Set Up DAD Credentials Verification in Oracle APEX

 

Introduction
Setting up DAD (Database Access Descriptor) credentials verification in Oracle APEX allows applications to delegate user authentication to the Oracle HTTP Server or Oracle REST Data Services. This method relies on the web server to authenticate users before passing requests to APEX, enabling seamless integration with enterprise security systems and simplifying user management. Configuring DAD credentials verification ensures that APEX trusts the authenticated identity provided by the external layer, streamlining access without requiring additional login prompts within the application.

Setting up DAD (Database Access Descriptor) credentials verification in Oracle APEX involves configuring the Oracle HTTP Server (OHS) or Oracle REST Data Services (ORDS) to handle user authentication before requests reach the APEX engine. This approach shifts the responsibility for verifying user credentials to the web server layer, allowing APEX to trust that incoming requests are from authenticated users. It is commonly used in enterprise environments that require centralized authentication and single sign-on capabilities.

To begin, ensure that your Oracle HTTP Server or ORDS is properly configured with a DAD. The DAD defines how the web server connects to the database, manages connection pooling, and handles security parameters. Configuration files such as mod_plsql.conf (for OHS) or ords.conf (for ORDS) contain the settings for the DAD, including the database service, connection details, and authentication methods.

In your DAD configuration, enable and configure the authentication method you intend to use, such as Basic Authentication, LDAP, or Kerberos. For example, in OHS, you might define an authentication realm and associate it with the DAD to require users to provide valid credentials before forwarding the request to the database.

Once the DAD is configured to verify credentials, switch to Oracle APEX. Navigate to Shared Components > Authentication Schemes and create a new scheme. Choose No Authentication (Using DAD) as the scheme type. This tells APEX not to perform its own authentication but to trust the identity verified by the DAD layer.

Set the new scheme as current for your application. Now, when users access your APEX application, the web server will prompt for credentials (if not already authenticated) and verify them according to the configured method. Once verified, the user’s session is established in APEX without requiring a second login.

Because APEX relies on the web server for authentication, you can use the server’s features to manage user roles, access control, and password policies. You can also configure Single Sign-On (SSO) solutions at this layer, providing a seamless login experience across multiple applications.

It is important to note that since APEX itself does not authenticate users in this setup, you should ensure that the web server and network environment are secured appropriately. Use HTTPS to encrypt credential transmission, and restrict access to trusted users.

For advanced scenarios, you can define a Post-Authentication Procedure in APEX to initialize session state based on the authenticated user or to log user activity. Example:

BEGIN

  apex_util.set_session_state('USER_ROLE', get_user_role(:APP_USER));

END;

Setting up DAD credentials verification enables you to leverage existing enterprise authentication infrastructure while keeping Oracle APEX applications lightweight and focused on business logic. This separation of concerns improves security, simplifies user management, and supports scalable, integrated application deployments.

DAD (Database Access Descriptor) Credentials Verification allows Oracle APEX applications to authenticate users using Oracle Database native authentication. This method is useful for small-scale applications, prototypes, or environments where database accounts are already managed separately.

How DAD Authentication Works

• Uses Oracle Database user accounts for authentication.
• The username is retrieved from the DAD configuration or prompted using basic authentication.
• APEX stores the authenticated user in the APP_USER substitution variable.
• Users only log in once per browser session unless forced to re-authenticate.

Prerequisites

Before setting up DAD authentication, ensure that:

• Each user has a valid Oracle Database account.
• A PL/SQL DAD (Database Access Descriptor) is configured for basic authentication.
• The Oracle HTTP Server (OHS) or Embedded PL/SQL Gateway is correctly set up to support authentication.

 

Step-by-Step Guide to Setting Up DAD Authentication in Oracle APEX

Step 1: Navigate to Authentication Schemes

1. Open App Builder.
2. Select the application where you want to configure authentication.
3. On the Application Home page, click Shared Components.
4. Under Security, select Authentication Schemes.

 

Step 2: Create a New Authentication Scheme

1. Click Create to add a new authentication scheme.
2. Select Based on a pre-configured scheme from the gallery, then click Next.

 

Step 3: Configure Authentication Settings

1. Enter the Authentication Scheme Name:

• Choose a meaningful name for the scheme (e.g., DAD Credentials Verification).
1. Select the Authentication Scheme Type:
• Choose No Authentication (Using DAD).
2. Configure Username Handling:
• Username Field: Enter the username to be used in the APEX session.
• If left empty, APEX will use the database session user (usually APEX_PUBLIC_USER).

 

Step 4: Finalize and Apply the Authentication Scheme

1. Click Create Authentication Scheme to save the settings.
2. Set the newly created scheme as Current to activate it.

 

Validating the Configuration

After setting up DAD authentication:

• Access the application and verify that authentication is working correctly.
• Check the APP_USER value by creating a simple SQL report with: 

SELECT :APP_USER FROM DUAL;

• Ensure that session tracking and access control work as expected.

 

Considerations and Best Practices

When to Use DAD Authentication

• Prototyping & Internal Testing – Quick and easy authentication setup.
• Small Applications – When user accounts are limited and manageable.
• Pre-Existing Oracle Accounts – If database users are already maintained separately.

Limitations of DAD Authentication

• Not Scalable – Manually managing user accounts in the database is difficult for large applications.
• Limited Security – Credentials are sent in plain text unless SSL is enabled.
  Single Sign-On (SSO) Compatibility Issues – May not integrate well with enterprise SSO solutions. 
• rowser Session Dependency – Users must re-authenticate if the browser session expires.

 

Alternative Authentication Methods

For more secure and scalable authentication, consider:

• LDAP Authentication – Uses directory services for centralized user management.
• OAuth2 / SAML Authentication – Secure token-based authentication for modern applications. 
• ustom Authentication – Allows full control over user authentication logic.

 

DAD Credentials Verification in Oracle APEX provides a simple and lightweight authentication method, primarily useful for testing and small applications. However, it is not recommended for production environments requiring scalability and enhanced security.

For long-term solutions, consider LDAP, OAuth2, or custom authentication mechanisms.

To set up Oracle APEX Accounts:

1. On the Workspace home page, click the App Builder icon.
2. Select an application.
3. On the Application home page, click Shared Components.

The Shared Components page appears.

1. Under Security, select Authentication Schemes.
2. On the Authentication Schemes page, click Create.
3. Select Based on a pre-configured scheme from the gallery and click Next.
4. Under Name:
1. Name - Enter the name used to reference the authentication scheme by other application developers.
2. Scheme Type - Select Oracle APEX Accounts.

Click Create Authentication Scheme.

Conclusion
Configuring DAD credentials verification in Oracle APEX provides a robust way to centralize authentication outside of the application while maintaining secure and controlled access. This approach leverages existing infrastructure for user validation, reduces the complexity of managing user credentials in APEX, and improves the user experience by enabling single sign-on scenarios. Proper setup of DAD credentials verification ensures that your APEX applications remain secure and integrated within your organization’s authentication ecosystem.