Newsgroup: c.d.o.server
Subject: proxy authentication and passwords
All,
we have the standard
web client<==>app server<==>db
arrangement.
We're using fgac (or vdb if you like) to control what data is visible based on who the oracle user is. The end users are created like this:
15:53:47 system SQL> CREATE USER jblow
15:54:34   2  IDENTIFIED BY unknownpassword
15:54:57   3  DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp
15:55:15   4  /

User created.

15:55:17 system SQL> GRANT CREATE SESSION TO jblow;

Grant succeeded.

15:56:12 system SQL> ALTER USER jblow
15:58:51   2  GRANT CONNECT THROUGH midtierappuser
15:59:05   3  /

User altered.
That all works fine.
The app is in Java; the db is 10.2.0.2.
My question/comment/concern:
Since jblow's account is proxied through midtierappuser, jblow's actual oracle password is irrelevant.
Basically, it seems that anybody can log in under whatever id they want, they just need to know the username.
We could prevent this situation by asking jblow to provide a password which we validate somehow before passing the connection request off to midtierappuser. But surely there's a better solution than that...
I've read the asktom posts:
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:13269994929803
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:940263688159
but they don't really address the issue.
Thanks for whatever help you might offer.
Regards,
Chas.
Received on Thu Feb 22 2007 - 15:20:34 CST
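An added example, not from the original post, of how the proxy grant above can be tightened on the database side using Oracle 10g syntax: the grant as posted, which lets the proxy open a session as jblow without any credential for jblow, beside the same grant with AUTHENTICATED USING PASSWORD, followed by a data-dictionary check and an audit statement. The user and proxy names are the post's own; the role name app_role is a constructed placeholder.

```sql
-- As posted: midtierappuser may connect as jblow with no proof of jblow's identity,
-- so anyone who can reach the proxy account and knows a username can act as that user.
ALTER USER jblow GRANT CONNECT THROUGH midtierappuser;

-- Hardened (10g syntax): the proxy must present jblow's own password when it
-- opens the proxy session, so the username alone is no longer sufficient.
ALTER USER jblow GRANT CONNECT THROUGH midtierappuser
  AUTHENTICATED USING PASSWORD;

-- Optionally restrict the proxied session to a single application role
-- (app_role is a constructed placeholder; it must already exist).
ALTER USER jblow GRANT CONNECT THROUGH midtierappuser
  WITH ROLE app_role
  AUTHENTICATED USING PASSWORD;

-- Verify the setting: AUTHENTICATION should read 'YES' for this proxy/client pair.
SELECT proxy, client, authentication, role
  FROM dba_proxies
 WHERE client = 'JBLOW';

-- Record every proxied logon as jblow, so impersonation through the
-- mid-tier account shows up in the session audit trail.
AUDIT CREATE SESSION BY midtierappuser ON BEHALF OF jblow;

-- To withdraw proxy access entirely:
-- ALTER USER jblow REVOKE CONNECT THROUGH midtierappuser;
```

With AUTHENTICATED USING PASSWORD in place, the Java tier must pass the end user's password in the proxy-session properties (OracleConnection.PROXY_USER_PASSWORD alongside PROXY_USER_NAME in openProxySession), which is where the validation the poster describes belongs. The audit rows appear in DBA_AUDIT_SESSION only when the AUDIT_TRAIL initialization parameter is enabled.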