Re: The Trojan Horse and Client-Server

From: Michael Reviakin <misha_at_percombank.kiev.ua>
Date: 1995/08/09
Message-ID: <AAfECAmyJ8_at_percombank.kiev.ua>#1/1

> Q1: Is there any way I can safely use Novell Netware to safely
> identify my users to Oracle so that they don't have to identify
> themselves twice - once to the network and once to the database?
> Will getting the Netware for Sequent add-on help?

Check "Oracle7 Server for NetWare Installation and User's Guide" Chapter 4, Authomatic Authorisation Accounts, page 4-21, but note that it supported only from DOS and OS/2 clients using SPX/IPX. Using Windows you may start it with /s switch in standatd mode, loading DOS SQLSPX driver, it probably will work.

> Q2: How do I know that a user is running the Oracle Form he is
> supposed to be. For example, I allow a database user to have insert
> permission on a table but I write a Form to verify that the inserts.
> But the user writes and installs his own version of the form without
> the verifications - How will I know?

The simplest way is to use triggers, that verify all modifications made under important table, but sometimes this is not the best choice, mostly of efficiency reasons, and some procedural limitations inherent to triggers.

The general idea of this method is: if you don't beleive user application enough, you should involve safe mediator.

CREATE OR REPLACE PACKAGE BODY guard_context AS important_table_open BOOLEAN DEFAULT FALSE;

  ............................

END guard_context;
//
CREATE OR REPLACE PACKAGE guard_context AS BEGIN
  NULL;
END guard_context;
//
CREATE OR REPLACE TRIGGER important_table_guard   BEFORE DELETE OR UPDATE OR INSERT ON important_table BEGIN
  IF NOT important_table_open THEN
    RAISE_APPLICATION_ERROR(-20000, 'Improper access to important_table')   ENDIF;
END;
//
CREATE OR REPLACE PROCEDURE important_table_insert(...) AS BEGIN

  ............................

  guard_context.important_table_open:=TRUE;   INSERT INTO important_table (...)
  VALUES (...);
  guard_context.important_table_open:=FALSE;

  ............................

EXCEPTIONS

  ............................

WHEN OTHERS THEN
guard_context.important_table_open:=FALSE; END;
//

You may control "guard_context.important_table_open" variable anywhere in your application. This work wery well in single-user applications, in multy-user applications you should improve this approach (for instance use table with single column instead of set of variables of package "guard_context", locking it properly you will be quite safe).

> [Q2 is like the Trojan Horse problem except, because you are in a client-
> server environment, you do not even have to wheel the horse inside the
> gates of your City for it to cause harm!]

If you need Horses in your City, keep all doors inside closed, and let your people have keys.

Regards,

Michael Reviakin Received on Wed Aug 09 1995 - 00:00:00 CEST

This message: [ Message body ]
Next message: Robert Manieri: "Re: Data warehousing products"
Previous message: Chetan Jujuneja: "Re: HELP - How to use widgets in Forms 4.5"
In reply to: Paul Beardsell: "The Trojan Horse and Client-Server"
In reply to Michel Lalonde: "Re: The Trojan Horse and Client-Server"
Next in thread: Robert Manieri: "Re: Data warehousing products"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message