Tks for Your help but I still don't understand where I can get user and password without asking the user.
You don't necessarily need the user name and password.
You could think of the Forms application as a form of Single Sign-On - it has already authenticated the user and it passes 'something' to your APEX application to confirm the identity. Your APEX application takes that 'thing' and confirms that its valid and sets the user to whatever the Forms application determined. For example, the URL calling the APEX application might refer to a row in an accessible table which has the user details, or contain a token doing the same thing.
Tks for You suggestion but, again such "thing" where should be passed ?
Not in the DB, because I'm not authenticated nor connected to the DB.
In the url ? but I don't want to pass passwords in URL.
And after I got such infos how can I login the application in order to work with the given user authorizations ?
Just expanding on Suniti's response above.
In the database, create a table with the columns USERNAME and ACCESS_IND. When the user takes the action to launch the APEX application from the forms, merge into this table with the username and set ACCESS_IND to 'Y'
Create a function that, if the entry for the username is found, returns TRUE otherwise returns FALSE.
Create a function that updates the indicator to FALSE.
In your APEX Application, under Shared Components, in the Security section, Click Authentication Schemes. Click Create. Click Custom. Under settings, pick the function that you created as the sentry function. pick the function that sets the indicator to false for the Post Logout Procedure Name.
Here is a more expansive example by Oracle Ace Patrick Barel.
You call APEX using a URL. If you are using the same database for your Forms and APEX application you could enter the relevant details into a table and then pass a reference to that entry in your URL. APEX could then use that information as part of its authentication process.
If you are on separate databases then your URL could pass the authenticated userid along with a 'token' encrypted in a manner than proves that this is a valid URL e.g. the encryption includes a 'shared secret' known to both applications and associated with the userid - you'd produce the token on both sides in the same way and compare them as part of the APEX authentication process.