Re: Newbie - Help with Security

David

It really depends on what you are using for your JDBC driver. Very often, it's a JDBC-ODBC bridge so you can use the functionality of the ODBC driver. There is no real security module in the ODBC standard for security of this type, however, some ODBC-driver vendors (including us) have implemented some additional security in response to customer demand. Our JDBC driver (using technology available in the host-side component) will allow you to restrict access to only the calling application name (among other characteristics). Take a look at http://www.sco.com/support/ciservices/sqlr/docs/secman.html. Our Security Manager resides on UNIX, so is applicable to Windows-UNIX as JDBC-UNIX. It is also possible to tie the user being used to connect to the UNIX box to the Oracle login (e.g. Oracle's OPS$USER or 'identified by system').

OTOH, you haven't said where your Oracle RDBMS is, so if it's not UNIX, this is all irrelevant!

Allan Gould
(allang at sco dot com)
(Please remove anti-spam measures if replying) SCO SQL-Retriever: http://www.sco.com/vision/products/sqlretriever/

David Bye wrote:
>
> We are developing a Java application using JDBC to ORACLE. The client
> is WinNT.
>
> We need to secure the database so the user cannot use an ODBC connection
> to connect to the database. (i.e. The only way to access the information
> is through the application).
>
> The current situation requires the user to provide logon details (userid
> and password) for the connection. This exposes the above possibility.
>
> The security department are against having a hardcoded connection (ie.
> program supplies hardcoded userid and password.)
>
> Is there a standard technique used in this environment to provide the
> above ? Anywhere I can read up on this ?
>
> Is there a mechanism to tie the WinNT logon to the Oracle connection ?
> Without buying single signon products ?
>
> Thanks
>
> David Bye
Received on Fri Jan 15 1999 - 06:27:43 CST