
Re: Security Question-Reposted

From: Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk>
Date: Tue, 23 Nov 1999 08:51:09 -0000
Message-ID: <943347515.24183.0.nnrp-07.9e984b29@news.demon.co.uk>

There is an option in OCI in 8.1, although the documentation is far from complete.

You can:

    alter user {user id} grant connect through {proxy id} with role {list of roles}

This means that your OCI application can connect to the database using a hard-coded user id / password (the proxy id) which has no privileges other than a basic CREATE SESSION, but be allowed through to act as another ID without supplying that ID's password.

In this way, you can change the real password as often as you like. The system can only be subverted by someone who finds the proxy id and password from the executable, and then writes their own OCI program.

--

Jonathan Lewis
Yet another Oracle-related web site: http://www.jlcomp.demon.co.uk

Keith Boulton wrote in message
<38397417.5418001_at_read.news.globalnet.co.uk>...
>On Sun, 21 Nov 1999 16:00:00 +0530, Anurag Minocha
><anurag_at_synergy-infotech.com> wrote:
>
>>> The application always connects to the same user/schema eg: r2 . I want
>>> that users should not be able to connect to r2 schema in any way other
>>> than our application even though they know the password. i.e I want to
>>> prevent access from sql*plus, crystal reports, etc etc.
>
>You cannot. What is sometimes done to reduce the risk of problems is
>to grant access to a non-default database role with a password so that
>the role is enabled by your application e.g.:
Received on Tue Nov 23 1999 - 02:51:09 CST
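
The proxy arrangement described in the message above, written out as an added example that is not part of the original post. It assumes an Oracle release in which `GRANT CONNECT THROUGH`, the `PROXY_USERS` view and the `PROXY_USER` session attribute are documented; `app_proxy` and `r2_app_role` are constructed names, `r2` is the schema from the question, and values in angle brackets are placeholders.

```sql
-- 1. The proxy id: an account that can log on and do nothing else.
--    Its password is the one embedded in the application.
CREATE USER app_proxy IDENTIFIED BY "<proxy-password>";
GRANT CREATE SESSION TO app_proxy;

-- 2. Let APP_PROXY open sessions as R2 without R2's password.
--    Assumes R2 has already been granted the role R2_APP_ROLE;
--    only that role is enabled in a proxied session.
ALTER USER r2 GRANT CONNECT THROUGH app_proxy WITH ROLE r2_app_role;

-- 3. R2's own password can now be rotated freely; the application
--    never presents it, so nothing has to be redeployed.
ALTER USER r2 IDENTIFIED BY "<new-r2-password>";

-- 4. Review which accounts may be reached through which proxy.
--    Run as a DBA; an unexpected row is a path into CLIENT that
--    bypasses CLIENT's password.
SELECT proxy, client
  FROM proxy_users
 ORDER BY proxy, client;

-- 5. From inside a session, show whether it arrived through a proxy.
--    PROXY_USER is NULL for a direct logon, so a logon trigger or an
--    audit query can tell proxied sessions from direct ones.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS effective_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
  FROM dual;

-- 6. Withdraw the arrangement, for example after the proxy
--    credentials have been exposed.
ALTER USER r2 REVOKE CONNECT THROUGH app_proxy;
```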
