Custom authentication in Apex (part 1)

6

Another word for authentication is acces control.
Authentication is the mechanism to verify the user’s identity and
provide access to a system or application based on the credentials
entered by the user. Authorization, on the other hand, says something about the degree of access granted to resources.

For
authentication, different methods exist in Apex. The most basic one is
‘no authentication’,  which is not desirable in most cases. No
authentication means ‘everyone can enter’. Not good.

The two other out-of-the-box authentication methods are Application Express and database authentication.
The first is a built-in mechanism which is customizable to a certain
degree. The second just uses the accounts present in the database to
authenticate. Mind you, only to authenticate. Any query or DML against
the database will go through the APEX_PUBLIC_USER and the schema
defined in your application. So you are not logged in to the underlying database with that database user!
Only in the application itself. There is another way, which uses the
OID or another LDAP mechanism. This is outside the scope of this post.

In fact, the only difference between the configuration of Apex and database authentication is the keyword in the Authentication Function field. If you enter -BUILTIN- here. Apex will be using Application Express authentication. Change it to -DBACCOUNT-
and Apex uses the database authentication. So the authentication
functions are built-in, but the schemes are not. They’re just
pre-configured, and that might be confusing.

More
interesting, however, is custom authentication. What you do here, is
use a database function which is called in the logon process. This
function handles the authentication for you, and returns true or false.
Because you define the function, you can be as flexible as you like: 
create your own table with application users, where you store usernames
and passwords, but also the number of invalid logins, login policies,
the users’ department and any other kind of information you might need.
Need auditing? No problem! Hook on to an existing authentication
process? Can do!

 
By now I hope you are pretty curious how this all works in detail. I’ll tell you all about it in Part 2 of this blog. Stay tuned!

Share.

About Author

6 Comments

  1. I get requests for the part 2 now and then, which was never published here. Please email me if you want some sample code (which I already did for some people). email is [ atb2623 apetail psinke dot nl ].

  2. Oscar Palacios on

    Hi, interesting but what’s the name of the custom function? Or where can I get an example?
    I need to build a custom login with user, passwords etc stored in a table, now i know the process but an example would be great!

    Thanks

  3. how to make an application without any authentication
    I want to make my application to all without any login page

    Thanks in Advance