Search This Blog

Monday, July 7, 2025

No Authentication (Using DAD) in Oracle APEX

 

Introduction
No Authentication using DAD (Database Access Descriptor) in Oracle APEX allows applications to operate without prompting users for login credentials. This approach is commonly used for public-facing websites or internal applications where open access is required. When configured with a DAD, the Oracle HTTP Server or Oracle REST Data Services handles the connection and security outside of APEX, enabling seamless access while simplifying user experience by eliminating the login step.

No Authentication using DAD (Database Access Descriptor) in Oracle APEX means that the application itself does not perform any user authentication. Instead, authentication and access control are handled outside of APEX, typically by the Oracle HTTP Server (OHS) or Oracle REST Data Services (ORDS) using a DAD configuration. This setup is useful for public websites or internal tools where users do not need to log in or when a separate system manages security.

To set this up, first ensure your Oracle HTTP Server or ORDS is configured with a DAD that points to your Oracle database. A DAD defines connection details such as the database service name, connection pooling, and security settings. When a request comes through the DAD, the web server or ORDS manages the connection to the database and handles any authentication required.

In Oracle APEX, go to Shared Components > Authentication Schemes and create a new scheme. Choose No Authentication (using DAD) from the options. Give it a meaningful name such as “Public Access via DAD.” This tells APEX that it should not prompt users for credentials and will trust that the environment handles authentication or that none is needed.

With this scheme active, users accessing your application will not see a login page; instead, they will gain immediate access to the application’s pages. This is ideal for public-facing applications like product catalogs, documentation sites, or dashboards that do not require user-specific data protection.

Because APEX does not manage authentication, you must rely on your web server, network security, or firewall rules to protect sensitive data. It’s important to ensure that unauthorized users cannot access data they should not see. If your environment requires any form of access control, implement it at the server or network layer.

You can still use APEX authorization schemes to control which parts of the application users can see, but these must be based on other factors since there is no authenticated username in session. For example, authorization can be based on IP addresses, tokens, or custom logic embedded in your application.

If later you want to add authentication, you can switch the authentication scheme back to one of the built-in methods or a custom authentication scheme without changing the application structure significantly.

Using No Authentication with DAD is a simple way to deliver APEX applications without login friction while offloading security responsibilities to infrastructure components. It streamlines access but requires careful planning to ensure overall system security and data protection.

DAD (Database Access Descriptor) authentication leverages Oracle Database's native authentication to verify users. This method uses basic authentication, where credentials are provided via an HTTP authentication challenge or retrieved from the DAD configuration.

DAD authentication can be useful in scenarios requiring quick setup and minimal configuration, such as prototyping, demonstrations, or small-scale applications. However, it may not be suitable for long-term use due to manual account maintenance requirements.

How DAD Authentication Works

  • User Credentials Source:
    • If user credentials are stored in the DAD configuration, APEX retrieves them automatically.
    • If credentials are not stored, the user is prompted to enter a username and password through the browser's basic authentication dialog.
  • User Identification in APEX:
    • The authenticated username is stored in APP_USER, which can be used for session tracking and authorization.
  • Session Behavior:
    • APEX prompts the user for credentials once per browser session.
    • Once authenticated, the user's identity remains valid throughout the session.

 Requirements for Using DAD Authentication

  1. Oracle Database Accounts:
    • Each application user must have a corresponding Oracle database user account.
  1. PL/SQL DAD Configuration:
    • A PL/SQL Database Access Descriptor (DAD) must be set up for basic authentication.
    • The DAD should be configured without storing user credentials, allowing authentication to occur at runtime.

 Setting Up DAD Authentication in Oracle APEX

To configure an authentication scheme using DAD Credentials Verification, follow these steps:

  1. Navigate to Authentication Schemes:
    • Open App Builder.
    • Select the target application.
    • Go to Shared Components.
    • Under Security, click Authentication Schemes.
  1. Create a New Authentication Scheme:
    • Click Create.
    • Select Based on a pre-configured scheme from the gallery, then click Next.
  2. Define Authentication Settings:
    • Name: Enter a meaningful name for the authentication scheme.
    • Scheme Type: Select No Authentication (Using DAD).
  3. Confirm and Apply Settings:
    • Click Create Authentication Scheme.
    • Set this scheme as Current to activate it.

 Advantages of DAD Authentication

  • Minimal Setup – Requires only database accounts and basic DAD configuration.
  • No Additional User Management – Authentication is handled directly by the Oracle database.
  • Quick Access – Ideal for testing, demos, and prototypes where security is not a major concern.

 

Limitations and Considerations

Manual Account Maintenance:

  • User accounts must be managed manually in the Oracle database.
  • If users cannot reset their own passwords, administrators must handle all account-related issues.

Limited Scalability:

  • Suitable for small-scale applications but not ideal for production with a large user base.

Security Risks:

  • Basic authentication sends credentials in an unencrypted format unless used with SSL/TLS.
  • Consider using OAuth2, LDAP, or SSO for more secure authentication in production environments.

 When to Use DAD Authentication in Oracle APEX

Use Case

DAD Authentication is Suitable?

Prototyping & Demos

 Yes, quick setup for testing

Small Internal Applications

Yes, if minimal users & managed accounts

Production Systems

No, not scalable or secure

Enterprise Authentication (SSO, LDAP)

No, lacks integration

Public-Facing Applications

No, insecure without encryption

DAD authentication provides a simple, lightweight authentication option in Oracle APEX, especially for testing or small applications. However, due to manual account management and security concerns, it is not recommended for large-scale production applications. For better scalability and security, consider LDAP, OAuth2, or custom authentication solutions.

Conclusion
Using No Authentication with DAD in Oracle APEX is ideal for scenarios where ease of access outweighs the need for user validation within the application itself. While it simplifies user interaction and speeds up entry, it is important to ensure that external layers provide adequate security controls. When implemented correctly, this method allows APEX applications to deliver content efficiently to public or trusted users without compromising overall system security.

 

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How Do I Make a Faceted Search Map Page in Oracle APEX

Combining faceted search with a map region in Oracle APEX enables users to filter data visually and spatially at the same time. This design ...