
Monday, July 7, 2025

Set Up DAD Credentials Verification in Oracle APEX

 

Introduction
Setting up DAD (Database Access Descriptor) credentials verification in Oracle APEX allows applications to delegate user authentication to the Oracle HTTP Server or Oracle REST Data Services. This method relies on the web server to authenticate users before passing requests to APEX, enabling seamless integration with enterprise security systems and simplifying user management. Configuring DAD credentials verification ensures that APEX trusts the authenticated identity provided by the external layer, streamlining access without requiring additional login prompts within the application.

Setting up DAD (Database Access Descriptor) credentials verification in Oracle APEX involves configuring the Oracle HTTP Server (OHS) or Oracle REST Data Services (ORDS) to handle user authentication before requests reach the APEX engine. This approach shifts the responsibility for verifying user credentials to the web server layer, allowing APEX to trust that incoming requests are from authenticated users. It is commonly used in enterprise environments that require centralized authentication and single sign-on capabilities.

To begin, ensure that your Oracle HTTP Server or ORDS is properly configured with a DAD. The DAD defines how the web server connects to the database, manages connection pooling, and handles security parameters. Configuration files such as mod_plsql.conf (for OHS) or ords.conf (for ORDS) contain the settings for the DAD, including the database service, connection details, and authentication methods.

In your DAD configuration, enable and configure the authentication method you intend to use, such as Basic Authentication, LDAP, or Kerberos. For example, in OHS, you might define an authentication realm and associate it with the DAD to require users to provide valid credentials before forwarding the request to the database.

Once the DAD is configured to verify credentials, switch to Oracle APEX. Navigate to Shared Components > Authentication Schemes and create a new scheme. Choose No Authentication (Using DAD) as the scheme type. This tells APEX not to perform its own authentication but to trust the identity verified by the DAD layer.

Set the new scheme as current for your application. Now, when users access your APEX application, the web server will prompt for credentials (if not already authenticated) and verify them according to the configured method. Once verified, the user’s session is established in APEX without requiring a second login.

Because APEX relies on the web server for authentication, you can use the server’s features to manage user roles, access control, and password policies. You can also configure Single Sign-On (SSO) solutions at this layer, providing a seamless login experience across multiple applications.

It is important to note that since APEX itself does not authenticate users in this setup, you should ensure that the web server and network environment are secured appropriately. Use HTTPS to encrypt credential transmission, and restrict access to trusted users.

For advanced scenarios, you can define a Post-Authentication Procedure in APEX to initialize session state based on the authenticated user or to log user activity. Example:

BEGIN
  -- get_user_role is an application-defined function, not an APEX built-in
  apex_util.set_session_state('USER_ROLE', get_user_role(:APP_USER));
END;
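
A fuller version of the post-authentication idea above, added here as an example and not taken from the original post: it maps the DAD-supplied APP_USER to a role, refuses the anonymous and gateway accounts, and writes an audit row. The tables app_user_roles and app_login_audit and the procedure name init_dad_session are hypothetical; USER_ROLE is the item from the snippet above.

```sql
-- Added example, not from the original post.
-- Hypothetical objects: app_user_roles, app_login_audit, init_dad_session.
CREATE TABLE app_user_roles (
  username  VARCHAR2(255) PRIMARY KEY,   -- stored in upper case
  role_name VARCHAR2(30)  NOT NULL
);

CREATE TABLE app_login_audit (
  username    VARCHAR2(255),
  role_name   VARCHAR2(30),
  remote_addr VARCHAR2(64),
  logged_at   TIMESTAMP DEFAULT SYSTIMESTAMP
);

CREATE OR REPLACE PROCEDURE init_dad_session AS
  l_user VARCHAR2(255) := UPPER(v('APP_USER'));
  l_role app_user_roles.role_name%TYPE;
BEGIN
  -- These names mean the gateway did not hand APEX a verified end user:
  -- 'nobody' is APEX's unauthenticated user, the other two are gateway accounts.
  IF l_user IS NULL
     OR l_user IN ('NOBODY', 'APEX_PUBLIC_USER', 'ANONYMOUS') THEN
    raise_application_error(-20001, 'No authenticated identity from the DAD');
  END IF;

  -- Fail closed: an authenticated user with no mapping gets no session role.
  BEGIN
    SELECT role_name INTO l_role
      FROM app_user_roles
     WHERE username = l_user;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      raise_application_error(-20002, 'No role mapped for user ' || l_user);
  END;

  -- USER_ROLE is the application item used in the page's own example.
  apex_util.set_session_state('USER_ROLE', l_role);

  -- Record who was let in and from where (address as seen by the gateway).
  INSERT INTO app_login_audit (username, role_name, remote_addr)
  VALUES (l_user, l_role, owa_util.get_cgi_env('REMOTE_ADDR'));
END init_dad_session;
/
```

Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the audit column identifies the network path rather than the client.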

Setting up DAD credentials verification enables you to leverage existing enterprise authentication infrastructure while keeping Oracle APEX applications lightweight and focused on business logic. This separation of concerns improves security, simplifies user management, and supports scalable, integrated application deployments.

DAD (Database Access Descriptor) Credentials Verification allows Oracle APEX applications to authenticate users using Oracle Database native authentication. This method is useful for small-scale applications, prototypes, or environments where database accounts are already managed separately.

How DAD Authentication Works

  • Uses Oracle Database user accounts for authentication.
  • The username is retrieved from the DAD configuration or prompted using basic authentication.
  • APEX stores the authenticated user in the APP_USER substitution variable.
  • Users only log in once per browser session unless forced to re-authenticate.

Prerequisites

Before setting up DAD authentication, ensure that:

  • Each user has a valid Oracle Database account.
  • A PL/SQL DAD (Database Access Descriptor) is configured for basic authentication.
  • The Oracle HTTP Server (OHS) or Embedded PL/SQL Gateway is correctly set up to support authentication.

 

Step-by-Step Guide to Setting Up DAD Authentication in Oracle APEX

Step 1: Navigate to Authentication Schemes

  1. Open App Builder.
  2. Select the application where you want to configure authentication.
  3. On the Application Home page, click Shared Components.
  4. Under Security, select Authentication Schemes.

 

Step 2: Create a New Authentication Scheme

  1. Click Create to add a new authentication scheme.
  2. Select Based on a pre-configured scheme from the gallery, then click Next.

 

Step 3: Configure Authentication Settings

  1. Enter the Authentication Scheme Name:
    • Choose a meaningful name for the scheme (e.g., DAD Credentials Verification).
  2. Select the Authentication Scheme Type:
    • Choose No Authentication (Using DAD).
  3. Configure Username Handling:
    • Username Field: Enter the username to be used in the APEX session.
    • If left empty, APEX will use the database session user (usually APEX_PUBLIC_USER).

 

Step 4: Finalize and Apply the Authentication Scheme

  1. Click Create Authentication Scheme to save the settings.
  2. Set the newly created scheme as Current to activate it.

 

Validating the Configuration

After setting up DAD authentication:

  • Access the application and verify that authentication is working correctly.
  • Check the APP_USER value by creating a simple SQL report with: 

SELECT :APP_USER FROM DUAL;

  • Ensure that session tracking and access control work as expected.
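
A wider diagnostic than the one-column query above, added here as an example and not part of the original post: it shows what the DAD actually delivered to APEX and flags the two failure modes this page mentions, an anonymous or pool user in APP_USER and credentials sent without SSL. It assumes the gateway populates the REMOTE_USER and REQUEST_PROTOCOL CGI variables; behind a TLS-terminating proxy REQUEST_PROTOCOL may report HTTP.

```sql
-- Added example: use as the source of a report on a test page.
SELECT d.app_user,
       d.remote_user,
       d.protocol,
       d.db_session_user,
       CASE
         WHEN d.app_user IS NULL
              OR UPPER(d.app_user) IN ('NOBODY', 'APEX_PUBLIC_USER', 'ANONYMOUS')
           THEN 'FAIL: no authenticated user reached APEX'
         WHEN UPPER(NVL(d.protocol, 'NONE')) <> 'HTTPS'
           THEN 'FAIL: credentials travel without TLS'
         WHEN d.remote_user IS NOT NULL
              AND UPPER(d.remote_user) <> UPPER(d.app_user)
           THEN 'WARN: gateway user differs from APP_USER'
         ELSE 'OK'
       END AS verdict
  FROM (SELECT :APP_USER                                AS app_user,
               owa_util.get_cgi_env('REMOTE_USER')      AS remote_user,
               owa_util.get_cgi_env('REQUEST_PROTOCOL') AS protocol,
               SYS_CONTEXT('USERENV', 'SESSION_USER')   AS db_session_user
          FROM dual) d
```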

 

Considerations and Best Practices

When to Use DAD Authentication

  • Prototyping & Internal Testing – Quick and easy authentication setup.
  • Small Applications – When user accounts are limited and manageable.
  • Pre-Existing Oracle Accounts – If database users are already maintained separately.

Limitations of DAD Authentication

  • Not Scalable – Manually managing user accounts in the database is difficult for large applications.
  • Limited Security – Credentials are sent in plain text unless SSL is enabled.
  • Single Sign-On (SSO) Compatibility Issues – May not integrate well with enterprise SSO solutions.
  • Browser Session Dependency – Users must re-authenticate if the browser session expires.

 

Alternative Authentication Methods

For more secure and scalable authentication, consider:

  • LDAP Authentication – Uses directory services for centralized user management.
  • OAuth2 / SAML Authentication – Secure token-based authentication for modern applications.
  • Custom Authentication – Allows full control over user authentication logic.

 

DAD Credentials Verification in Oracle APEX provides a simple and lightweight authentication method, primarily useful for testing and small applications. However, it is not recommended for production environments requiring scalability and enhanced security.

For long-term solutions, consider LDAP, OAuth2, or custom authentication mechanisms.

To set up Oracle APEX Accounts:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Oracle APEX Accounts.

Click Create Authentication Scheme.

Conclusion
Configuring DAD credentials verification in Oracle APEX provides a robust way to centralize authentication outside of the application while maintaining secure and controlled access. This approach leverages existing infrastructure for user validation, reduces the complexity of managing user credentials in APEX, and improves the user experience by enabling single sign-on scenarios. Proper setup of DAD credentials verification ensures that your APEX applications remain secure and integrated within your organization’s authentication ecosystem.

 

 

No Authentication (Using DAD) in Oracle APEX

 

Introduction
No Authentication using DAD (Database Access Descriptor) in Oracle APEX allows applications to operate without prompting users for login credentials. This approach is commonly used for public-facing websites or internal applications where open access is required. When configured with a DAD, the Oracle HTTP Server or Oracle REST Data Services handles the connection and security outside of APEX, enabling seamless access while simplifying user experience by eliminating the login step.

No Authentication using DAD (Database Access Descriptor) in Oracle APEX means that the application itself does not perform any user authentication. Instead, authentication and access control are handled outside of APEX, typically by the Oracle HTTP Server (OHS) or Oracle REST Data Services (ORDS) using a DAD configuration. This setup is useful for public websites or internal tools where users do not need to log in or when a separate system manages security.

To set this up, first ensure your Oracle HTTP Server or ORDS is configured with a DAD that points to your Oracle database. A DAD defines connection details such as the database service name, connection pooling, and security settings. When a request comes through the DAD, the web server or ORDS manages the connection to the database and handles any authentication required.

In Oracle APEX, go to Shared Components > Authentication Schemes and create a new scheme. Choose No Authentication (using DAD) from the options. Give it a meaningful name such as “Public Access via DAD.” This tells APEX that it should not prompt users for credentials and will trust that the environment handles authentication or that none is needed.

With this scheme active, users accessing your application will not see a login page; instead, they will gain immediate access to the application’s pages. This is ideal for public-facing applications like product catalogs, documentation sites, or dashboards that do not require user-specific data protection.

Because APEX does not manage authentication, you must rely on your web server, network security, or firewall rules to protect sensitive data. It’s important to ensure that unauthorized users cannot access data they should not see. If your environment requires any form of access control, implement it at the server or network layer.

You can still use APEX authorization schemes to control which parts of the application users can see, but these must be based on other factors since there is no authenticated username in session. For example, authorization can be based on IP addresses, tokens, or custom logic embedded in your application.

If later you want to add authentication, you can switch the authentication scheme back to one of the built-in methods or a custom authentication scheme without changing the application structure significantly.

Using No Authentication with DAD is a simple way to deliver APEX applications without login friction while offloading security responsibilities to infrastructure components. It streamlines access but requires careful planning to ensure overall system security and data protection.

DAD (Database Access Descriptor) authentication leverages Oracle Database's native authentication to verify users. This method uses basic authentication, where credentials are provided via an HTTP authentication challenge or retrieved from the DAD configuration.

DAD authentication can be useful in scenarios requiring quick setup and minimal configuration, such as prototyping, demonstrations, or small-scale applications. However, it may not be suitable for long-term use due to manual account maintenance requirements.

How DAD Authentication Works

  • User Credentials Source:
    • If user credentials are stored in the DAD configuration, APEX retrieves them automatically.
    • If credentials are not stored, the user is prompted to enter a username and password through the browser's basic authentication dialog.
  • User Identification in APEX:
    • The authenticated username is stored in APP_USER, which can be used for session tracking and authorization.
  • Session Behavior:
    • APEX prompts the user for credentials once per browser session.
    • Once authenticated, the user's identity remains valid throughout the session.

Requirements for Using DAD Authentication

  1. Oracle Database Accounts:
    • Each application user must have a corresponding Oracle database user account.
  2. PL/SQL DAD Configuration:
    • A PL/SQL Database Access Descriptor (DAD) must be set up for basic authentication.
    • The DAD should be configured without storing user credentials, allowing authentication to occur at runtime.

Setting Up DAD Authentication in Oracle APEX

To configure an authentication scheme using DAD Credentials Verification, follow these steps:

  1. Navigate to Authentication Schemes:
    • Open App Builder.
    • Select the target application.
    • Go to Shared Components.
    • Under Security, click Authentication Schemes.
  2. Create a New Authentication Scheme:
    • Click Create.
    • Select Based on a pre-configured scheme from the gallery, then click Next.
  3. Define Authentication Settings:
    • Name: Enter a meaningful name for the authentication scheme.
    • Scheme Type: Select No Authentication (Using DAD).
  4. Confirm and Apply Settings:
    • Click Create Authentication Scheme.
    • Set this scheme as Current to activate it.

Advantages of DAD Authentication

  • Minimal Setup – Requires only database accounts and basic DAD configuration.
  • No Additional User Management – Authentication is handled directly by the Oracle database.
  • Quick Access – Ideal for testing, demos, and prototypes where security is not a major concern.

 

Limitations and Considerations

Manual Account Maintenance:

  • User accounts must be managed manually in the Oracle database.
  • If users cannot reset their own passwords, administrators must handle all account-related issues.

Limited Scalability:

  • Suitable for small-scale applications but not ideal for production with a large user base.

Security Risks:

  • Basic authentication sends credentials in an unencrypted format unless used with SSL/TLS.
  • Consider using OAuth2, LDAP, or SSO for more secure authentication in production environments.

When to Use DAD Authentication in Oracle APEX

| Use Case                              | DAD Authentication is Suitable?          |
|---------------------------------------|------------------------------------------|
| Prototyping & Demos                   | Yes, quick setup for testing             |
| Small Internal Applications           | Yes, if minimal users & managed accounts |
| Production Systems                    | No, not scalable or secure               |
| Enterprise Authentication (SSO, LDAP) | No, lacks integration                    |
| Public-Facing Applications            | No, insecure without encryption          |

DAD authentication provides a simple, lightweight authentication option in Oracle APEX, especially for testing or small applications. However, due to manual account management and security concerns, it is not recommended for large-scale production applications. For better scalability and security, consider LDAP, OAuth2, or custom authentication solutions.

Conclusion
Using No Authentication with DAD in Oracle APEX is ideal for scenarios where ease of access outweighs the need for user validation within the application itself. While it simplifies user interaction and speeds up entry, it is important to ensure that external layers provide adequate security controls. When implemented correctly, this method allows APEX applications to deliver content efficiently to public or trusted users without compromising overall system security.

 
