Oracle FAQ Your Portal to the Oracle Knowledge Grid

New Secure Application Role features in 9i

From: Jeff Rimland <unclejcr_at_yah_REMOVE_THIS_PART_oo.com>
Date: Thu, 29 May 2003 18:38:47 GMT
Message-ID: <XssBa.1160$cp6.896253@news1.news.adelphia.net>


Hello,

I don't understand the benefits of the new Secure Application Role features in Oracle 9i.

The Oracle 9i Application Developer's Guide recommends AGAINST using a password compiled into the application itself (as commonly done in earlier Oracle versions & MS SQL Server).

Instead, they recommend using a Secure Application Role with Proxy Authentication and a verified IP address. To me, this seems less secure than the old way!

Correct me if I'm wrong, but it seems like this approach has a huge hole in it. My application uses a middle-tier DLL to access Oracle, so a malicious programmer would only have to create a DLL and run it from the same server as my DLL to defeat the security methods. Since they're both DLLs, the "Program" in v$session would always be "dllhost.exe" and since they're running from the same server, the IP Address test would pass.

Am I missing something? Is there a way to restrict access to a DLL with a certain ProgID?

Thanks for your help!

Jeff

Received on Thu May 29 2003 - 13:38:47 CDT
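
For reference, a secure application role of the kind the post describes can be sketched in PL/SQL as follows. This is an added example, not code from the post or from Oracle's guide; the schema `app_sec`, the role `hr_app_role`, the proxy account `MIDTIER_PROXY` and the address `192.0.2.10` are hypothetical, and the `app_sec` schema is assumed to exist.

```sql
-- Added illustration; every object name and the IP address are hypothetical.

-- The role carries no password. It can only be enabled by code running
-- inside the package named in the IDENTIFIED USING clause.
CREATE ROLE hr_app_role IDENTIFIED USING app_sec.hr_role_pkg;

-- Invoker's rights (AUTHID CURRENT_USER) so that SET_ROLE acts on the
-- calling session rather than on the package owner.
CREATE OR REPLACE PACKAGE app_sec.hr_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END hr_role_pkg;
/

CREATE OR REPLACE PACKAGE BODY app_sec.hr_role_pkg AS
  PROCEDURE enable_role IS
    v_proxy VARCHAR2(30);
    v_ip    VARCHAR2(64);
  BEGIN
    -- Account that opened this session on behalf of the end user
    -- (NULL when the session was not opened through proxy authentication).
    v_proxy := SYS_CONTEXT('USERENV', 'PROXY_USER');
    -- Address of the machine the connection came from.
    v_ip := SYS_CONTEXT('USERENV', 'IP_ADDRESS');

    IF v_proxy IS NULL OR v_proxy <> 'MIDTIER_PROXY' THEN
      RAISE_APPLICATION_ERROR(-20001, 'Not a proxied middle-tier session');
    END IF;

    IF v_ip IS NULL OR v_ip <> '192.0.2.10' THEN
      RAISE_APPLICATION_ERROR(-20002, 'Connection not from the application server');
    END IF;

    -- Both tests describe the connection (proxy account and source host),
    -- not the component that issued the call.
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END enable_role;
END hr_role_pkg;
/
```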
