20.4.3.2 Custom Authentication
Creating a Custom Authentication scheme from scratch to have complete control over your authentication interface.
20.4.3.2.1 About Custom Authentication
Custom Authentication is the best approach for applications when any of the following is true:
- Database authentication or other methods are not adequate.
- You want to develop your own login form and associated methods.
- You want to control security aspects of session management.
- You want to record or audit activity at the user or session level.
- You want to enforce session activity or expiry limits.
- You want to program conditional one-way redirection logic before Oracle Application Express page processing.
- You want to integrate your application with non-Oracle Application Express applications using a common session management framework.
- Your application consists of multiple applications that operate seamlessly (for example, more than one application ID).
Tip:
If you are planning on using the same authentication scheme for multiple applications, consider writing a custom authentication plug-in. See "Implementing Plug-ins."
20.4.3.2.2 Setting Up Custom Authentication
To create a custom authentication scheme:
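The step-by-step procedure is not reproduced on this page. What the developer supplies for a Custom scheme is an authentication function with the signature the scheme expects, plus optional post-authentication logic. The following is an added example, not code from the Oracle Application Express documentation: a package exposing a function for the scheme's "Authentication Function Name" (salted SHA-256 password check with account lockout and a constant-work path for unknown usernames) and a procedure for its "Post-Authentication Procedure Name" that records each login against the session. The tables APP_USERS and APP_LOGIN_AUDIT and the package name APP_AUTH are assumptions; the owning schema needs EXECUTE on SYS.DBMS_CRYPTO. Session creation, the APP_SESSION value and the identity check described under "About Session Management Security" are all done by the engine, not by this code.

```sql
-- Added example; not code from the Oracle Application Express documentation.
-- Assumed objects: APP_USERS, APP_LOGIN_AUDIT and the package APP_AUTH.
-- The schema that owns APP_AUTH needs EXECUTE on SYS.DBMS_CRYPTO.

create table app_users (
  username      varchar2(128) primary key,
  password_salt raw(16)  not null,
  password_hash raw(32)  not null,            -- SHA-256 over salt || password
  is_locked     char(1)  default 'N' not null
);

create table app_login_audit (
  username         varchar2(128) not null,
  apex_session_id  number        not null,
  login_at         timestamp     not null
);

create or replace package app_auth as
  -- Signature the Custom scheme expects for "Authentication Function Name".
  function  authenticate (p_username in varchar2, p_password in varchar2)
    return boolean;
  -- Runs once after a successful login when registered as the scheme's
  -- "Post-Authentication Procedure Name"; used here to audit per session.
  procedure post_auth;
  -- Convenience for provisioning accounts with a fresh random salt.
  procedure add_user (p_username in varchar2, p_password in varchar2);
end app_auth;
/

create or replace package body app_auth as

  -- Single salted SHA-256, kept short for the example. A production scheme
  -- should use an iterated or memory-hard password hash instead.
  function hash_password (p_salt in raw, p_password in varchar2) return raw is
  begin
    return dbms_crypto.hash(
             src => utl_raw.concat(p_salt, utl_raw.cast_to_raw(p_password)),
             typ => dbms_crypto.hash_sh256);
  end hash_password;

  -- Usernames are stored and compared upper-cased so login is
  -- case-insensitive; drop upper() for case-sensitive names.
  procedure add_user (p_username in varchar2, p_password in varchar2) is
    l_salt raw(16) := dbms_crypto.randombytes(16);
  begin
    insert into app_users (username, password_salt, password_hash)
    values (upper(p_username), l_salt, hash_password(l_salt, p_password));
  end add_user;

  function authenticate (p_username in varchar2, p_password in varchar2)
    return boolean is
    l_salt   app_users.password_salt%type;
    l_hash   app_users.password_hash%type;
    l_locked app_users.is_locked%type;
  begin
    select password_salt, password_hash, is_locked
      into l_salt, l_hash, l_locked
      from app_users
     where username = upper(p_username);

    -- Locked accounts fail even with the right password.
    if l_locked = 'Y' then
      return false;
    end if;
    return l_hash = hash_password(l_salt, p_password);
  exception
    when no_data_found then
      -- Unknown user: hash anyway so response time does not reveal
      -- whether the username exists, then fail.
      l_hash := hash_password(utl_raw.cast_to_raw('0123456789abcdef'), p_password);
      return false;
  end authenticate;

  procedure post_auth is
  begin
    -- APP_USER and APP_SESSION are populated by the engine once login succeeds.
    insert into app_login_audit (username, apex_session_id, login_at)
    values (v('APP_USER'), to_number(v('APP_SESSION')), systimestamp);
  end post_auth;

end app_auth;
/
```

Point the scheme's authentication function attribute at APP_AUTH.AUTHENTICATE and the post-authentication attribute at APP_AUTH.POST_AUTH. The function returns only TRUE or FALSE and never raises to the login page, so an attacker learns nothing beyond "login failed"; the audit row keyed by APEX session ID gives you the per-session record the criteria above call for.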
20.4.3.2.3 About Session Management Security
When running custom authentication, Oracle Application Express attempts to prevent two improper situations:
- Intentional attempts by a user to access session state belonging to someone else. A user can still type an arbitrary application session ID into the URL; the checks below determine whether that session ID is honored.
- Inadvertent access to stale session state (probably belonging to the same user from an earlier time). This commonly results from using bookmarks to application pages.
Oracle Application Express checks that the user identity token set by the custom authentication function matches the user identity recorded when the application session was first created. If the user has not yet been authenticated, no identity has been recorded for the session, so there is no other owner whose state could be exposed and the check passes. These checks determine whether the session ID in the request can be used. If it cannot, the Application Express engine redirects back to the same page with an appropriate session ID.