stages of development).
The main drawback of this approach is burdensome account maintenance, especially if users do not administer their own passwords, or if their database accounts exist only to facilitate authentication to your application.
To set up DAD Credentials Verification:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select No Authentication (using DAD).
Click Create.
Open Door Credentials enables anyone to access your application using a built-in login page that captures a user name. This authentication method is useful during application development.
To set up Open Door Credentials:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select Open Door Credentials.
Click Create.
Oracle Application Server Single Sign-On verification delegates authentication to the Oracle AS Single Sign-On (SSO) Server. To use this authentication scheme, your site must have been registered as a partner application with the SSO server.
Oracle Application Express applications can operate as partner applications with Oracle Application Server's Single Sign-On (SSO) infrastructure. You must register your application (or register the Application Express engine) as the partner application by following the Oracle Application Server instructions for registering partner applications and install the Oracle 9iAS SSO Software Developer Kit (SDK).
If you choose this approach, your application will not use an integrated login page. Instead, when a user accesses your application in a new browser session, the Application Express engine redirects to the Single Sign-On login page. After the user is authentication by SSO, the SSO components redirect back to your application, passing the user identity and other information to the Application Express engine. The user can then continue to use the application until they log off, terminate their browser session, or until some other session-terminating event occurs.
To set up Oracle Application Server Single Sign-On:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
On the Authentication Schemes page, click Create.
Select Based on a pre-configured scheme from the gallery and click Next.
Under Name:
Name - Enter the name used to reference the authentication scheme by other application developers.
Scheme Type - Select Oracle Application Server Single Sign-On.
Fill in the appropriate fields.
To learn more about a specific field, see item Help.
When help is available, the cursor changes to an arrow and question mark when you pass the cursor over an item. See "About Field-Level Help".
Click Create.
Once created, available authentication schemes display in the Authentication Schemes Repository.
To navigate to the Authentication Schemes Repository:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
You can customize the appearance the page using the Search bar at the top of the page. Available controls include:
Select columns to search - Resembles a magnifying glass. Click this icon to narrow your search. To search all columns, select All Columns.
Text area - Enter case insensitive search criteria (wildcard characters are implied) to search for items by name and then click Go.
Go button - Executes a search or applies a filter.
View Icons - Displays each scheme as a large icon. To edit a scheme, click the appropriate icon.
View Report - Displays each scheme as a line in a report. To edit a scheme, click the Edit icon.
Actions menu - Use the Actions menu to customize the report view. See "About the Actions Menu".
To edit a specific authentication scheme as a report, click the Edit icon the to the left of the authentication scheme name.
The Authentication Scheme page appears.
To learn more about a specific field, see item Help.
When help is available, the cursor changes to an arrow and question mark when you pass the cursor over an item. See "About Field-Level Help".
Edit the appropriate attributes and click Apply Changes.
To view the current authentication scheme for an application:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
Under Security, click Security Attributes.
Locate the Authentication section. The current authentication scheme displays next to Authentication Scheme.
To edit the Authentication Scheme, Define Authentication Schemes.
To change the authentication scheme for an application:
Navigate to the Authentication Schemes:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authentication Schemes.
Click the Edit icon adjacent to the authentication scheme you want to activate.
The Create/Edit page appears.
Click Make Current Scheme.
To view authentication scheme reports:
On the Workspace home page, click the Application Builder icon.
Select an application.
On the Application home page, click Shared Components.
The Shared Components page appears.
Under Security, select Authorization Schemes.
Click the appropriate tab at the top of the page:
Subscription
History