Re: Web Oracle Security

From: David-Michael Lincke <dlincke_at_bandon.unisg.ch>
Date: 1996/07/27
Message-ID: <1996Jul27.174219.4596_at_sgcl1.unisg.ch>#1/1


Walker Archer (walker_at_rust.net) wrote:
: I'm trying to secure a web application with an Oracle back-end. I'd
: like to use Oracle security but cannot find a secure way to have the
: user input name and password at the web level and transport it to the
: Oracle server.

There is an encrypting version of SQL*Net available from Oracle that will give you security between your web server and the database. For security between the web server and the user's browser, SSL might be the best option.

: Is there some way to do this without using hidden form fields?

You might want to elaborate on this a little. You definitely don't need hidden fields just to transport data securely through to Oracle. Are you trying to maintain state throughout a user session? If that's the case and you are having users input usernames and passwords first anyway, then you can secure the relevant directory subtree by using the HTTP basic authentication mechanism. You will then get username and password information on every subsequent request in environment variables. Most state-of-the-art web servers implement this through NDBM persistent hash tables nowadays. But some extensible servers that feature an API will allow you to use whatever you want as a source of authorization data. I just recently wrote an NSAPI module which does authentication via Oracle.

dave

-- 
David-Michael Lincke
Research Assistant
Institute for Information Management IWI-HSG, University of St. Gallen
EMail:	David-Michael.Lincke_at_iwi.unisg.ch, dlincke_at_sgcl1.unisg.ch
URL:	http://www-iwi.unisg.ch/about/team/dal.html
Received on Sat Jul 27 1996 - 00:00:00 CEST
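
Added example, not part of the original post and not the author's NSAPI module: the server side of the HTTP basic authentication flow discussed above, in Python. It shows that the `Authorization: Basic` value resent on every request is only base64-encoded, which is why the example refuses it outside SSL/TLS. The names `USERS`, `parse_basic`, `authenticate` and `make_header`, the 403 policy and the sample credentials are assumptions made for this example; the in-memory table stands in for the database lookup.

```python
import base64
import hashlib
import hmac

# Constructed credential store standing in for the database lookup;
# the user name, salt and password are sample values, not from the post.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)

USERS = {"walker": _hash("s3cret:with:colons")}

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or not user:
        return None
    return user, password

def authenticate(header, over_tls):
    """Return (status, user). Basic credentials are trivially decodable,
    so this example rejects them unless the request came over SSL/TLS."""
    if not over_tls:
        return 403, None
    creds = parse_basic(header)
    if creds is None:
        return 401, None  # caller answers with a WWW-Authenticate challenge
    user, password = creds
    # Hash even for unknown users so timing does not reveal valid names.
    candidate = _hash(password)
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(candidate, expected):
        return 401, None
    return 200, user

def make_header(user, password):
    # What the browser sends on every request inside the protected realm.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```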
