Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Application authorization for a database user

From: <krichine_at_juno.com>
Date: 23 Mar 2006 20:24:32 -0800
Message-ID: <1143174272.510531.99040@j33g2000cwa.googlegroups.com>


You cannot disable local connectivity. If someone is already on your database server, they can always use sqlplus or another client to fake out whatever application name you are expecting and connect to the database (assuming they would otherwise be able to connect to the database were it not for your access control).

You can control remote connectivity by firewalling your database server and restricting access to it only by your application server. Effectively, you will build a fence around your database server with the only entrance left through your application server.

You should not base your security on the assumption that users will not figure out the checking algorithm you use or the text you are expecting to see in their environment (or any other parameter that can be easily faked out by the client).

Received on Thu Mar 23 2006 - 22:24:32 CST
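The fence around the database server described in the post, as an added example that is not part of the original message: a shell function that prints the iptables commands admitting only the application server to the listener port. It assumes a Linux database host using iptables, a listener on TCP 1521, and an application server at 192.0.2.10 (a constructed documentation address); the function and chain names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the iptables commands
# that fence the database listener so only the application server reaches it.
# Assumed: Linux host, listener on TCP 1521, app server 192.0.2.10 (constructed).

valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

db_fence_rules() {
    app_ip=$1
    port=${2:-1521}
    # Reject malformed input rather than emit a rule that is open or broken.
    valid_ipv4 "$app_ip" || { echo "bad app server address" >&2; return 1; }
    valid_port "$port"   || { echo "bad listener port" >&2; return 1; }
    # Loopback stays open: the fence governs remote connectivity only, so
    # users already on the database host are unaffected by it.
    # The INPUT jump is emitted last so the chain is complete before use.
    cat <<EOF
iptables -N DBLISTENER
iptables -A DBLISTENER -i lo -j ACCEPT
iptables -A DBLISTENER -s $app_ip/32 -j ACCEPT
iptables -A DBLISTENER -m limit --limit 6/min -j LOG --log-prefix "db-listener-denied: "
iptables -A DBLISTENER -j DROP
iptables -I INPUT -p tcp --dport $port -j DBLISTENER
EOF
}

# Print the rules for review; apply them as root only after checking them.
db_fence_rules "${1:-192.0.2.10}" "${2:-1521}"
```

The logged denials give a record of hosts other than the application server that try to reach the listener.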
