Tuesday, 17 September 2013

Implement Custom Authentication Scheme in Oracle Application Express - Part I


Authentication is the process of identifying an individual, usually based on a user ID and password. In a web application you implement authentication so that only authorized users gain access. Form-based authentication is the most common type: a web form asks the user for his or her ID and password. To prevent attackers from intercepting these credentials on the wire, the form is submitted over an encrypted connection (HTTPS, that is, HTTP over SSL/TLS) rather than over plain HTTP.

To secure your application you first need to determine the identity of the user trying to access it. As your first line of defense, present a login form on which users enter their identity along with a password. To protect those credentials in transit, serve the login page over HTTPS, which requires an SSL/TLS certificate for your site. An SSL certificate (the name comes from Secure Sockets Layer, the predecessor of today's TLS), also called a digital certificate, identifies the server to the browser and lets the two establish an encrypted link.

With SSL/TLS, the browser encrypts everything it sends to the server and decrypts everything it receives; the server does the same in the other direction. Because the data exchanged between the two stays confidential, the encryption prevents an eavesdropper on the network from reading credentials or session data. SSL/TLS also detects whether data has been tampered with in transit, and it verifies the identity of the server (and, if client certificates are deployed, of the client as well).

A certificate can be purchased from a certification authority (CA) such as VeriSign, Thawte, InstantSSL or Entrust. Once you have it, hand it to your hosting provider, who installs it on the web server so that every request made over the https protocol is served through the encrypted listener. Note that protecting only the login page is not enough: after login, APEX keeps the user's session in a cookie, and if later pages are served over plain HTTP that cookie can be captured and replayed just as easily as the password itself. Serve the whole application over HTTPS; once that is set up, you can start building the pages that need to be secure.

In Oracle Application Express, the login details the user provides are validated by the application's selected authentication scheme, and only after the credentials pass that check is the user allowed into the application. APEX implements this process through the following authentication schemes:

Application Express Accounts: Recall that we opted for this scheme while creating the blank structure of the application and provided the Admin/Manager_2013 credentials to access it (see Figure 2-18 in chapter 2). The Application Express engine checks these credentials against its built-in repository, which stores and manages user accounts.

Database Accounts: This authentication scheme requires that a database user (schema) exists in the local database. When using this method, the user name and password of that database account are used to authenticate the user.

HTTP Header Variable: Authentication happens externally: the web server (or a reverse proxy in front of it) authenticates the user and passes the username to APEX in an HTTP header. Use this only when that server is the sole path to APEX and strips any copy of the header supplied by the client; otherwise anyone who can reach APEX directly can set the header themselves and impersonate any user.

LDAP Directory: Authenticates the user name and password by sending an authentication (bind) request to a Lightweight Directory Access Protocol (LDAP) server.

No Authentication (using DAD): Adopts the current database user as the application user. It is meant to be combined with a mod_plsql DAD configured to use HTTP basic authentication, so that the web server, not APEX, establishes the database user for the session.

Open Door Credentials: Lets anyone into the application by simply typing a user name on the login page; no password is checked. This is useful for prototypes and testing, never for a production application.

Oracle Application Server Single Sign-On: This delegates authentication to the Oracle AS Single Sign-On (SSO) Server. To use this authentication scheme, your site must have been registered as a partner application with the SSO server.

Custom: We will use this scheme in our application. It validates the username and password against the DEMO_USERS table using the CUSTOM_AUTH and CUSTOM_HASH functions incorporated in chapter 2, section 2.37. Following best practice, you never store the password itself: you store a one-way hash of it (ideally salted with a random value per user), and at login you hash the submitted password the same way and compare the result with the stored value. That way, if an attacker gains access to the database, the stored values cannot simply be read back as passwords; hashing, unlike encryption, has no key that would let them be reversed.
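The following PL/SQL is an added example of how such a custom scheme is wired together; it is not the book's DEMO_USERS table or its CUSTOM_AUTH and CUSTOM_HASH functions. The table name APP_USERS, its columns, and the function and procedure names are assumptions chosen for this illustration. It stores a random 16-byte salt and an iterated SHA-256 digest per user, and exposes an authentication function with the signature that the APEX Custom scheme expects, (p_username, p_password) RETURN BOOLEAN, which you would enter as the scheme's Authentication Function Name. It requires EXECUTE on DBMS_CRYPTO and an Oracle release that provides DBMS_CRYPTO.HASH_SH256.

```sql
-- Added example (not the book's code). Assumed names: APP_USERS, APP_PASSWORD_HASH,
-- APP_SET_PASSWORD, APP_AUTHENTICATE.  Prerequisite: GRANT EXECUTE ON DBMS_CRYPTO TO <schema>;

CREATE TABLE app_users (
  user_name      VARCHAR2(100) PRIMARY KEY,
  password_salt  RAW(16)  NOT NULL,
  password_hash  RAW(32)  NOT NULL,
  is_active      CHAR(1)  DEFAULT 'Y' NOT NULL
);

-- Salted, iterated SHA-256.  The per-user random salt means two users with the
-- same password get different hashes; the iteration count makes offline guessing
-- slower.  If your platform offers a purpose-built password hash (PBKDF2, bcrypt,
-- Argon2), prefer that over this hand-rolled stretching.
CREATE OR REPLACE FUNCTION app_password_hash (
  p_password IN VARCHAR2,
  p_salt     IN RAW
) RETURN RAW IS
  c_iterations CONSTANT PLS_INTEGER := 10000;
  l_hash RAW(32);
BEGIN
  l_hash := DBMS_CRYPTO.HASH(
              UTL_RAW.CONCAT(p_salt, UTL_RAW.CAST_TO_RAW(p_password)),
              DBMS_CRYPTO.HASH_SH256);
  FOR i IN 2 .. c_iterations LOOP
    l_hash := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_hash),
                               DBMS_CRYPTO.HASH_SH256);
  END LOOP;
  RETURN l_hash;
END app_password_hash;
/

-- Create an account or reset its password.  Only the salt and the hash are
-- stored; the clear-text password never touches the table.
CREATE OR REPLACE PROCEDURE app_set_password (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) IS
  l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  l_hash RAW(32) := app_password_hash(p_password, l_salt);
BEGIN
  MERGE INTO app_users u
  USING (SELECT UPPER(p_username) AS user_name FROM dual) src
     ON (u.user_name = src.user_name)
  WHEN MATCHED THEN
    UPDATE SET u.password_salt = l_salt, u.password_hash = l_hash
  WHEN NOT MATCHED THEN
    INSERT (user_name, password_salt, password_hash)
    VALUES (src.user_name, l_salt, l_hash);
END app_set_password;
/

-- Authentication function in the shape APEX calls for a Custom scheme.
-- Unknown users and wrong passwords both return FALSE, and a hash is computed
-- in both cases so the response time does not reveal whether the user exists.
CREATE OR REPLACE FUNCTION app_authenticate (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN IS
  l_salt RAW(16);
  l_hash RAW(32);
  l_dummy_salt CONSTANT RAW(16) := HEXTORAW('00000000000000000000000000000000');
BEGIN
  SELECT password_salt, password_hash
    INTO l_salt, l_hash
    FROM app_users
   WHERE user_name = UPPER(p_username)
     AND is_active = 'Y';
  RETURN app_password_hash(p_password, l_salt) = l_hash;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    l_hash := app_password_hash(NVL(p_password, ' '), l_dummy_salt);
    RETURN FALSE;
END app_authenticate;
/

-- Usage: seed one account, then try a correct and an incorrect password.
BEGIN
  app_set_password('admin', 'Manager_2013');
  DBMS_OUTPUT.PUT_LINE(CASE WHEN app_authenticate('ADMIN', 'Manager_2013')
                            THEN 'login ok' ELSE 'login failed' END);
  DBMS_OUTPUT.PUT_LINE(CASE WHEN app_authenticate('admin', 'wrong')
                            THEN 'login ok' ELSE 'login failed' END);
END;
/
```

The first call succeeds and the second fails; a username that does not exist fails in the same way and, because of the dummy hash in the exception handler, in roughly the same time. Usernames are folded to upper case on both write and read so that the login form's case does not matter, which matches how APEX itself presents user names.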

An excerpt from the book "Create Rapid Web Applications Using Oracle Application Express - Second Edition"
