Re: Web Oracle Security

From: David-Michael Lincke <dlincke_at_bandon.unisg.ch>
Date: 1996/07/30
Message-ID: <1996Jul30.205758.4609_at_sgcl1.unisg.ch>#1/1


Walker Archer (walker_at_rust.net) wrote:
: On 27 Jul 96 17:42:19 MET, dlincke_at_bandon.unisg.ch (David-Michael
: Lincke) wrote:
:
: >If that's the case and
: >you are having users input usernames and passwords first anyway then you
: >can secure the relevant directory subtree by using the http basic
: >authentication mechanism. You will then get username and password
: >information on every subsequent request in environment variables.
: >Most state of the art web servers implement this
: >through NDBM persistent hash tables nowadays. But some extensible servers
: >that feature an API will allow you to use whatever you want as a source of
: >authorization data. I just recently wrote an NSAPI module which does
: >authentication via Oracle.
:
: That's it! On the nose. We are using basic authentication via
: Netscape but want the authentication to come from the Oracle server.
: It's one thing to maintain appropriate authentication ID databases,
: but when you have multiple work groups generating projects off of the
: same data it makes more sense to us to allow the database security to
: do its job. That way users don't have to have half a dozen IDs and
: passwords scattered around on different systems.
:
: So it sounds like you have already addressed this via NSAPI? Is that
: the best way? I had hoped to find a routine already written somewhere
: on the net. I can't believe Oracle wouldn't have something to address
: this.

Well, what my module actually does is use two configurable columns in some table in a configurable user schema as the sources of usernames and passwords against which to validate the information passed to the web server by the web browser via the http basic authentication mechanism. It should be easy to convert the module to validate on real Oracle user information provided this information is accessible in the Oracle data dictionary. The module would then probably have to connect as user system.

dave

-- 
David-Michael Lincke
Research Assistant
Institute for Information Management IWI-HSG, University of St. Gallen
EMail:	David-Michael.Lincke_at_iwi.unisg.ch, dlincke_at_sgcl1.unisg.ch
URL:	http://www-iwi.unisg.ch/about/team/dal.html
Received on Tue Jul 30 1996 - 00:00:00 CEST
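
The validation described in the message above, sketched as an added example; it is not part of the original post and is not the author's NSAPI module. It assumes SQLite as a stand-in for Oracle, hypothetical names (`web_users`, `login`, `pw_hash`), and a password column holding `salt$hash` PBKDF2 values, which the post does not specify.

```python
import base64, binascii, hashlib, hmac, re, sqlite3

# Hypothetical configuration: the table and the two credential columns.
CONFIG = {"table": "web_users", "user_col": "login", "pass_col": "pw_hash"}
# Identifiers cannot be bound as query parameters, so they are allowlisted.
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,29}$")

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep and user else None

def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(conn, header, cfg=CONFIG):
    """Validate Basic credentials against the configured table and columns."""
    for name in cfg.values():
        if not IDENT.match(name):
            raise ValueError("unsafe identifier in configuration: %r" % name)
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    # Only the vetted identifiers are formatted in; the username is bound.
    sql = "SELECT {pass_col} FROM {table} WHERE {user_col} = ?".format(**cfg)
    row = conn.execute(sql, (user,)).fetchone()
    if row is None:
        return False
    salt_hex, _, hash_hex = row[0].partition("$")
    # Constant-time comparison of the derived and stored hashes.
    return hmac.compare_digest(pbkdf2(password, bytes.fromhex(salt_hex)),
                               bytes.fromhex(hash_hex))

def demo_db():
    """Constructed sample data: one user, 'alice' / 's3cret:pw'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_users (login TEXT PRIMARY KEY, pw_hash TEXT)")
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    stored = salt.hex() + "$" + pbkdf2("s3cret:pw", salt).hex()
    conn.execute("INSERT INTO web_users VALUES (?, ?)", ("alice", stored))
    return conn
```

Basic authentication resends the credentials, only base64-encoded, on every request, so a check like this belongs behind TLS.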
