Oracle® Database JDBC Developer's Guide and Reference 10g Release 1 (10.1) Part Number B10979-01
Middle-tier authentication allows one JDBC connection (session) to act as a proxy for other JDBC connections. An application may need proxy authentication for any of the following reasons:
The middle tier does not know the password of the proxy user. It is sometimes a security concern for the middle tier to know the passwords of all the database users.
This is done by first authenticating using:
alter user jeff grant connect through scott with roles role1, role2;
Having authenticated, your application can connect as "jeff" using the already authenticated credentials of "scott". Although the created session will behave as if "jeff" had connected normally (using "jeff"/"jeff-password"), "jeff" does not have to divulge its password to the middle tier. The proxy session has access to the schema of "jeff" as well as to whatever is granted through the list of roles. Therefore, if "scott" wants "jeff" to access its table EMP, the following code can be used:
create role role1;
grant select on EMP to role1;
The role clause can also be thought of as limiting "jeff's" access to only those database objects of "scott" that are reachable through the roles in the list. The list of roles can be empty.
Accounting purposes. Transactions made via proxy sessions can be better accounted for by proxying the user ("jeff") under different users such as "scott" and "scott2", assuming "scott" and "scott2" are authenticated. Transactions made under these different proxy sessions by "jeff" can then be logged separately.
There are three ways to create proxy sessions in the OCI driver. Roles can be associated with any of the following options:
USER NAME: This is done by supplying the user name and/or the password. The reason the "password" option exists is so that database operations made by the user ("jeff") can be accounted for. The SQL clause is:
alter user jeff grant connect through scott authenticated using password;
Having no authenticated clause implies the default: authenticated using the user name, without requiring the password.
DISTINGUISHED NAME: This is a global name used in lieu of the password of the user being proxied for. So you could say:
create user jeff identified globally as 'CN=jeff,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us';
The string after the "globally as" clause is the distinguished name. It is then necessary to authenticate as:
alter user jeff grant connect through scott authenticated using distinguished name;
CERTIFICATE: This is a more strongly protected (encrypted) way of passing the credentials of the user to be proxied to the database. The certificate contains the encoded distinguished name. One way of generating it is by creating a wallet (using "runutl mkwallet"), then decoding the wallet to get the certificate. It is then necessary to authenticate as:
alter user jeff grant connect through scott authenticated using certificate;
The following code shows the signature of the getProxyConnection() method, with information about how each proxy type is processed:
/*
 * For creating a proxy connection. All macros are defined
 * in OracleOCIConnectionPool.java
 *
 * @param proxyType Can be one of the following types:
 *    PROXYTYPE_USER_NAME - This will be the normal mode of specifying
 *       the user name in proxyUser as in Oracle8i
 *    PROXYTYPE_DISTINGUISHED_NAME - This will specify the distinguished
 *       name of the user in proxyUser
 *    PROXYTYPE_CERTIFICATE - This will specify the proxy certificate
 *
 *    The Properties (i.e. prop) should be set as follows.
 *    If PROXYTYPE_USER_NAME
 *       PROXY_USER_NAME and/or PROXY_USER_PASSWORD, depending on how
 *       the connection-pool owner was authenticated to act as proxy
 *       for this proxy user
 *       PROXY_USER_NAME (String) = user to be proxied for
 *       PROXY_PASSWORD (String) = password of the user to be proxied for
 *    else if PROXYTYPE_DISTINGUISHED_NAME
 *       PROXY_DISTINGUISHED_NAME (String) = (global) distinguished name
 *       of the user to be proxied for
 *    else if PROXYTYPE_CERTIFICATE
 *       PROXY_CERTIFICATE (byte[]) = certificate containing the encoded
 *       distinguished name
 *    PROXY_ROLES (String[]) = set of roles which this proxy connection
 *       can use. Roles can be null, and can be associated with any of
 *       the above proxy methods.
 *
 * @return connection object
 *
 * Notes: The user and password used to create OracleOCIConnectionPool()
 * must be allowed to act as proxy for user 'us'.
 */
public synchronized OracleConnection getProxyConnection(String proxyType, Properties prop)
  throws SQLException
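The user-name proxy type described above, as an added example that is not from the Oracle guide: the middle tier holds only the pool owner's ("scott") password, asks for a proxy session as "jeff" restricted to role1 and role2, and then checks what the database actually sees. The OracleOCIConnectionPool constructor arguments, the JDBC URL and the environment variable are assumptions; the PROXY_* constants and getProxyConnection() are the ones shown above.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleOCIConnectionPool;

public class ProxyConnectionDemo {
    public static void main(String[] args) throws SQLException {
        // The pool owner "scott" is the only account whose password the
        // middle tier holds. "jeff" must already have been granted
        // "connect through scott" in the database (see the ALTER USER above).
        // Constructor signature, URL and env var are assumptions, not from the page.
        OracleOCIConnectionPool pool = new OracleOCIConnectionPool(
            "scott", System.getenv("SCOTT_PASSWORD"),
            "jdbc:oracle:oci:@//db-host:1521/ORCL", null);

        // PROXYTYPE_USER_NAME with no PROXY_PASSWORD: "jeff" is proxied by
        // user name only, which the grant without an "authenticated using"
        // clause permits, so "jeff"'s password never reaches the middle tier.
        Properties prop = new Properties();
        prop.setProperty(OracleOCIConnectionPool.PROXY_USER_NAME, "jeff");
        // Limit the proxy session to the roles named in the grant (String[]).
        prop.put(OracleOCIConnectionPool.PROXY_ROLES,
                 new String[] {"role1", "role2"});

        OracleConnection proxy = pool.getProxyConnection(
            OracleOCIConnectionPool.PROXYTYPE_USER_NAME, prop);
        try {
            // Verify the session identity as the database records it:
            // SESSION_USER should be "jeff" and PROXY_USER "scott". Logging
            // both per transaction gives the separate accounting described above.
            try (Statement st = proxy.createStatement();
                 ResultSet rs = st.executeQuery(
                     "SELECT SYS_CONTEXT('USERENV','SESSION_USER'),"
                     + " SYS_CONTEXT('USERENV','PROXY_USER') FROM DUAL")) {
                rs.next();
                System.out.println("session user=" + rs.getString(1)
                                   + " proxy user=" + rs.getString(2));
            }
        } finally {
            proxy.close();   // returns the proxy session to the pool
        }
        pool.close();
    }
}
```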