About Creating an Authentication Scheme from Scratch

Creating an authentication scheme from scratch gives you complete control over your authentication interface. This is the best approach for applications when any of the following is true:

Database authentication or other methods are not adequate.
You want to develop your own login form and associated methods.
You want to delegate all aspects of user authentication to external services such as Oracle 10gAS Single Sign-On.
You want to control security aspects of session management.
You want to record or audit activity at the user or session level.
You want to enforce session activity or expiry limits.
You want to program conditional one-way redirection logic before Oracle Application Express page processing.
You want to integrate your application with non-Oracle Application Express applications using a common session management framework.
Your application consists of multiple applications that operate seamlessly (for example, more than one application ID).

About Session Management Security

When running custom authentication, Oracle Application Express attempts to prevent two improper situations:

Intentional attempts by a user to access session state belonging to someone else. However, users can still type in an arbitrary application session ID into the URL.
Inadvertent access to a stale session state (probably belonging to the same user from an earlier time). This would commonly result from using bookmarks to application pages.

Oracle Application Express checks that the user identity token set by the custom authentication function matches the user identity recorded when the application session was first created. If the user has not yet been authenticated and the user identity is not yet known, the session state being accessed does not belong to someone else. These checks determine whether the session ID in the request can be used. If not, the Application Express engine redirects back the same page using an appropriate session ID.

Building a Login Page

When you create an application in Oracle Application Express, a login page is created. The alias for the page is 'LOGIN'. You can use this page as the "invalid session page" in an authentication scheme. The page is constructed with processes that call the Oracle Application Express login API to perform credentials verification and session registration.

You can also build your own login pages using the pre-built pages as models and tailoring all of the user interface and processing logic to your requirements.

To create a login page for your application:

On the Workspace home page, click the Application Builder icon.
Select an application.
Click Create Page.
Select Login Page.
Specify Login page attributes and click Create.

About Deep Linking

Deep linking refers to the ability to link to an Oracle Application Express page out of context (for example, from a hyperlink in an email or workflow notification). When you link to a page out of context and the application requires the user be authenticated, the user will be taken to the login page. After credentials verification, the Application Express engine automatically displays the page that was referenced in the original link. Deep linking is supported for applications that use authentication schemes.