Oracle FAQ | Your Portal to the Oracle Knowledge Grid
c.d.o.server: Re: File upload using custom authentication
I would be very interested to see how you were able to secure the uploading when using DAD with credentials (I take that as meaning that a username and password are saved in the DAD and security is done on the application level).
The issue with enabling uploading using this method is that because everyone can connect to the database (because of the way the DAD is set up), anyone who knows the URL of the upload procedure can insert anything into the document table.
This is because of the way the upload works. First, the user submits the file through an HTML form. If the user is able to connect and if the target procedure is valid, then the database automatically inserts the file into the document table. Lastly, the database calls the target procedure, passing along the name of the uploaded file.
Here is where the problem with custom authentication lies. Since the upload procedure is called after the insert takes place, there is no way to block the file from being saved. I've even tried to put a trigger on the table to block any unauthorized users from inserting, but raising an error within the trigger does not roll back the insert into the document table.
"Mark C. Stock" <mcstockX_at_Xenquery .com> wrote in message news:<IcydnYp6Q_4zmQHcRVn-rA_at_comcast.com>...
> "Tommy C." <tommyc77_at_gmail.com> wrote in message
> news:b54cdaf6.0411171435.1ea4210b_at_posting.google.com...
> | Hi,
> |
> | When using the steps outlined in "Oracle 9i Application Server Using
> | the PL/SQL Gateway" to enable file uploads/downloads, it seems that
> | the only way to secure the upload ability is to verify the user's
> | Oracle ID and password (ie make sure they are valid database users by
> | leaving the username and password entries blank in the DAD).
> |
> | This doesn't work for my purposes since our system uses custom
> | authentication/security and, therefore, our users don't all have
> | Oracle accounts.
> |
> | I would like to ensure that only users that have passed our custom
> | authentication/security checks have access to the DAD that provides
> | the file upload/download ability.
> |
> | One possibility I can see involves the following steps :
> | 1) create the file upload DAD using database authentication
> | 2) create a new user/password for accessing the new DAD
> | 3) redirect authenticated users from our public DAD to the file upload
> | DAD using the newly created user/password
> |
> | The problems I'm having are that I don't know how to redirect/log them
> | in transparently and I don't want the users to know the
> | username/password that is being used to login to the file upload DAD.
> |
> | Is there a way to do this securely? Are there any other ways to do
> | this apart from using iFS (which is beyond our needs for the moment)?
> |
> | Thanks, TC
>
> tommy,
>
> I don't have time for a detailed reply now, but this sounds like exactly
> what we did on my last project -- DAD with credentials, custom
> authentication, only authorized users could upload -- might not be till next
> week that I can take a look at the details, but I think custom auth should
> give you exactly what you're asking for
>
> ++ mcs
Received on Mon Nov 22 2004 - 09:54:39 CST
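One compensating control for the flow described in the reply above, as an added example that is not from the thread: because the gateway inserts the file first and only then calls the target procedure with the uploaded file's name, the target procedure itself can verify the application's own session and remove the row when that check fails. The document table name `my_documents`, its `name` column, and the `custom_auth.is_authenticated` function are assumptions.

```plsql
-- Added example, not from the thread. Assumes a document table named
-- my_documents with a NAME column holding the uploaded file name, and a
-- custom_auth.is_authenticated function that validates the application's
-- own session (for example a cookie) and returns BOOLEAN. Both names are
-- assumptions standing in for whatever the real application uses.
CREATE OR REPLACE PROCEDURE upload_done (p_filename IN VARCHAR2) AS
BEGIN
  -- By the time this procedure runs the gateway has already inserted the
  -- file, so this check is a compensating control rather than a gate.
  IF NOT custom_auth.is_authenticated THEN
    -- Remove the row the gateway just created for this request and
    -- make the removal durable before answering the caller.
    DELETE FROM my_documents WHERE name = p_filename;
    COMMIT;
    htp.p('Not authorized');
    RETURN;
  END IF;

  -- Authenticated caller: keep the row and acknowledge the upload.
  htp.p('Upload complete');
END upload_done;
/
```

An unauthenticated caller can still reach the database and occupy the table for the moment between the insert and the delete, so this limits what is retained rather than what is attempted; size limits on the DAD and monitoring of the document table cover the rest.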