Re: how to limit sqlldr ?

From: Maxim Demenko <mdemenko_at_gmail.com>
Date: Wed, 13 Apr 2005 22:14:14 +0200
Message-ID: <d3juih$3tp$04$1_at_news.t-online.com>


Stefan wrote:
> ideally you are correct - however, I am hosting an application which
> requires that the application level user have the same username and
> password as the database level user, AND the database level user has to
> have insert/update/delete in order to be able to use the application's
> front end....
> I know it's a horrible design, but that's the way it is....
>
> so the only thing I've been able to think of so far is to create a
> LOGON trigger which kills sessions unless they are made via the
> appropriate client application...
>
> was wondering if there are any other ideas out there...
>

I think your real intention is to restrict the users to do only those things that are allowed in your application forms, but you haven't restricted users to use only application credentials (as they are the same as the database credentials). If I am right in my suggestion, you can't be sure if you restrict the use of SQL*Loader: every intermediate user can in 5 minutes write a script (or a small Java program, if you restrict the use of SQL*Plus) and put all the unwanted SQL into your database that you can hardly imagine. I would consider using an application context in that case (a good starting point could be http://www.oracle.com/technology/tech/windows/wp/Oracle_DB_10g_Security_WP.pdf). For example, if your application runs on a dedicated server and your end users have no access to this machine, you can indeed write a logon trigger that checks the context and then, if the session comes from one certain IP address (that of your appserver; the IP address is not necessary, you can set any attribute in your context for your application server), the needed role should be enabled to allow insert/update etc.; all other IP addresses should provide no permissions for DML, or something like this.
Unfortunately you can not kill a session through a logon trigger; in the worst case, raise an exception, which helps if your end users aren't DBAs...

Nevertheless, Noel's idea (if password = 'TIGER' then password := substr(password,2); end if;) I found really perfect... (I'll try to implement it next week)

Best regards

Maxim
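The "check the context, then enable the DML role only for sessions from the appserver" scheme Maxim sketches, written out as an Oracle secure application role. This is an added example, not code from the thread; the role, package, schema and user names and the appserver address are placeholders, and it assumes the application server is a dedicated host the end users cannot log in from (otherwise a client-side IP check proves nothing).

```sql
-- Added example (not from the original thread). Names and the address are
-- assumptions; adjust to your schema.

-- 1. Put the DML grants on a role that can only be enabled by a package
--    procedure (a "secure application role"). A plain SQL*Plus or SQL*Loader
--    session of app_user then starts with whatever is left: here, SELECT.
CREATE ROLE app_dml IDENTIFIED USING app_sec.enable_app_dml;
GRANT INSERT, UPDATE, DELETE ON app_schema.orders TO app_dml;
GRANT app_dml TO app_user;
-- Make sure it is not enabled automatically at logon.
ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_dml;

-- 2. Invoker's-rights package: enables the role only when the session's
--    client address (as the listener saw it) is the application server.
--    Any other attribute of the session context could be checked the same way.
CREATE OR REPLACE PACKAGE app_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_app_dml;
END app_sec;
/
CREATE OR REPLACE PACKAGE BODY app_sec AS
  -- placeholder: address of the dedicated application server host
  c_appserver_ip CONSTANT VARCHAR2(15) := '10.0.0.5';

  PROCEDURE enable_app_dml IS
  BEGIN
    IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') = c_appserver_ip THEN
      DBMS_SESSION.SET_ROLE('app_dml');
    ELSE
      -- Raising here leaves the session alive but without DML privileges,
      -- which is as far as a trigger or procedure can go.
      RAISE_APPLICATION_ERROR(-20001,
        'DML role is only available through the application server');
    END IF;
  END enable_app_dml;
END app_sec;
/
GRANT EXECUTE ON app_sec TO app_user;

-- 3. The application front end calls this once after connecting; every other
--    client keeps the read-only privileges it had at logon.
BEGIN
  app_sec.enable_app_dml;
END;
/
```

Whether a session got the role can be checked from SESSION_ROLES, which is also a cheap thing to audit for sessions whose MODULE or IP_ADDRESS does not look like the application.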