help with DAD authentication
kimprisk, Jun 29 2007 — edited Jun 30 2007

Hello,
I am trying to allow the users of an existing (non-APEX) application to access an APEX application.
So far this is what I have done:
1. Created an authentication scheme based on a DAD
* Assumption: since Apex is running out of the same database as our users, no modification to dads.conf (or marvel.conf) is necessary
* The authentication scheme 'Description' says: "Based on authentication scheme from gallery:No Authentication (using DAD)"
2. Created an authorization scheme = 'dad_scheme'
* set 'scheme type' = 'Exists sql query' - (this seemed an easy way to get going at least)
* set 'expression 1' = select 1 from all_users where username = :APP_USER;
* set Identify error message displayed when scheme violated = 'enter your username and password'
3. Created a new login page of type 'Login Page'
* the login process sends the user to page 1
4. On page 1/security,
* set 'authorization scheme' = 'dad_scheme'
* set 'authentication' = 'page requires authentication'
However, I can log in with any name and still get to page 1 (i.e. the scheme is not working).
I looked at various posts to the list but could not find a 'howto' or much to follow.
I would be grateful if someone could advise:
What additional steps do I need to take to secure the apex application?
How can I allow only existing users in, and enforce password checking?
thanks
KIM
Application Express 3.0.0.00.20