Re: Validating alternative username/password on Oracle DB
Date: 28 Oct 1999 17:06:11 -0400
Message-ID: <uln8n19h8.fsf_at_us.oracle.com>
"Mike Jones" <Mike_at_mikejones.fsnet.co.uk> writes:
> I'm currently working on a project to connect an Oracle DB to an Intranet.
>
> The intranet server connects in via an ODBC DSN and so has a username and
> password specified for it. However anyone accessing the page should have a
> normal Oracle log in to the DB and I need to validate this so that the web
> page can decide what info to give the user.
>
> Due to the newness of all this (I've never done web based stuff before) we
> are trying to limit the web page to only issuing SELECT statements.
>
> As such I was going to create a stored function that took in a
> username/password and returned true or false depending on whether that was
> allowed. This seems sensible to me.
>
> However, although I can get the encrypted password from DBA_USERS I don't
> know how I can encrypt the password given to check against the one in
> DBA_USERS. I thought I might be able to create a new user with the same
> password given and then check it that way, but Oracle seems to use the
> username in the encryption algorithm and so I'm stuffed there too.
>
> Can anyone help me?
I can try, although since I don't know the version of the database that you're
using, I can only guess.
Rather than using that method, I suggest using a feature in Oracle8i that allows middle-tier servers to authenticate the client and then connect to the database as the client.
A document at http://govt.oracle.com/~tkyte/Misc/OCI-N-Tier.html describes how this is done. Since you want to use the database password to authenticate the user, just supply the client password (usually none needs to be supplied).
If you have any questions, please e-mail me. This feature is not well documented in 8i 8.1.5.
--
Rick

Rick Wessman
Security and Directory Technologies
Server Technologies
Oracle Corporation
rwessman_at_us.oracle.com

The statements and opinions expressed here are my own and do not necessarily represent those of Oracle Corporation.

Received on Thu Oct 28 1999 - 23:06:11 CEST