Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Re: Invoker-rights/definer-rights response from Oracle Development
A point that Paul Needham could have mentioned - if an application user can execute the packaged procedure to set the role, then a malicious user could log in from SQL*Plus and do exactly the same. This is just security through obscurity.
I believe a significant driver in the concept of
an application role is that the application server
should be connecting to Oracle through an
application userid, and then using the proxy
user facility to become another userid. In
this case, the application userid can run the
secure package, and the secure package
can check that it is the application user
running it as a proxy for the real end-user.
Hence the real end-user can't set the role
by logging in through SQL*Plus.
(There still seems to be a loophole there
for the highly competent end-user who can
write C code and read Tom Kyte's book,
of course).
Regards
Jonathan Lewis
http://www.jlcomp.demon.co.uk
Coming soon a new one-day tutorial:
Cost Based Optimisation
(see http://www.jlcomp.demon.co.uk/tutorial.html )
Next Seminar dates:
(see http://www.jlcomp.demon.co.uk/seminar.html )
____England______January 21/23
The Co-operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html
-----Original Message-----
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
Date: 02 January 2003 05:49
Development
>So I forwarded the thread to her, and here's the response from Paul
>Needham of her team (who by the way was impressed with the knowledge
>level of the list contributors).
>
>------------------------------------------------------------------------
Received on Thu Jan 02 2003 - 04:28:56 CST
>
>introduction of the invoker-rights facility. Oracle9i introduced the
>secure application role and global application context which are
>designed for proxy architectures. The secure application role restricts
>enabling a role to a set role command in a named security package. The
>security package can perform its own security checks prior to invoking
>the set role command.
>
>------------------------------------------------------------------------
>
>
-- Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- Author: Jonathan Lewis INET: jonathan_at_jlcomp.demon.co.uk
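
The arrangement described in the message above, where the secure package confirms that the application userid is acting as proxy for the real end-user before it sets the role, could be set up as follows. This is an added example, not code from the thread or from Oracle; the accounts app_server, end_user and sec_owner are assumed to exist already, and those names, hr_app_role and hr_app_sec are all hypothetical.

```sql
-- Added example; every account, role and package name here is hypothetical.
-- Assumes the accounts APP_SERVER, END_USER and SEC_OWNER already exist.

-- The real end-user may be reached through the application server's account.
ALTER USER end_user GRANT CONNECT THROUGH app_server;

-- Secure application role: it can be enabled only by the named package.
CREATE ROLE hr_app_role IDENTIFIED USING sec_owner.hr_app_sec;
GRANT hr_app_role TO end_user;
-- Keep the role out of the user's default roles so it is never on at login.
ALTER USER end_user DEFAULT ROLE ALL EXCEPT hr_app_role;

-- The package must be invoker-rights so that it can change the
-- calling session's roles.
CREATE OR REPLACE PACKAGE sec_owner.hr_app_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END hr_app_sec;
/

CREATE OR REPLACE PACKAGE BODY sec_owner.hr_app_sec AS
  PROCEDURE enable_role IS
    v_proxy VARCHAR2(30);
  BEGIN
    -- PROXY_USER names the account that opened this session on the
    -- end-user's behalf; it is NULL when the end-user logged in directly.
    v_proxy := SYS_CONTEXT('USERENV', 'PROXY_USER');

    IF v_proxy IS NULL OR v_proxy <> 'APP_SERVER' THEN
      RAISE_APPLICATION_ERROR(
        -20001, 'hr_app_role is only available through the application server');
    END IF;

    -- SET_ROLE replaces the session's enabled roles with this list,
    -- so name every role the application needs.
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END enable_role;
END hr_app_sec;
/

GRANT EXECUTE ON sec_owner.hr_app_sec TO end_user;
```

With this in place, a session opened directly as end_user can still call sec_owner.hr_app_sec.enable_role, but the call fails with ORA-20001 and the role stays disabled.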