
Re: Protecting Packages in PL/SQL Cartridge (OWAS 3.0)

From: Thomas Kyte <tkyte_at_us.oracle.com>
Date: Thu, 23 Jul 1998 20:41:20 GMT
Message-ID: <35b99e73.30134400@192.86.155.100>


A copy of this was sent to Harinder Singh <Harinder.Singh_at_blr.sni.de> (if that email address didn't require changing)

On Thu, 23 Jul 1998 13:35:24 +0530, you wrote:

>Hi Everybody,
>
>I have written a web application using PL/SQL Cartridge on OWAS 3.0. The
>application consists of several packages.
>
>The PL/SQL Cartridge enables a client to enter a URL that directly
>specifies a PL/SQL procedure to be executed by the Oracle Server. I want
>to protect the packages so that the only procedures that should be made
>available in this fashion is the one which is the entry point into the
>application.
>
>OWAS online documentation states that :
>
>The PL/SQL Cartridge lets you enforce this by protecting packages. A
>protected package can only be executed by another stored procedure, not
>directly by a URL. By default, all the OWA utilities provided with the
>Web Application Server are protected. Other packages are by default
>unprotected. To override the default, use the PL/SQL Cartridge
>configuration section of the Web Application Server Manager to change
>the package_protect parameter. A value of TRUE means the package can be
>executed from a browser.
>

the protect_owa_package is only for the OWA packages... Can't use it for yours. There are a couple of good ways to do what you want tho...

1) the best (IMHO) is to use >1 schema. Put all of the application logic into USER1. Create a single package in USER1's schema that has all of the publicly accessible procedures in it (the body of this one package might just have all of the procedures call procedures in other packages or you might implement all of the publicly accessible procedures in one package). Grant execute on this one package of procedures to USER2. Create your DAD and point it to USER2, not USER1. USER2 needs only the privileges:

  - create session
  - execute on user1.package

that way, the DAD can only access that one single package (and all PUBLIC packages)....

2) only code procedures when you want to call them from the web, make EVERYTHING else you don't want called from the web a function. Functions cannot be called from a URL using the pl/sql cartridge....

3) use virtual paths to protect packages and/or procedures you don't want to be executed from the web. For example, create a user/password and realm, then, if you don't want anything in pkg1 to be executed and feel that pkg2.some_procedure shouldn't be executed, protect the virtual paths:

/your-plsql-agent/plsql/pkg1.*
/your-plsql-agent/plsql/pkg2.some_procedure

that way, people get asked for username/passwords (which they won't have cause you won't give them out...) if they attempt to run anything else...

>I tried with the value of package_protect parameter set to both TRUE &
>FALSE, but my packages were not protected and I could invoke them
>specifying a URL in the browser.
>
>Has anybody tried protecting packages or knows where I could get more
>information. Please let me know.
>
>Thanks in advance.
>
>Harinder
 

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government
Herndon VA  

http://govt.us.oracle.com/ -- downloadable utilities  



Opinions are mine and do not necessarily reflect those of Oracle Corporation  

Anti-Anti Spam Msg: if you want an answer emailed to you, you have to make it easy to get email to you. Any bounced email will be treated the same way i treat SPAM-- I delete it.

Received on Thu Jul 23 1998 - 15:41:20 CDT
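
The two-schema layout from option 1 of the reply, written out as a SQL*Plus script with an audit step. This is an added example, not part of the original post. It assumes USER1 already exists and that the script is run from a DBA account; the names web_api, orders_pkg, show_order and the password are hypothetical placeholders.

```sql
-- Added example: placeholder names throughout (web_api, orders_pkg, password).
-- Assumes USER1 exists and the script runs from a DBA account.

-- USER2 is the low-privilege account the DAD connects as.
CREATE USER user2 IDENTIFIED BY "placeholder_password";
GRANT CREATE SESSION TO user2;

-- Internal application logic in USER1. Nothing on it is granted to USER2.
CREATE OR REPLACE PACKAGE user1.orders_pkg AS
  PROCEDURE render(p_order_id IN NUMBER);
END orders_pkg;
/
CREATE OR REPLACE PACKAGE BODY user1.orders_pkg AS
  PROCEDURE render(p_order_id IN NUMBER) IS
  BEGIN
    htp.p('Order ' || TO_CHAR(p_order_id));
  END render;
END orders_pkg;
/

-- The single package holding every web-callable procedure.
CREATE OR REPLACE PACKAGE user1.web_api AS
  PROCEDURE show_order(p_order_id IN NUMBER);
END web_api;
/
CREATE OR REPLACE PACKAGE BODY user1.web_api AS
  PROCEDURE show_order(p_order_id IN NUMBER) IS
  BEGIN
    -- Delegates to the internal package inside USER1's schema.
    orders_pkg.render(p_order_id);
  END show_order;
END web_api;
/
GRANT EXECUTE ON user1.web_api TO user2;

-- Audit: USER2 should show CREATE SESSION, no roles, and one EXECUTE grant.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'USER2';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'USER2';
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'USER2';

-- The DAD can also reach anything executable by PUBLIC, so review that list.
SELECT owner, table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
 ORDER BY owner, table_name;
```

Any extra row in the first three audit queries is a grant beyond the two privileges the reply lists for USER2.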
