proxy authentication and passwords
All,
we have the standard
web client<==>app server<==>db
arrangement.
We're using fgac (or vdb if you like) to control what data is visible based on who the oracle user is. The end users are created like this:
15:53:47 system SQL> CREATE USER jblow
15:54:34 2 IDENTIFIED BY unknownpassword
15:54:57 3 DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp
15:55:15 4 /
User created.
15:55:17 system SQL> GRANT CREATE SESSION TO jblow;
Grant succeeded.
15:56:12 system SQL> ALTER USER jblow
15:58:51 2 GRANT CONNECT THROUGH midtierappuser
15:59:05 3 /
User altered.
That all works fine.
The app is in Java; the db is 10.2.0.2.
My question/comment/concern:
Since jblow's account is proxied through midtierappuser, jblow's
actual Oracle password is irrelevant.
Basically, it seems that anybody can log in under whatever id they want, they just need to know the username.
We could prevent this situation by asking jblow to provide a password which we validate somehow before passing the connection request off to midtierappuser. But surely there's a better solution than that...
I've read the asktom posts:
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:13269994929803
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:940263688159
but they don't really address the issue.
Thanks for whatever help you might offer.
Regards,
Chas.
Received on Thu Feb 22 2007 - 15:20:34 CST
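The grant from the post beside a stricter form, as an added example that is not part of the original post: the `AUTHENTICATION REQUIRED` clause of the proxy grant makes midtierappuser present jblow's own password when it opens the proxied session, and the `PROXY_USERS` view shows which grants still lack it. The role name `app_read_role` is hypothetical and is assumed to be already granted to jblow.

```sql
-- Added example. User names are the ones from the post;
-- app_read_role is a hypothetical role assumed to be granted to jblow.

-- Grant as posted: midtierappuser can open a session as jblow with the
-- username alone, so jblow's database password is never checked.
ALTER USER jblow GRANT CONNECT THROUGH midtierappuser;

-- Stricter grant: the proxy must also supply jblow's password when it
-- opens the proxied session, and only the named role is enabled in it.
ALTER USER jblow REVOKE CONNECT THROUGH midtierappuser;
ALTER USER jblow
  GRANT CONNECT THROUGH midtierappuser
  WITH ROLE app_read_role
  AUTHENTICATION REQUIRED;

-- Review check: list proxy grants that still skip client authentication.
SELECT proxy, client, authentication, flags
  FROM proxy_users
 WHERE authentication = 'NO'
 ORDER BY proxy, client;

-- Inside a proxied session: which user the session runs as, and which
-- account proxied it (PROXY_USER is NULL for a direct login).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS db_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxied_by
  FROM dual;
```

With the stricter grant the application still has to collect the end user's password, but the database verifies it rather than the middle tier.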