Re: Authentication without logging in?

"fabio" <faneas_at_gmail.com> wrote in message news:1160172893.910073.113370_at_e3g2000cwe.googlegroups.com...
> Hi folks,
> I've been told that it is possible to authenticate an Oracle User using
> another session. To cut a very long story short, please have a look at
> the case bellow:
>
> User A (actually, a middleware) is logged in, and wants to execute a
> function such as DBMS_SOMETHING.AUTHENTICATE_USER ('USER_B', 'USER_B''S
> PASSWORD')
>
> The function would return true if USER_B exists in the database and the
> password is correct.
>
>>From what I know, the only way to achieve this by connecting. Can you
> refer some doc showing this is NOT possible (well, maybe I'm wrong and
> there is a way) so I can rest in peace?
>
> Thanks,
> Fabio
>

The feature you've heard about is proxy authentication - but dpesn't sound like the thing you want.

The implementation is based on the command:

alter user end_user
grant connect through app_user
;

This allows your middleware to run as a 'trusted' user against the database and then create sessions running under the end-user's schema without knowing the enduser' s password. The idea is that the end-user should identify to the middleware using an enterprise-wide method, rather than supplying their database password.

In 8i, this bit of the middleware had to be written in OCI, but from 9i you could use Java. Interestingly in 10g the app_user can do the following from SQL*Plus (the square brackets are necessary)

sqlplus app_user[end_user]/app_pw

This connects the app_user to the database, identifying them through the app_user password (app_pw), but the session runs as if end_user has connected to the database directly. Very useful for testing problems with FGAC/RLS/VPD

-- 
Regards

Jonathan Lewis

Author: Cost Based Oracle: Fundamentals
http://www.jlcomp.demon.co.uk/cbo_book/ind_book.html

The Co-operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html