Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroup: c.d.o.misc

Re: New Secure Application Role features in 9i

From: Brian Peasland <oracle_dba_at_remove_spam.peasland.com>
Date: Thu, 29 May 2003 19:29:52 GMT
Message-ID: <3ED65FB0.4136BA64@remove_spam.peasland.com>


About the only thing you are missing is that verifying by IP is only *one* way of testing for an authenticated user. And as you've shown, it's not a very good way. IP numbers can be spoofed, so this doesn't make a very secure way of authenticating the application role.

In this method, you provide a function to perform the verification. What you code in the PL/SQL function is up to you. You do not have to just look at the IP number as the example provides. How about looking for a specific context setting that your application sets before trying to authenticate the role? Have this context setting come from a cookie, or a userid/password combination that the user types in, etc. You are only limited by your imagination here.

HTH,
Brian

Jeff Rimland wrote:
>
> Hello,
>
> I don't understand the benefits of the new Secure Application Role features
> in Oracle 9i.
>
> The Oracle 9i Application Developer's Guide recommends AGAINST using a
> password compiled into the application itself (as commonly done in earlier
> Oracle versions & MS SQLServer.)
>
> Instead, they recommend using a Secure Application Role with Proxy
> Authentication and a verified IP address. To me, this seems less secure
> than the old way!
>
> Correct me if I'm wrong, but it seems like this approach has a huge hole in
> it. My application uses a middle tier DLL to access Oracle, so a malicious
> programmer would only have to create a DLL and run it from the same server
> as my DLL to defeat the security methods. Since they're both DLLs, the
> "Program" in v$session would always be "dllhost.exe" and since they're
> running from the same server, the IP Address test would pass.
>
> Am I missing something? Is there a way to restrict access to a DLL with a
> certain ProgID?
>
> Thanks for your help!
>
> Jeff

-- 
===================================================================

Brian Peasland
oracle_dba_at_remove_spam.peasland.com

Remove the "remove_spam" from the email address to email me.


"I can give it to you cheap, quick, and good. Now pick two out of
 the three"
Received on Thu May 29 2003 - 14:29:52 CDT
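The approach Brian describes, as an added example that is not code from his post or from Oracle's documentation: an application context that only one package may set, and a secure application role whose enabling package checks that context (plus the session facts from the original IP-based example) before calling DBMS_SESSION.SET_ROLE. The schema APP_SEC, the role APP_REPORTS_ROLE, the user APP_USER, the proxy account APP_PROXY, the subnet, the token table and the HR.REPORT_VIEW object are all hypothetical; the DDL assumes it is run by a DBA with CREATE ANY CONTEXT and the usual role privileges.

```sql
-- Added example, not from the thread. All object names are hypothetical.

-- 1. Where the middle tier parks a one-time sign-in token for the user
--    (written when the user's userid/password are checked at sign-in).
CREATE TABLE app_sec.app_login_tokens (
  token      VARCHAR2(64) PRIMARY KEY,
  app_user   VARCHAR2(30) NOT NULL,
  expires_at DATE         NOT NULL
);

-- 2. The application context. Only app_sec.ctx_pkg may write into it,
--    so a second DLL on the same server cannot set these attributes.
CREATE OR REPLACE CONTEXT app_ctx USING app_sec.ctx_pkg;

CREATE OR REPLACE PACKAGE app_sec.ctx_pkg AS
  PROCEDURE establish(p_token IN VARCHAR2);
END ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_sec.ctx_pkg AS
  PROCEDURE establish(p_token IN VARCHAR2) IS
    l_user app_sec.app_login_tokens.app_user%TYPE;
  BEGIN
    -- Consume the token: it must exist and be unexpired, and it is deleted
    -- so the same token cannot be replayed from another process.
    DELETE FROM app_sec.app_login_tokens
     WHERE token = p_token
       AND expires_at > SYSDATE
    RETURNING app_user INTO l_user;

    IF SQL%ROWCOUNT = 1 THEN
      DBMS_SESSION.SET_CONTEXT('app_ctx', 'app_user',   l_user);
      DBMS_SESSION.SET_CONTEXT('app_ctx', 'auth_level', 'VERIFIED');
    ELSE
      RAISE_APPLICATION_ERROR(-20001, 'Application sign-in not verified');
    END IF;
  END establish;
END ctx_pkg;
/

-- 3. The only code path that can enable the role. Invoker's rights so the
--    role is enabled in the calling user's session.
CREATE OR REPLACE PACKAGE app_sec.role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_reports;
END role_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_sec.role_pkg AS
  PROCEDURE enable_reports IS
  BEGIN
    -- Combine the context check with the IP and proxy-user checks from the
    -- original example. SYS_CONTEXT returns NULL for an attribute that was
    -- never set, so an unverified session fails the first test.
    IF SYS_CONTEXT('app_ctx', 'auth_level') = 'VERIFIED'
       AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') LIKE '10.0.0.%'   -- hypothetical app-server subnet
       AND SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APP_PROXY'    -- hypothetical proxy account
    THEN
      DBMS_SESSION.SET_ROLE('app_reports_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20002, 'Role not authorized for this session');
    END IF;
  END enable_reports;
END role_pkg;
/

-- 4. Tie the role to the package and grant it. It must not be a default
--    role: the package above is the only way it gets enabled.
CREATE ROLE app_reports_role IDENTIFIED USING app_sec.role_pkg;
GRANT SELECT ON hr.report_view TO app_reports_role;   -- hypothetical object
GRANT app_reports_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_reports_role;
GRANT EXECUTE ON app_sec.ctx_pkg  TO app_user;
GRANT EXECUTE ON app_sec.role_pkg TO app_user;

-- 5. What the middle tier runs at the start of each session, in this order:
--    EXEC app_sec.ctx_pkg.establish(:token);
--    EXEC app_sec.role_pkg.enable_reports;
```

Two points worth noting when adapting this: the token is only as good as the sign-in that produced it, so the middle tier has to write it only after verifying the user's credentials; and DBMS_SESSION.SET_ROLE behaves like the SET ROLE statement, replacing the session's enabled roles with the one named, so any other roles the session needs have to be listed in the same call.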