New Secure Application Role features in 9i
Hello,
I don't understand the benefits of the new Secure Application Role features in Oracle 9i.
The Oracle 9i Application Developer's Guide recommends AGAINST using a password compiled into the application itself (as commonly done in earlier Oracle versions and MS SQL Server).
Instead, they recommend using a Secure Application Role with Proxy Authentication and a verified IP address. To me, this seems less secure than the old way!
Correct me if I'm wrong, but it seems like this approach has a huge hole in it. My application uses a middle-tier DLL to access Oracle, so a malicious programmer would only have to create a DLL and run it from the same server as my DLL to defeat the security methods. Since they're both DLLs, the "Program" in v$session would always be "dllhost.exe", and since they're running from the same server, the IP Address test would pass.
Am I missing something? Is there a way to restrict access to a DLL with a certain ProgID?
Thanks for your help!
Jeff

Received on Thu May 29 2003 - 13:38:47 CDT
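
For reference, a sketch of the kind of setup the post describes: a secure application role whose enabling procedure checks the proxy user and the client IP address. This is an added example, not code from the original post or from Oracle's guide; the schema, user and role names and the IP address are placeholders.

```sql
-- Added example. sec_mgr, app_mid_tier, end_user1, hr_admin_role and the
-- address 192.0.2.10 are placeholders, not values from the post.

-- The role carries no password; it can only be enabled from inside the
-- named procedure.
CREATE ROLE hr_admin_role IDENTIFIED USING sec_mgr.enable_hr_admin;

-- AUTHID CURRENT_USER (invoker's rights) is required, because a role
-- cannot be set from within a definer's-rights procedure.
CREATE OR REPLACE PROCEDURE sec_mgr.enable_hr_admin
  AUTHID CURRENT_USER
AS
  -- IP_ADDRESS is the address of the machine the client connected from.
  -- It identifies a host, not a particular program running on that host.
  v_ip    VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  -- PROXY_USER is populated only when the session was opened through a
  -- proxy account, which has to authenticate to the database itself.
  v_proxy VARCHAR2(30) := SYS_CONTEXT('USERENV', 'PROXY_USER');
BEGIN
  -- If either value is NULL (for example a direct, non-proxied login),
  -- the comparison is not true and the role stays disabled.
  IF v_ip = '192.0.2.10' AND v_proxy = 'APP_MID_TIER' THEN
    DBMS_SESSION.SET_ROLE('hr_admin_role');
  END IF;
END;
/

-- Let the middle-tier account open sessions on behalf of the end user.
ALTER USER end_user1 GRANT CONNECT THROUGH app_mid_tier;

-- The end user needs the role granted and must be able to run the check.
GRANT hr_admin_role TO end_user1;
GRANT EXECUTE ON sec_mgr.enable_hr_admin TO end_user1;
```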