Re: Adding some random characters to Oracle password
Jeff wrote:
> Okay, done some reading and I still don't quite get it (docs weren't very
> helpful). Does this stuff require an application server to work?
I take it you're talking about secure application roles?
In which case, the answer is "no".
It's simply a question of:
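create role blah identified using secure_me;

create or replace procedure secure_me
authid current_user  -- a secure application role procedure must use invoker's rights
is
  tests_passed boolean := false;
begin
  -- do_all_sorts_of_clever_tests: placeholder, set tests_passed from your own checks here
  if tests_passed then
    dbms_session.set_role('blah');
  end if;
end;
/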
That sort of thing, anyway. Create a role. Say it is to use a procedure/package/function, then create that procedure, package or function. The piece of PL/SQL simply runs some tests - common ones are to use SYS_CONTEXT to determine an IP address, or a username. But you can create your own application contexts if you wish and test for whatever 'tokens' you've placed in that.
Either the PL/SQL tests are passed, in which case a call to dbms_session.set_role switches on the role, just as typing "SET ROLE BLAH" would in SQL*Plus, or the tests are not passed, in which case my silly example does nothing... but you could write code which logs the attempt, or mails you a security alert, or which sets off all the alarms in the building. That sort of thing.
No application server required. But 9i or better is a must-have.
> If not, then could you give me a simple example of how I can connect to
> one account (don't want to manage 100's of accounts) in a database
> client-server from my application without using an embedded password (or
> typing one in) and have it be secure from unauthorized access (meaning
> outside the application). Assume that the database is on a VPN behind a
> firewall. A user's IP is probably irrelevant. No?
I feel a new demo paper coming on. It's a good topic for one.
Regards
HJR
Received on Fri Oct 29 2004 - 18:21:51 CDT
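A fuller version of the secure application role pattern described in the post above, added here as an illustration and not part of the original message: the role's procedure checks SYS_CONTEXT values and records every attempt. The schema SEC_ADMIN, the account APP_CONNECT, the role APP_ROLE, the table ROLE_ATTEMPT_LOG and the 10.20.30.% subnet are assumed names and values, and both schemas are assumed to exist already.

```sql
-- Added example. SEC_ADMIN, APP_CONNECT, APP_ROLE, ROLE_ATTEMPT_LOG and the
-- 10.20.30.% subnet are assumed names/values, not from the original post.
CREATE ROLE app_role IDENTIFIED USING sec_admin.enable_app_role;

CREATE TABLE sec_admin.role_attempt_log (
  attempted_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user      VARCHAR2(128),
  ip_address   VARCHAR2(64),
  granted      CHAR(1)
);

-- Definer's rights and autonomous: the row is written with SEC_ADMIN's
-- privileges and is committed independently of the caller's transaction.
CREATE OR REPLACE PROCEDURE sec_admin.log_role_attempt (p_granted IN CHAR)
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.role_attempt_log (db_user, ip_address, granted)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          p_granted);
  COMMIT;
END;
/

-- Must be invoker's rights: SET_ROLE cannot be used from a definer's rights unit.
CREATE OR REPLACE PROCEDURE sec_admin.enable_app_role
AUTHID CURRENT_USER
IS
  l_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  -- IP_ADDRESS is NULL for local (non-network) connections; treat as a failure.
  l_ip   VARCHAR2(64)  := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'none');
BEGIN
  IF l_user = 'APP_CONNECT' AND l_ip LIKE '10.20.30.%' THEN
    sec_admin.log_role_attempt('Y');
    DBMS_SESSION.SET_ROLE('app_role');  -- same effect as SET ROLE app_role
  ELSE
    sec_admin.log_role_attempt('N');    -- role stays off; attempt is recorded
  END IF;
END;
/

GRANT app_role TO app_connect;
GRANT EXECUTE ON sec_admin.enable_app_role TO app_connect;
```

The application calls sec_admin.enable_app_role immediately after connecting; object privileges are granted to app_role only, so a session that fails the checks holds the login but none of the data access.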