
Monday, July 7, 2025

HTTP Header Variable Authentication

 

Introduction
HTTP Header Variable Authentication in Oracle APEX is used when authentication is handled outside APEX by an external system such as a reverse proxy, single sign-on (SSO) gateway, load balancer, or identity provider. That system validates the user and then forwards the authenticated username to APEX in an HTTP header. APEX trusts the header value and establishes a session from it without prompting for credentials again. This method suits enterprise environments with centralized identity management, where one login should carry across many applications.

To configure HTTP Header Variable Authentication in Oracle APEX, start by going to Shared Components > Authentication Schemes. Click Create, then select Based on a Preconfigured Scheme from Gallery. Choose HTTP Header Variable and proceed through the wizard. Give your scheme a name like "SSO Header Auth" and click Next.

In the scheme settings, locate the field labeled Header Variable Name. This is where you enter the name of the HTTP header that your external system will pass to APEX. For example, if your reverse proxy is configured to pass the username in a header called X-USERNAME, then enter X-USERNAME here.

The header value becomes the session username (:APP_USER), so make sure its form matches your user records. If your tables store usernames in upper case, for example, normalize the value with UPPER() in the post-authentication procedure and in every comparison against :APP_USER; otherwise a lookup for JSMITH will silently miss a header value of jsmith.

If the header is present and contains a value, APEX logs the user in as that value. There is no password check at this point: whatever string arrives in the header is accepted as the user's identity. The entire security of the scheme therefore rests on the assumption that only your proxy or gateway can set that header and that a client cannot supply it directly. Use this method only behind a proxy that authenticates the user itself, overwrites or removes any copy of the header that arrives from the client, and is the only network path to ORDS or the APEX listener. Never expose the APEX tier directly to the internet with this scheme active.

You can optionally create a Post-Authentication Procedure. Enter the name of a stored PL/SQL procedure in the scheme's Login Processing settings; it runs once the user has been identified from the header. It is commonly used to load user roles, set application-level preferences, or write an audit record. For example (get_user_role is an application-specific lookup function assumed to exist, and CURRENT_ROLE an application item):

CREATE OR REPLACE PROCEDURE sso_post_auth IS
BEGIN
  -- v('APP_USER') returns the username APEX took from the header;
  -- get_user_role is an application-specific function assumed to exist
  apex_util.set_session_state('CURRENT_ROLE', get_user_role(v('APP_USER')));
END sso_post_auth;

To test the authentication, access the application through the proxy or gateway that sets the header. APEX itself cannot distinguish a header set by your proxy from one set by a client with curl or a browser extension: it simply reads whatever the web tier hands it. If the proxy forwards client-supplied headers unchanged, anyone who can reach it can log in as any user by sending X-USERNAME: admin. So the external system must both insert the correct header after successful authentication and strip or overwrite any instance of that header arriving from the client, and the ORDS or APEX listener tier must accept connections only from the proxy. Verify this by sending a request with a forged header through the proxy and confirming it is rejected or replaced.

You can still define Authorization Schemes in APEX to control access to pages or regions based on the value of :APP_USER or any session state variable initialized after login.
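A fuller post-authentication procedure for this scheme, as an added example rather than code from the original post. It assumes two tables created below (an allowlist of identities the proxy is permitted to assert, with each user's application role, and a login audit table) and an application item CURRENT_ROLE; the usernames and role names are made up. The procedure writes an audit row for every login, including the address the web tier reports, and loads the role for known users. Unknown identities get a NULL role, so authorization schemes conditioned on CURRENT_ROLE keep them out of every protected page even though APEX has accepted the header and created a session.

```sql
-- Constructed for this example: identities the proxy may assert, and an audit trail.
CREATE TABLE app_sso_users (
  username   VARCHAR2(128) PRIMARY KEY,
  app_role   VARCHAR2(30)  NOT NULL,
  is_active  CHAR(1)       DEFAULT 'Y' NOT NULL CHECK (is_active IN ('Y', 'N'))
);

CREATE TABLE app_login_audit (
  audit_id     NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  username     VARCHAR2(128) NOT NULL,
  apex_session NUMBER,
  remote_addr  VARCHAR2(64),
  login_ts     TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL
);

INSERT INTO app_sso_users (username, app_role) VALUES ('JSMITH', 'EDITOR');
INSERT INTO app_sso_users (username, app_role) VALUES ('ADMIN',  'ADMIN');
COMMIT;

-- Post-Authentication Procedure Name: sso_post_auth (name is an assumption).
-- Runs once APEX has taken the username from the trusted header.
CREATE OR REPLACE PROCEDURE sso_post_auth IS
  l_user  app_sso_users.username%TYPE := UPPER(v('APP_USER'));
  l_role  app_sso_users.app_role%TYPE;
BEGIN
  -- Record every login with the client address as reported by the web tier.
  -- REMOTE_ADDR is the standard CGI variable; behind a reverse proxy it is
  -- usually the proxy's own address rather than the end user's.
  INSERT INTO app_login_audit (username, apex_session, remote_addr)
  VALUES (l_user, v('APP_SESSION'), owa_util.get_cgi_env('REMOTE_ADDR'));

  -- Load the application role into the CURRENT_ROLE application item.
  -- Unknown or deactivated users get no role at all.
  BEGIN
    SELECT app_role
      INTO l_role
      FROM app_sso_users
     WHERE username  = l_user
       AND is_active = 'Y';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      l_role := NULL;
  END;
  apex_util.set_session_state('CURRENT_ROLE', l_role);

  apex_debug.info('sso_post_auth: user=%s role=%s', l_user, NVL(l_role, '<none>'));
END sso_post_auth;
/
```

Enter sso_post_auth as the Post-Authentication Procedure Name under Login Processing. If you need the end user's address rather than the proxy's, have the proxy set a forwarded-for header and read that with owa_util.get_cgi_env as well, treating it, like the username header, as data only the proxy may set.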

HTTP Header Variable Authentication is a powerful option when you need to delegate authentication to an external provider but still maintain control of user access and session behavior within Oracle APEX. It offers seamless user experience, central security control, and reduced password management inside your application, all while allowing the flexibility to tailor session setup through post-login PL/SQL logic.

Authenticate users externally by using an HTTP header variable set by the web server.

Overview:
The HTTP Header Variable authentication method allows Oracle APEX to identify users based on a value stored in an HTTP header variable. This method is useful when integrating with centralized web authentication solutions such as Oracle Access Manager, which provides Single Sign-On (SSO). These external authentication systems validate user credentials and pass the authenticated username to APEX using an HTTP header variable (e.g., "REMOTE_USER", which is the default).

Setting Up HTTP Header Variable Authentication

To configure HTTP Header Variable authentication:

  1. Access the Authentication Schemes page:
    • Open App Builder from the Workspace home page.
    • Select an application.
    • On the Application home page, go to Shared Components.
    • Under Security, select Authentication Schemes.
  2. Create a new authentication scheme:
    • Click Create.
    • Select Based on a pre-configured scheme from the gallery and click Next.
  3. Configure the basic settings:
    • Name: Enter a reference name for the authentication scheme.
    • Scheme Type: Select HTTP Header Variable.
  4. Specify the HTTP Header Variable settings:
    • HTTP Header Variable Name: Enter the name of the header that carries the username. If left blank, REMOTE_USER is used.
    • Action if Username is Empty: What APEX does when the header is empty:
      • Redirect to Built-In URL: Redirects to /apex/apex_authentication.callback, which the web server must protect so that the user is forced to authenticate before it is reached.
      • Redirect to URL: Redirects to an external login page, which must then send the user back with the header populated.
      • Display Error: Shows an error message without attempting a login.
    • Verify Username: How often APEX re-checks the header against the session:
      • Each Request (most secure): On every request the header value must match the session's username; if it differs, the session is invalidated.
      • After Login: The header is checked only once, after the initial login callback.
    • Logout URL of SSO Server (optional): If using Oracle Access Manager or a similar SSO solution, enter its single sign-out URL. Example for Oracle Access Manager:

      /oamsso/logout.html?end_url=%POST_LOGOUT_URL%

      %POST_LOGOUT_URL% is replaced with an encoded URL for the APEX login page.
  5. Save the authentication scheme:
    • Click Create Authentication Scheme.

 

This setup enables secure external authentication using an HTTP header variable, ensuring seamless integration with enterprise SSO solutions like Oracle Access Manager.

 

Conclusion
Implementing HTTP Header Variable Authentication in Oracle APEX allows seamless integration with external authentication systems while maintaining strict access control within the application. By trusting validated headers passed by a secure intermediary, developers can reduce the need for repeated logins and ensure consistency across multiple applications. This approach is ideal for organizations looking to centralize authentication while keeping the APEX application lightweight and secure.

 

Set Up Database Account Credentials

 


Setting up database account credentials in Oracle APEX means configuring your application to authenticate users with their Oracle database usernames and passwords. This ties application access directly to the database's own user management, so you inherit Oracle's password policies, profiles and account locking without building a separate user table or external authentication system. It is best suited to administrative tools and internal systems where users already hold individual database accounts.

To begin, go to your application in Oracle APEX, then navigate to Shared Components > Authentication Schemes. Click Create, then choose Based on a Preconfigured Scheme from Gallery. From the list of available options, select Database Accounts and click Next. Give the scheme a name such as "DB Account Login" and finish the wizard. Once created, click on the new scheme and select Set as Current to make it active.

When this authentication scheme is active, Oracle APEX will prompt users to enter their database username and password when logging in. APEX passes these credentials to the Oracle database for validation using standard database authentication. If the login is successful, the session starts and the user is granted access to the application.

You do not need to create a custom login page when using this scheme, as APEX automatically generates a login form that accepts database credentials. However, if desired, you can still customize the login page for styling or additional messaging without altering the authentication logic.

Database user accounts must already exist in the Oracle database. A DBA creates them with standard SQL, for example (the password is a placeholder; choose one that satisfies the account's profile):

CREATE USER sample_user IDENTIFIED BY "S3cure#Temp-Pw-2025";
GRANT CREATE SESSION TO sample_user;

Each user must have the CREATE SESSION privilege to log in. Bear in mind that CREATE SESSION also lets the user connect directly with SQL*Plus or SQL Developer, not only through APEX, so grant only the roles and object privileges your security model actually requires and let the user's profile enforce password complexity, expiry and failed-login lockout.

It is important to note that APEX does not connect to the database as the logged-in user. The database session still runs as the connection-pool user (typically APEX_PUBLIC_USER), so SYS_CONTEXT('USERENV', 'SESSION_USER') returns that pool user, not the person who logged in. The authenticated database username is exposed as the APEX session user in :APP_USER (v('APP_USER') in stored PL/SQL). To restrict access to specific users, add authorization schemes to your pages or application that check :APP_USER.
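An authorization-scheme function that makes this distinction concrete, added here as an example and not part of the original post. It assumes a small allowlist table created below (the entry SAMPLE_USER is made up) and is meant to be used as an authorization scheme of type PL/SQL Function Returning Boolean applied at application level. It checks the APEX session user rather than SYS_CONTEXT, and logs both values so you can see in the debug output that they differ.

```sql
-- Constructed for this example: which database accounts may use the application,
-- independent of whether they can authenticate at all.
CREATE TABLE app_permitted_db_users (
  username VARCHAR2(128) PRIMARY KEY
);
INSERT INTO app_permitted_db_users (username) VALUES ('SAMPLE_USER');
COMMIT;

-- Authorization scheme: PL/SQL Function Returning Boolean (name is an assumption).
-- The identity to check is the APEX session user, never SYS_CONTEXT SESSION_USER.
CREATE OR REPLACE FUNCTION db_user_permitted RETURN BOOLEAN IS
  l_app_user VARCHAR2(128) := UPPER(v('APP_USER'));
  l_count    PLS_INTEGER;
BEGIN
  -- Defense in depth: the name must be on our allowlist AND still exist as a
  -- database account. ALL_USERS is visible to every user, and dropped accounts
  -- disappear from it, so a stale allowlist entry cannot grant access.
  SELECT COUNT(*)
    INTO l_count
    FROM app_permitted_db_users p
    JOIN all_users u ON u.username = p.username
   WHERE p.username = l_app_user;

  apex_debug.info('db_user_permitted: app_user=%s session_user=%s allowed=%s',
                  l_app_user,
                  SYS_CONTEXT('USERENV', 'SESSION_USER'),  -- pool user, not the person
                  CASE WHEN l_count = 1 THEN 'Y' ELSE 'N' END);

  RETURN l_count = 1;
END db_user_permitted;
/
```

Create the authorization scheme with the expression db_user_permitted, then set it as the application's Authorization Scheme under Shared Components > Security Attributes so that an account that can authenticate but is not on the allowlist cannot reach any page.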

For logout behavior, APEX ends the APEX session but does nothing to the database account, since it only verified the password and never held a connection as that user. Set a Post-Logout URL in the authentication scheme if users should land on the login page or another screen after logging out.

Be cautious when using this method in public or internet-facing applications. The login form accepts real database credentials, so anyone who can reach it can run password guessing directly against database accounts, and if a lockout policy is in force they can also lock out legitimate users, including administrators, by deliberately failing logins. Keep the form inside a trusted network, always enforce HTTPS, and rely on strong profile-driven password policies.

Setting up database account credentials in Oracle APEX is a straightforward way to connect application access to existing Oracle user management. It is most useful for internal environments where users are trusted, technically capable, and already have individual accounts in the Oracle database.

Follow these steps to configure Database Account Credentials authentication for your application:

1.    Navigate to the Workspace home page.

2.    Open App Builder.

3.    Select an application.

4.    On the Application home page, go to Shared Components.

5.    Under Security, select Authentication Schemes.

6.    On the Authentication Schemes page, click Create.

7.    Choose Based on a pre-configured scheme from the gallery and click Next.

8.    Under Name:

      • Name: Enter a reference name for the authentication scheme.

      • Scheme Type: Select Database Accounts.

9.    Click Create Authentication Scheme.

This setup allows users to authenticate using their database account credentials.

Configuring database account credentials in Oracle APEX provides a direct and efficient way to secure access to applications in environments where users are already managed at the database level. It ensures that authentication is handled by Oracle’s proven security mechanisms and eliminates the need for redundant user systems. While this approach may not be ideal for all applications, it is a reliable choice for internal tools and technical user groups who already maintain Oracle database credentials.

 

Database Accounts

Introduction

Database accounts in Oracle APEX allow users to authenticate directly using their Oracle database credentials. This method connects application access to the underlying database user management system, which can be useful in administrative tools, internal dashboards, or secure environments where user identities are managed at the database level. While less common for public-facing applications, using database accounts can simplify security administration for small teams or technical users already familiar with Oracle authentication.

Database Account Credentials authentication relies on database schema accounts to authenticate users.

Database Account Credentials

This method requires each user to have a corresponding database account (schema) in the local database. Users log in using their database username and password, which are validated against the database.

Choose Database Account Credentials authentication if:

  • Each named user can have a separate database account.

  • Managing user accounts through database tools aligns with your requirements.

This approach is best suited for environments where database-level user management is practical.

 

Conclusion
Using database accounts for authentication in Oracle APEX provides a straightforward way to control access when database-level security is already in place. It leverages existing Oracle user structures, reduces the need for duplicate user management, and can be effective in controlled, internal environments. However, for broader applications or non-technical audiences, it's important to consider other authentication schemes that offer more flexibility and user-friendly management options.


 




Session Management Security

 Introduction
Session management security in Oracle APEX plays a critical role in protecting your application and user data. When users log in, a session is created to track their activity and maintain state across pages. Without proper controls, these sessions can become a target for unauthorized access, session hijacking, or misuse. Implementing strong session security measures ensures that sessions are valid, time-bound, and tied to the correct user context, reducing the risk of security breaches in both internal and public-facing applications.

Learn how Oracle APEX handles session management security, especially when using custom authentication.

APEX prevents two potential security risks:

  • Unauthorized Access to Another User’s Session State: While APEX restricts direct access, users can still attempt to manually enter a different session ID in the URL.

  • Access to a Stale Session: Users may inadvertently access an outdated session by using browser bookmarks.

To ensure security, APEX validates that the user identity token set by the custom authentication function matches the original user identity recorded when the session was created.

  • If the user is not yet authenticated, session state access is allowed only if it does not belong to another user.

  • If the session ID in the request does not pass validation, APEX redirects the request to the same page using the correct session ID.

This process helps maintain secure and consistent session management.
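Beyond the validation APEX performs itself, you can shorten how long a session stays usable once it has been bound to a user. The procedure below is an added example, not code from the original post; it assumes an application item CURRENT_ROLE populated earlier in login processing, and the role names and limits are made up for illustration. It uses the documented APEX_UTIL calls to cap the session lifetime and idle time for the current session only, giving privileged roles tighter limits.

```sql
-- Post-Authentication Procedure Name: harden_session (name is an assumption).
-- Runs after APEX has recorded the authenticated identity for the session.
CREATE OR REPLACE PROCEDURE harden_session IS
  l_role     VARCHAR2(30) := v('CURRENT_ROLE');  -- application item assumed to be set earlier
  l_lifetime NUMBER;  -- absolute cap, seconds since the session was created
  l_max_idle NUMBER;  -- seconds without a request before the user must log in again
BEGIN
  -- Privileged roles get a shorter window; everyone else gets the ordinary one.
  IF l_role = 'ADMIN' THEN
    l_lifetime := 4 * 3600;   -- 4 hours
    l_max_idle := 15 * 60;    -- 15 minutes
  ELSE
    l_lifetime := 8 * 3600;   -- 8 hours
    l_max_idle := 60 * 60;    -- 60 minutes
  END IF;

  -- Both calls override the application-level defaults for this session only
  -- (the default scope of these APIs is the current session).
  apex_util.set_session_lifetime_seconds(l_lifetime);
  apex_util.set_session_max_idle_seconds(l_max_idle);

  apex_debug.info('harden_session: user=%s role=%s lifetime=%s idle=%s',
                  v('APP_USER'), NVL(l_role, '<none>'), l_lifetime, l_max_idle);
END harden_session;
/
```

Name this procedure as the Post-Authentication Procedure, or call it from the one you already have. Keep an application-level timeout configured as well, under Shared Components > Security Attributes > Session Management, so that sessions which never reach this procedure still expire.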

 

Conclusion
Effective session management is essential for maintaining application integrity and user trust in Oracle APEX. By configuring session timeouts, enabling session validation, and handling logout behavior carefully, developers can prevent unauthorized access and reduce exposure to security threats. A secure session framework not only safeguards user data but also ensures compliance with security policies and best practices across the application lifecycle. 

 
