Security: Writing Custom Authentication Schemes for Application Express

Raj Mattamal has put up an interesting topic for a presentation at Oracle Open World 2008: Writing Custom Authentication Schemes for Application Express. The presentation is not just the basic stuff you will find in the manual or the tutorial; it goes way further. For example, it covers SSO over multiple workspaces.

In case you are not interested in the topic, it’s still always fun to watch Raj doing a presentation/see him talking (fast). This guy has way too much energy or is drinking too much Red Bull ;-)

So people, vote for him so that he is able to present that topic at Oracle Open World 2008!

And don’t forget about the other great Oracle APEX sessions!

2 thoughts on “Security: Writing Custom Authentication Schemes for Application Express”

  1. Raj’s technique is intriguing. So much so that I attempted to implement Raj’s article (as posted in May/June 09 Oracle Magazine). I could not get this working. In the article, he says to place “#OWNER#.login_page?p_app_id=&APP_ID.” in the SESSION NOT VALID URL field for both the login and auxiliary authentication schemes. Yet his login plsql procedure does not take parameters at all. And so, I’m not sure if this is just a typo in the article or did Raj really intend to pass in the APP_ID, in which case his login procedure is not coded correctly (or at least it’s not posted correctly in the article), I’m not sure which. Also, shouldn’t we be placing the name of the cookie NS_SESSION in the cookie name field of each authentication scheme (login and auxiliary)? This also is missing from the article.

    I created in Apex 3.2 two apps, app_id 700 (Alias=LOGIN) and app_id 587 (Alias=ASSETS). The former contains my login authentication function, annotated with the items Raj says to do. The latter contains my auxiliary authentication function, similarly annotated as per Raj’s article. When I attempt to run app 700, I end up with a “Page Not Found” error. Not sure where to go from here.

    My fear is that Raj has simply forgotten to include several key things in his article. In any case, I am unable to get his technique working.

    I wish there was a posting somewhere of his actual Apex apps so that I (and others) could actually place our hands on them and see how he is implementing his technique.



  2. hi elie–

    glad you at least found the article interesting. the technique described in the article certainly works, and pretty darn well at that. regarding the two issues you noted, your first observation’s correct, and the second one i believe is just the result of a forgotten grant. re the first issue, the article originally talked about deep linking, and that’s why the Login procedure needed to know the &APP_ID. of the calling application. we ended up dropping this deep linking concept from the article for space reasons, but it looks like that procedure call still matched the old signature. assuming you corrected that call in your app, then my guess for the Page Not Found error is a missing grant to the DAD user. the article says to do this on page 57 of the print edition, fwiw. anyhow, please feel free to contact me at if you have further questions or comments about the set-up.

    kind regards,
