Authentication and Authorization
Authentication and authorization are the two fundamental controls for securing web and mobile applications. Authentication verifies who a user is; authorization decides what that user may access once identified. Authentication is the gatekeeper that confirms identity, while authorization establishes the permissions and restrictions that apply to specific resources. This tutorial introduces the authentication methods available in Oracle APEX and shows how to implement an authentication scheme.
How to Secure an APEX Application?
- After you create an application, you need to ensure that only authorized users can access it and that everyone else is kept out.
- The first step in securing a web application is identifying the user. The login page, with its username and password fields, is the entry point to the application; only if the login succeeds is the user allowed in. Confirming a user's identity before granting access is called authentication.
- Once a user is logged in, the next question is what that user may do: can they open a given page, or see and use a given page component? Authorization covers this part of application security: it grants or denies access to specific pages and components based on the user's privileges, and it is enforced on the server, so it cannot be bypassed by hiding or editing page elements in the browser.
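As an added example (not code from the original tutorial) of how an authorization decision is expressed in APEX, the following PL/SQL defines a role table and a function that an authorization scheme of type PL/SQL Function Returning Boolean can call. The app_user_roles table, the has_role function and the sample rows are assumptions constructed for this example; APP_USER and the public user name nobody are APEX's own.

```plsql
-- Added example, not the tutorial's own code. Table, column and function
-- names are assumptions made for illustration.
CREATE TABLE app_user_roles (
  username  VARCHAR2(255) NOT NULL,
  role_name VARCHAR2(30)  NOT NULL,
  CONSTRAINT app_user_roles_pk PRIMARY KEY (username, role_name)
);

-- Constructed sample data: one administrator, two editors.
INSERT INTO app_user_roles VALUES ('ALICE@EXAMPLE.COM', 'ADMIN');
INSERT INTO app_user_roles VALUES ('ALICE@EXAMPLE.COM', 'EDITOR');
INSERT INTO app_user_roles VALUES ('BOB@EXAMPLE.COM',   'EDITOR');
COMMIT;

-- TRUE when the user holds the role; comparisons are normalised to upper
-- case so 'alice@example.com' and 'ALICE@EXAMPLE.COM' are the same user.
CREATE OR REPLACE FUNCTION has_role (
  p_username IN VARCHAR2,
  p_role     IN VARCHAR2
) RETURN BOOLEAN
AS
  l_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO l_count
    FROM app_user_roles
   WHERE username  = UPPER(p_username)
     AND role_name = UPPER(p_role);
  RETURN l_count > 0;
END has_role;
/

-- Body of an authorization scheme (type: PL/SQL Function Returning Boolean),
-- for example one named "Is Administrator". APEX exposes the authenticated
-- user's login name as APP_USER in session state; unauthenticated sessions
-- carry the placeholder name 'nobody'. Deny by default.
BEGIN
  IF :APP_USER IS NULL OR :APP_USER = 'nobody' THEN
    RETURN FALSE;
  END IF;
  RETURN has_role(:APP_USER, 'ADMIN');
END;
```

Create the scheme under Shared Components, Authorization Schemes, paste the final block as its PL/SQL function body, then attach the scheme to each protected page and also to the buttons and processes that perform the privileged action: hiding a button only changes what is rendered, and a process without its own authorization scheme can still be submitted. By default APEX evaluates an authorization scheme once per session and caches the result, so a role revoked in the table takes effect at the next login unless the scheme's Evaluation Point is set to Once per page view.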
User Identity Through Authentication
- Authentication identifies each user and checks their credentials before they are allowed into an application.
- The credentials are usually a username and password, but a scheme may also rely on digital certificates, a secure key, or a token issued by an external identity provider.
- Pages that do not require authentication are public: every public visitor has the same rights, and APEX identifies all of them with the placeholder user name nobody.
- The APEX engine stores the authenticated user's login name in the APP_USER session-state item, which is available as :APP_USER in SQL and PL/SQL and as &APP_USER. in page text.
- Most authentication schemes require a username and password. The scheme evaluates them and either passes, which opens the session, or fails, which denies access to the application.
Choosing an Authentication Method
In APEX, you choose one of three approaches to authentication:
- a built-in (pre-configured) authentication scheme
- a custom authentication scheme backed by your own PL/SQL
- no authentication, for an application whose pages are all public
Preconfigured Authentication Schemes
APEX ships with pre-configured scheme types that cover the common cases, including Oracle APEX Accounts, Database Accounts, LDAP Directory, Social Sign-In (OpenID Connect/OAuth2), SAML Sign-In, HTTP Header Variable, Open Door Credentials and No Authentication. Custom Authentication is the type to pick when the credentials live in your own tables.
Creating an Oracle APEX Account
- Use the following URL to sign up for an Oracle APEX account:
https://apex.oracle.com/en/learn/getting-started/
- After signing up, you are redirected to the Oracle APEX login page.
How to Create an Authentication Scheme
- Create an application in the App Builder.
- When you run the newly created application, it renders the login page by default.
- The default scheme is Oracle APEX Accounts, so you must enter an Oracle APEX workspace account username and password to access the application.
- To create a new authentication scheme, go to Shared Components, Authentication Schemes and click Create. There are two approaches: base the scheme on a pre-configured scheme from the gallery, or copy an existing scheme.
- Enter the essential details, such as the name and the authentication scheme type, and for Custom the name of the PL/SQL authentication function.
- PL/SQL source for a custom authentication function. APEX calls the function named in the scheme's Authentication Function Name with the username and password entered on the login page, and the function must return TRUE to allow the login and FALSE to deny it:
FUNCTION custom_auth (p_username IN VARCHAR2, p_password IN VARCHAR2)
  RETURN BOOLEAN
AS
  l_dummy NUMBER;
BEGIN
  -- Use the parameters APEX passes in; page items such as :P9999_USERNAME
  -- are not visible to a function stored in the database.
  -- Quoted identifiers are case-sensitive, so "db_users" must match the
  -- table exactly as it was created.
  SELECT 1
    INTO l_dummy
    FROM "db_users"
   WHERE "email"       = p_username
     AND "current_pwd" = p_password;  -- plaintext comparison: store a salted hash in production
  RETURN TRUE;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN FALSE;
END custom_auth;
- Select the custom authentication scheme as the current scheme. Only the current scheme is used at run time; the others remain defined but inactive.
- Log in with credentials stored in the custom table. With the function above, the login succeeds only when a matching row is found.
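The function above accepts a password only if it matches a plaintext column, so anyone who can read the table, or a backup of it, has every user's password. The following is an added example, not part of the original tutorial, of the same custom authentication function rewritten to compare against a per-user salted hash. It reuses the page's db_users and email names, created here as ordinary unquoted identifiers; the pwd_salt, pwd_hash and is_locked columns, the hash_password and set_password routines and the iteration count are assumptions made for the example, and the schema needs EXECUTE on DBMS_CRYPTO.

```plsql
-- Added example, not the tutorial's own code. Column names other than
-- email, the helper routines and the iteration count are assumptions.
CREATE TABLE db_users (
  email     VARCHAR2(255) NOT NULL PRIMARY KEY,
  pwd_salt  RAW(16)       NOT NULL,
  pwd_hash  RAW(32)       NOT NULL,
  is_locked CHAR(1) DEFAULT 'N' NOT NULL
);

-- Iterated SHA-256 over salt || password. The loop only makes brute force
-- more expensive than a single hash; a dedicated password KDF (PBKDF2,
-- bcrypt, Argon2) is preferable where one is available.
CREATE OR REPLACE FUNCTION hash_password (
  p_password IN VARCHAR2,
  p_salt     IN RAW
) RETURN RAW
AS
  l_digest RAW(32);
BEGIN
  l_digest := DBMS_CRYPTO.HASH(
                UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
                DBMS_CRYPTO.HASH_SH256);
  FOR i IN 1 .. 50000 LOOP
    l_digest := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_digest), DBMS_CRYPTO.HASH_SH256);
  END LOOP;
  RETURN l_digest;
END hash_password;
/

-- Called when an account is created or its password changes: a fresh
-- random salt is drawn every time, so equal passwords get different hashes.
CREATE OR REPLACE PROCEDURE set_password (
  p_email    IN VARCHAR2,
  p_password IN VARCHAR2
) AS
  l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
BEGIN
  MERGE INTO db_users u
  USING (SELECT LOWER(p_email) AS email FROM dual) s
     ON (u.email = s.email)
   WHEN MATCHED THEN UPDATE
        SET u.pwd_salt = l_salt, u.pwd_hash = hash_password(p_password, l_salt)
   WHEN NOT MATCHED THEN INSERT (email, pwd_salt, pwd_hash)
        VALUES (s.email, l_salt, hash_password(p_password, l_salt));
END set_password;
/

-- Authentication function referenced from the Custom scheme. APEX passes the
-- login page's username and password as the two parameters.
CREATE OR REPLACE FUNCTION custom_auth (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN
AS
  l_salt   RAW(16);
  l_hash   RAW(32);
  l_locked db_users.is_locked%TYPE;
BEGIN
  SELECT pwd_salt, pwd_hash, is_locked
    INTO l_salt, l_hash, l_locked
    FROM db_users
   WHERE email = LOWER(p_username);

  IF l_locked = 'Y' THEN
    RETURN FALSE;
  END IF;
  -- UTL_RAW.COMPARE returns 0 when the two RAW values are identical.
  RETURN UTL_RAW.COMPARE(hash_password(p_password, l_salt), l_hash) = 0;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- Unknown user: still run the hash so the response time does not reveal
    -- whether the e-mail address exists, then deny.
    l_hash := hash_password(p_password, DBMS_CRYPTO.RANDOMBYTES(16));
    RETURN FALSE;
END custom_auth;
/
```

Register custom_auth as the Authentication Function Name of the Custom scheme and create accounts with set_password. Every failure path (locked account, unknown user, wrong password) returns FALSE, and the unknown-user branch costs the same as a real check, so an attacker cannot enumerate valid e-mail addresses from login timing.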
Conclusion
To ensure the security of an Oracle APEX application, authentication confirms users’ identities, while authorization manages access to pages or components based on user roles. APEX offers built-in and custom authentication options, allowing developers to choose the best method for restricting access to only authorized application users.