Custom authentication in Apex (part 1)
Another word for authentication is acces control.
Authentication is the mechanism to verify the user’s identity and
provide access to a system or application based on the credentials
entered by the user. Authorization, on the other hand, says something about the degree of access granted to resources.
authentication, different methods exist in Apex. The most basic one is
‘no authentication’, which is not desirable in most cases. No
authentication means ‘everyone can enter’. Not good.
The two other out-of-the-box authentication methods are Application Express and database authentication.
The first is a built-in mechanism which is customizable to a certain
degree. The second just uses the accounts present in the database to
authenticate. Mind you, only to authenticate. Any query or DML against
the database will go through the APEX_PUBLIC_USER and the schema
defined in your application. So you are not logged in to the underlying database with that database user!
Only in the application itself. There is another way, which uses the
OID or another LDAP mechanism. This is outside the scope of this post.
In fact, the only difference between the configuration of Apex and database authentication is the keyword in the Authentication Function field. If you enter -BUILTIN- here. Apex will be using Application Express authentication. Change it to -DBACCOUNT-
and Apex uses the database authentication. So the authentication
functions are built-in, but the schemes are not. They’re just
pre-configured, and that might be confusing.
interesting, however, is custom authentication. What you do here, is
use a database function which is called in the logon process. This
function handles the authentication for you, and returns true or false.
Because you define the function, you can be as flexible as you like:
create your own table with application users, where you store usernames
and passwords, but also the number of invalid logins, login policies,
the users’ department and any other kind of information you might need.
Need auditing? No problem! Hook on to an existing authentication
process? Can do!
By now I hope you are pretty curious how this all works in detail. I’ll tell you all about it in Part 2 of this blog. Stay tuned!