1) create a new DAD hr (as user SYS or SYSTEM)

BEGIN
  DBMS_EPG.create_dad (
    dad_name => 'hr',
    path     => '/hr/*');
 
  DBMS_EPG.set_dad_attribute (
    dad_name   => 'hr',
    attr_name  => 'database-username',
    attr_value => 'HR');
        
  DBMS_EPG.authorize_dad (
    dad_name => 'hr',
    user     => 'HR');
 
  DBMS_EPG.set_dad_attribute (
    dad_name   => 'hr',
    attr_name  => 'before-procedure',
    attr_value => 'hr.validate_login');
END;
/ 

2) create a test procedure TEST (schema HR)

create or replace procedure test is
begin
  htp.p('hello world');
END;
/ 

3) create a login validation procedure called validate_login (schema HR)

CREATE OR REPLACE PROCEDURE validate_login IS
BEGIN
   HTP.p ('check authentication...');
   HTP.p ('redirect to login page if not authenticated');
END validate_login;
/ 

Now you can call the test procedure via http://127.0.0.1:8080/hr/test

When you call it, the DAD first executes the 'before-procedure' validate_login.
In there you could check a cookie whether the user has a valid session.

You could even determine which procedure / package the user wants to call and allow public access to the public pages.

If the user wants to access a protected page you would use owa_util.redirect_url to redirect him to your public login form (be aware that validate_login will executed again, please allow the access there :).

In the login form you would post the username/password to your authentication function and set up the cookies. After that you would redirect the user to the page he wanted to access originally.