Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
Security, Policies and Tips - Part 8
Use Proxy Authentication and a Secure Application Role
To enable a role in three-tier systems, the user must
access the database through a middle-tier application that requires proxy
authentication and a secure application role.
Proxy authentication can distinguish between a middle tier
creating a session on behalf of a user, and the user connecting directly. Both the proxy user (the middle-tier user)
and the real user's information are captured in the user session.
Secure application roles are implemented by a package,
which performs the desired validation before allowing a user to assume the
privileges that are granted to the role.
When an application uses proxy authentication, the secure application
role package can validate that the user session was created by proxy before
setting the role. If the user is
connecting directly then the role will not be set.
Let’s say for example that you want to restrict the use of
the Fred_admin role, to users that are accessing the database by proxy through
the middle tier FREDSERVER.
CREATE ROLE fred_admin IDENTIFIED USING fred.padmin;
The package fred.padmin performs the desired validation,
permitting the role (fred_admin) to be set only if the user is connected by
proxy.
Inside the fred.padmin package, you can make use of
SYS_CONTEXT('userenv','proxy_userid') and/or
SYS_CONTEXT('userenv','proxy_user'). In a proxied session these
return the identity of the proxy user, in this case
"FREDSERVER"; in a direct connection they return NULL. If the proxy user
"system context" has the value "FREDSERVER", then you perform the SET ROLE
command for the fred_admin role, otherwise you don't.
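As an added, end-to-end illustration of the setup described above (this is example code, not code from the original post), the following SQL and PL/SQL creates the proxy account, an end user, the fred_admin role and the fred.padmin package, then shows the proxied and the direct connection side by side. The user name ALICE, the procedure name set_admin_role, the passwords and the grant on HR.EMPLOYEES are assumptions made for the example.

```sql
-- Run as a DBA (SYS or SYSTEM). All names and passwords below are assumed.

-- The middle-tier proxy account: it carries no object privileges of its own.
CREATE USER fredserver IDENTIFIED BY "ProxyPwd#1";
GRANT CREATE SESSION TO fredserver;

-- The schema that owns the validation package, and the real end user.
CREATE USER fred IDENTIFIED BY "FredPwd#1";
GRANT CREATE SESSION, CREATE PROCEDURE TO fred;
CREATE USER alice IDENTIFIED BY "AlicePwd#1";
GRANT CREATE SESSION TO alice;

-- Allow the middle tier to open sessions on behalf of ALICE.
ALTER USER alice GRANT CONNECT THROUGH fredserver;

-- The secure application role: it can only be enabled by FRED.PADMIN.
CREATE ROLE fred_admin IDENTIFIED USING fred.padmin;
GRANT SELECT ON hr.employees TO fred_admin;   -- assumed sample-schema table
GRANT fred_admin TO alice;

-- Run as FRED. AUTHID CURRENT_USER is required: SET ROLE must execute with
-- the privileges of the calling session, not those of the package owner.
CREATE OR REPLACE PACKAGE padmin AUTHID CURRENT_USER AS
  PROCEDURE set_admin_role;
END padmin;
/
CREATE OR REPLACE PACKAGE BODY padmin AS
  PROCEDURE set_admin_role IS
    v_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
  BEGIN
    -- PROXY_USER is NULL for a direct connection, so the comparison below
    -- is not TRUE and the role stays disabled. Only an exact match on the
    -- designated middle-tier account enables FRED_ADMIN.
    IF v_proxy = 'FREDSERVER' THEN
      EXECUTE IMMEDIATE 'SET ROLE fred_admin';
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'FRED_ADMIN is only available through the FREDSERVER middle tier');
    END IF;
  END set_admin_role;
END padmin;
/
GRANT EXECUTE ON fred.padmin TO alice;

-- Proxied session (SQL*Plus syntax): FREDSERVER authenticates and the
-- session runs as ALICE, with the proxy recorded in the USERENV context.
-- CONNECT fredserver[alice]/"ProxyPwd#1"
-- SELECT SYS_CONTEXT('USERENV','PROXY_USER') FROM dual;  -- FREDSERVER
-- EXEC fred.padmin.set_admin_role;
-- SELECT role FROM session_roles;                        -- lists FRED_ADMIN

-- Direct session: the same call raises ORA-20001 and the role is never
-- enabled, so none of its privileges are available.
-- CONNECT alice/"AlicePwd#1"
-- SELECT SYS_CONTEXT('USERENV','PROXY_USER') FROM dual;  -- NULL
-- EXEC fred.padmin.set_admin_role;                       -- ORA-20001
-- SELECT role FROM session_roles;                        -- no FRED_ADMIN row
```

Two details matter for this to work as intended: the package must be created with invoker's rights (AUTHID CURRENT_USER), otherwise SET ROLE acts on the wrong session context, and the role must not be enabled by any path other than the package, which is exactly what IDENTIFIED USING enforces. Querying SESSION_ROLES and SYS_CONTEXT('USERENV','PROXY_USER') from each connection is the quickest way to verify the behaviour after deployment.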
The above scenario effectively ensures that if you do not
connect through the designated middle tier server, then you will not be granted
any of the privileges in the fred_admin role, and will effectively have no
access to the data through the application.
You would have effectively prevented a potential security breach.
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com