Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: App/web login - how do you handle?

From: Kevin Lange <kgel_at_ppoone.com>
Date: Wed, 30 May 2001 14:05:37 -0700
Message-ID: <F001.00314906.20010530140706@fatcity.com>

Our method was as follows:

  1. Give each user an ID on the system ... a very limited ID.
  2. The ID would have roles that were given to it but were password protected. This way the user could not log into something like SQL+ and see the tables (it was secured radiation dose level information).
  3. The ID was given only select access to a security table. In this table was all the information as to what security level the user actually had.
  4. Based on this security level, the application would activate the appropriate roles for the user. Once these were activated then they could access the application.

You could just as easily have, based on security level, connected the user at this point to the application using a different ID.

There are, of course, some drawbacks.

The biggest is that you have to maintain the passwords for the roles. We did this via a package that had the password imbedded in it.

The plus that we needed was to NOT allow the users to see any data unless they were in the Application. This was handled very easily with the password protected roles.

Kevin
-----Original Message-----
Sent: Wednesday, May 30, 2001 4:27 PM
To: Multiple recipients of list ORACLE-L

How do you handle logins for applications that log into the database using a common login? I've seen it handled through hard-coded username/pass in the app, password file in 'secure' directories and ops$ account with remote_os_authent set to true on a server being accessed from a 3rd tier web app. Mgmt didn't seem too thrilled when I showed them in about 2 minutes how to break into the db when remote_os_authent=true.

Just curious how you handle this. I haven't seen any particularly great way and am looking for a better solution. V7.3.4 -> 8.1.7 databases.

Thanks - Brian



--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Brian Wisniewski
  INET: brian_wisniewski_at_yahoo.com
Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Received on Wed May 30 2001 - 16:05:37 CDT
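The four-step scheme from Kevin's message, sketched as Oracle SQL. This is an added example, not code from the thread: the schema dose_owner and its dose_readings table are assumed to exist, and every user, role, table and password name is a hypothetical placeholder.

```sql
-- Run as a DBA. All names and passwords below are hypothetical placeholders.

-- Step 2: the role carries the data privileges and needs a password to enable.
CREATE ROLE dose_reader IDENTIFIED BY role_pw_placeholder;
GRANT SELECT ON dose_owner.dose_readings TO dose_reader;

-- Step 1: a very limited per-user ID.
CREATE USER jdoe IDENTIFIED BY user_pw_placeholder;
GRANT CREATE SESSION TO jdoe;

-- The role is granted to the ID but is not enabled at login.
GRANT dose_reader TO jdoe;
ALTER USER jdoe DEFAULT ROLE NONE;

-- Step 3: the only object the ID can read directly is the security table.
CREATE TABLE dose_owner.app_security (
  username       VARCHAR2(30) PRIMARY KEY,
  security_level NUMBER(2)    NOT NULL
);
INSERT INTO dose_owner.app_security (username, security_level)
VALUES ('JDOE', 1);
COMMIT;
GRANT SELECT ON dose_owner.app_security TO jdoe;

-- ---------------------------------------------------------------
-- Connected as jdoe (what the application does after login).
-- ---------------------------------------------------------------

-- Check which roles are enabled in the session before activation.
SELECT role FROM session_roles;

-- Step 4: look up the user's security level ...
SELECT security_level
  FROM dose_owner.app_security
 WHERE username = USER;

-- ... and enable the matching role with the password the application holds.
SET ROLE dose_reader IDENTIFIED BY role_pw_placeholder;

-- Re-check the enabled roles after activation.
SELECT role FROM session_roles;
```

In a direct login with only jdoe's own password, dose_reader is not among the enabled roles in the first SESSION_ROLES query, so dose_readings stays out of reach until the role password is supplied.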
