oracle - Best Practices for Separating Database Security from Application Tier -

in oracle documentation, repeatedly mentioned preferable users of application database users instead of records in kind of 'user' table numerous reasons. example, @ docs.oracle.com/cd/b28359_01/network.111/b28531/… -- "where possible, should build applications in application users database users. in way, can leverage intrinsic security mechanisms of database."

i reasonably familiar call 1 big application user pattern, have been suitably convinced not best way. however, seems creating database user every web user not particularly possible either, question is, best practices keeping security definition of data separate application accesses it?

some ideas:

• a secure interface in between database , application. application never knows database.
• create views utilize application context automatically filter out rows application user cannot read, , grant application user access view.
• similarly create procedures utilize application context allow authorized data access/manipulation.

i using oracle 11g xe, , i'd avoid solutions involve additional oracle products internet directory or middleware.