Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: proxy authentication and passwords

From: foothillbiker <foothillbiker_at_gmail.com>
Date: 22 Feb 2007 16:05:11 -0800
Message-ID: <1172189111.328364.217200@a75g2000cwd.googlegroups.com>


On Feb 22, 1:32 pm, "Valentin Minzatu" <valentinminz..._at_yahoo.com> wrote:
> On Feb 22, 4:20 pm, "foothillbiker" <foothillbi..._at_gmail.com> wrote:
>
> > All,
>
> > we have the standard
> > web client<==>app server<==>db
> > arrangement.
>
> > We're using fgac (or vdb if you like) to control what data is visible
> > based on who the oracle user is. The end users are created like this:
>
> > 15:53:47 system SQL> CREATE USER jblow
> > 15:54:34 2 IDENTIFIED BY unknownpassword
> > 15:54:57 3 DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp
> > 15:55:15 4 /
>
> > User created.
>
> > 15:55:17 system SQL> GRANT CREATE SESSION TO jblow;
>
> > Grant succeeded.
>
> > 15:56:12 system SQL> ALTER USER jblow
> > 15:58:51 2 GRANT CONNECT THROUGH midtierappuser
> > 15:59:05 3 /
>
> > User altered.
>
> > That all works fine.
>
> > The app is in Java; the DB is 10.2.0.2.
>
> > My question/comment/concern:
> > Since jblow's account is proxied through midtierappuser, jblow's
> > actual oracle password is irrelevant.
>
> > *** THE ISSUE: what's to stop
> > jblow
> > from logging in as
> > dman
> > and getting all the priv's of the dman's account?
>
> > Basically, it seems that anybody can log in under whatever id they
> > want, they just need to know the username.
>
> > We could prevent this situation by asking jblow to provide a password
> > which we validate somehow before passing the connection request off to
> > midtierappuser. But surely there's a better solution that that...
>
> > I've read the asktom posts:
> > http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1...
> > http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:9...
> > but they don't really address the issue.
>
> > Thanks for whatever help you might offer.
>
> > Regards,
> > Chas.
>
> I hope I understood the questions properly.
>
> Authorization: at the VPD/FGAC level you can handle not only user
> session related constraints, but also context related ones. So, let's
> say you can ask the middle tier to pass in, for each real (physical)
> client, their identity; you can base VPD/FGAC rules on that criterion
> and not allow anybody to "see" more data than they are entitled to.
>
> For the authentication part, you could pretty much use what you like
> as long as nobody gets access to the rest of the data until they have
> passed through FGAC filters.

Valentin/All,

VPD/FGAC works fine -- no issues there.

The issue is that since the proxy authentication goes through midtierappuser (an Oracle user account which logs in when the appserver starts), end user passwords are irrelevant, and (AFAICT) there is nothing stopping UserA from logging in to the application as UserB.

UserA just has to know the username of UserB.

If it matters, we're using jdbc thin drivers, and a product called "Hibernate" for the app.

Thanks.

Regards,
Chas.

Received on Thu Feb 22 2007 - 18:05:11 CST
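For reference, here is the same proxy grant as posted above next to the hardened form that Oracle 10.2 supports, followed by the checks a DBA would run to confirm the configuration. This is an added example, not code from the thread; it reuses the post's own names (jblow, midtierappuser) and assumes the application actually collects the end user's password at login and hands it to the database when it opens the proxy session (in the JDBC thin driver, via the PROXY_USER_NAME and PROXY_USER_PASSWORD properties of openProxySession). The role name app_user_role is an assumption.

```sql
-- Added example (not from the thread). Oracle 10.2 syntax.
-- Names: jblow and midtierappuser are from the post; app_user_role is assumed.

-- As posted: any session owned by midtierappuser may become jblow without
-- presenting jblow's credentials. Knowing the username is enough, which is
-- exactly the UserA-logs-in-as-UserB concern raised in the thread.
ALTER USER jblow GRANT CONNECT THROUGH midtierappuser;

-- Hardened: the proxy may open a session as jblow only if it also supplies
-- jblow's password, and the proxied session receives only the listed role
-- (WITH ROLE) instead of every role jblow holds.
-- AUTHENTICATED USING PASSWORD is the 10g form; later releases replace it
-- with AUTHENTICATION REQUIRED.
ALTER USER jblow
  GRANT CONNECT THROUGH midtierappuser
  WITH ROLE app_user_role
  AUTHENTICATED USING PASSWORD;

-- Check: which clients each proxy may impersonate, and whether the proxy
-- must authenticate the client (AUTHENTICATION = 'YES').
SELECT proxy, client, authentication, authorization_constraint, role
  FROM dba_proxies
 ORDER BY proxy, client;

-- Check inside a proxied session: SESSION_USER is the real end user (jblow),
-- PROXY_USER is midtierappuser. VPD/FGAC predicates should key on
-- SESSION_USER and may also insist that PROXY_USER is the approved app account.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS real_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS via_proxy
  FROM dual;

-- Audit every proxied login so an impersonation attempt leaves a trail.
AUDIT CREATE SESSION BY midtierappuser ON BEHALF OF ANY;
```

With AUTHENTICATED USING PASSWORD in place, the "validate somehow before passing the connection request off" step Chas describes is enforced by the database rather than by application code: a proxy session for jblow cannot be opened without jblow's password, so a compromised or careless mid-tier cannot turn a known username into a session on its own. The DBA_PROXIES query is the quick way to spot any client row still showing AUTHENTICATION = 'NO'.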
