| Restricting the user from logging in from SQL*PLUS [message #343850] |
Thu, 28 August 2008 06:07  |
nazbrian
Messages: 36
Registered: July 2008
|
Member |
|
|
Hi,
I have a appliation. I do not have the option to customize the application.
I want to restrict the user from logging in to DB from SQL*PLUS or SQL Developer. But, I want to enable him only from the Application.
How do I acheive this.
Is there any easier way other than Secure Application roles (like trigger...)
Brian.
|
|
|
|
|
|
|
|
|
|
| Re: Restricting the user from logging in from SQL*PLUS [message #344499 is a reply to message #343850] |
Sat, 30 August 2008 01:27  |
nazbrian
Messages: 36
Registered: July 2008
|
Member |
|
|
Hi,
I have created a test for Secure Application Role in
Oracle 9.2.0.7.
My intention is to restrict the user OWB_TARGET from logging in from specific IP through TOAD.
I'm beginner for these Secure Appl Role.
CREATE ROLE sar_role IDENTIFIED USING boidw.login_restrict ;
CREATE OR REPLACE PACKAGE login_restrict AUTHID CURRENT_USER
AS
PROCEDURE set_role;
End;
CREATE OR REPLACE PACKAGE BODY login_restrict
AS
PROCEDURE set_role AS
mod_out VARCHAR2(48);
act_out VARCHAR2(32);
BEGIN
dbms_application_info.read_module(mod_out, act_out);
IF SYS_CONTEXT('USERENV','CURRENT_USER') in ('OWB_TARGET')
and mod_out in ('T.O.A.D.')
and SYS_CONTEXT('USERENV','IP_ADDRESS') = '172.16.6.128'
Then
dbms_session.set_role('sar_role') ;
End If;
END;
END login_restrict;
What is wrong in this code ??
Thanking you in advance,
Brian.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Re: Restricting the user from logging in from SQL*PLUS [message #347399 is a reply to message #343850] |
Thu, 11 September 2008 08:46 |
nazbrian
Messages: 36
Registered: July 2008
|
Member |
|
|
Hi Michel,
Sorry for pasting code from net.
When the user logs into the application, where the control flows in to the code block given below (Assuming the following Roles & packages etc created as given below).
Create the roles as application roles and specify the authorized package that will enable the roles. In this example, hr.hr_admin is the example authorized package.
CREATE ROLE admin_role IDENTIFIED USING hr.hr_admin;
CREATE ROLE staff_role IDENTIFIED USING hr.hr_admin;
Note:
You need to set up the following data structures for the examples in this section to work:
CREATE OR REPLACE PACKAGE hr_logon IS
PROCEDURE hr_set_responsibility;
END;
/
CREATE OR REPLACE PACKAGE BODY hr_logon IS
PROCEDURE hr_set_responsibility IS
BEGIN
DBMS_SESSION.SET_IDENTIFIER (1234);
END;
END;
/
Create an invoker's right procedure.
/* Create a dedicated authentication function for manageability so that changes in authentication policies would not affect the source code of the application - this design is up to the application developers */
/* the only policy in this function is that current user must have been authenticated using the proxy user 'SCOTT' */
CREATE OR REPLACE FUNCTION hr.MySecurityCheck RETURN BOOLEAN
AS
BEGIN
/* a simple check to see if current session is authenticated
by the proxy user 'SCOTT' */
if (sys_context('userenv','proxy_user') = 'SCOTT')
then
return TRUE;
else
return FALSE;
end IF;
END;
GRANT EXECUTE ON hr.MySecurityCheck TO PUBLIC;
/*Create the procedure*/
CREATE OR REPLACE PACKAGE hr_admin
AUTHID CURRENT_USER
IS
PROCEDURE hr_app_report;
END;
/
CREATE OR REPLACE PACKAGE BODY hr_admin IS
PROCEDURE hr_app_report IS
BEGIN
/* set application context in 'responsibility' namespace */
hr_logon.hr_set_responsibility;
/* authentication check here */
if (hr.MySecurityCheck = TRUE)
then
/* check 'responsibility' being set, then enable the roles without
supplying the password */
if (sys_context('hr','role') = 'admin' )
then
dbms_session.set_role('admin_role');
else
dbms_session.set_role('staff_role');
end if;
end if;
END;
END;
Regards,
Brian.
[Updated on: Thu, 11 September 2008 09:12] by Moderator Report message to a moderator |
|
|
|
|
|
|
|
| Re: Restricting the user from logging in from SQL*PLUS [message #348529 is a reply to message #343850] |
Wed, 17 September 2008 02:41 |
nazbrian
Messages: 36
Registered: July 2008
|
Member |
|
|
Hi,
I could not implement Secure Application Role, Basically I did not understand.
I'm Really thankful if anybody gives me a sample code for 9.2.0.7.
For example, user SCOTT should not be allowed to login to SQL Developer rather he should be allowed to login to SQL*Plus.
Thanking you in advance.
Brian.
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
