As I understood from the documentation, the only way so far to access a database is by corresponding REST API (XData). Can I somehow connect to SQL Server or Oracle directly?
At this moment we support XData. Bob Swart also wrote an article for using Embarcadero RAD server with TMS WEB Core: https://www.tmssoftware.com/site/blog.asp?post=462
Creating a REST service for your database is exactly what TMS XData does out of the box.
Other than this, please see:
TMS Web Core generates 100% client-side applications. None of the code runs in the server, so you should not and could not connect directly to the database. It's not a limitation of TMS Web Core, but of the (nice) architecture of the app it generates. You have security issue: your database user and password will be available in the browser for everyone to see, and all SQL statements would also be available. And you have technical issue: your users will have to have network access to the database, a client installed in each computer, etc..
As it seams to me, the main problem here is that the entire application is actually a JavaScript file. Therefore, security is pretty much non-existent as the client can see everything he wants. Attacker can steal the application and sell it as it's own, analyze the application to do damage etc. And even if I use XData I don't see how the attacker is prevented to do damage as he himself can see username, password and all other relevant information about the intermediary service and manipulate it to do damage in the database itself. Please correct me if I am wrong or missing something here.
Maybe ISAPI/CGI should be offered as alternative outputs instead of pure JavaScript, even at the cost being just for Windows. At least the applications would not be so exposed. JavaScript just seams too risky for anything serious.
And as for the security regarding database connection.. I use user account impersonation and application roles, both in SQL Server. But, each would fail here as all relevant info would probably be in JavaScript file.
There is no silver bullet. If you prefer to have ISAPI/CGI, server-side generated HTML files, that's fine. That's what has been used for years until the advent of Single Page Applications.