USING UNIXSYSTEM
If you are going to use UnixSystem for your clients, you will want to ensure that your clients and the
Oracle database are using the same naming services. This information is not provided by the UnixSystem
class.
There is something you could use. UnixSystem provides the user identifier, uid, which is a numeric value
representing the user. The uid is not necessarily unique, but in a single naming system, a specific user
will have a specific uid.
To use the uid, your clients could transmit the uid they see to Oracle database, and the database
could confirm that it sees the same uid for that user in its naming service. The level of assurance provided
by this check is quite low, so I'm not advising it.
Instead, I recommend you use NAC to ensure that all your UNIX and Linux clients are using the
required naming service before they can get access to the network and the Oracle Database. I like NAC!
That sounds like a campaign slogan, but that was before my time.
Case Sensitivity
You will notice in our code that we uppercase both the user name and the domain. We also test the domain
using the equalsIgnoreCase() method. That case-insensitive test of the domain is just in case someone
implements this code and neglects to type the expectedDomain in all caps. No matter how the domain
name is cased coming from NTSystem, if the spelling is the same, it is the same domain.
In Java, we can do case-insensitive tests, but in Oracle database, we are always case sensitive. In the
Windows/NT domains (Active Directory), depending on how user IDs are entered, you will find mixed
cases. Windows domains are case insensitive: the user COFFIN is the same as Coffin or coffin.
There is a possibility that you or your application developers will use an equals() method instead of
an equalsIgnoreCase() method in Java when dealing with the user ID. There is also a possibility
(especially if you follow this topic) that you will send the user ID to Oracle database and save it there or
test it for existence in a database. To cover these possibilities, we will ensure that our data is consistently cased
wherever case sensitivity is an issue. We will handle user IDs in upper case.
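The following sketch is an added illustration, not code from the original text. It shows why a case-sensitive comparison misses mixed-case user IDs and how upper-casing plus a case-insensitive domain test avoids that. The class name, the normalizedUser helper, the domain value and the sample identities are assumptions, with constructed strings standing in for what NTSystem would report; the use of Locale.ROOT goes slightly beyond the text.

```java
import java.util.Locale;
import java.util.Set;

public class IdentityCase {
    // Assumed value for illustration; deliberately not typed in all caps.
    static final String expectedDomain = "Example";

    /** Returns the upper-cased user ID, or null if the domain is not the expected one. */
    static String normalizedUser(String osUser, String osDomain) {
        if (osUser == null || osDomain == null) return null;
        // Domain names are case insensitive, so compare without regard to case.
        if (!osDomain.trim().equalsIgnoreCase(expectedDomain)) return null;
        // Locale.ROOT keeps the result independent of the JVM's default locale
        // (under a Turkish locale, "i" would otherwise upper-case to a dotted capital I).
        return osUser.trim().toUpperCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed stand-in for user IDs saved in upper case in a case-sensitive store.
        Set<String> storedUsers = Set.of("COFFIN");

        // Constructed samples of what the OS might report: {user, domain}.
        String[][] reported = {
            {"COFFIN", "EXAMPLE"},
            {"Coffin", "example"},
            {"coffin", "Example"},
            {"coffin", "OTHER"}   // wrong domain: must be rejected whatever the case
        };

        for (String[] r : reported) {
            // Case-sensitive lookup on the raw value, equivalent to using equals().
            boolean rawMatch = storedUsers.contains(r[0]);
            // Domain check plus upper-casing before the same case-sensitive lookup.
            String user = normalizedUser(r[0], r[1]);
            boolean normalizedMatch = user != null && storedUsers.contains(user);
            System.out.printf("%s\\%s raw=%b normalized=%b%n",
                    r[1], r[0], rawMatch, normalizedMatch);
        }
    }
}
```

The raw lookup succeeds only for the identity that already arrives in upper case, while the normalized lookup accepts every casing of the same user in the expected domain and rejects the identity from the other domain.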
Access Oracle Database as Our Identified User
Oracle JDBC transmits a number of identity characteristics from the client to the server. Among these
are the OS user ID, the IP address, and in certain cases the terminal (client computer) name. We can
query these items and use them for validation. Additionally, we can pass identity information to Oracle
database, and we can assume a valid alternate identity and use the connected identity as a proxy.
All of these aspects of identity, when appropriately set, allow us to authorize access and, just as
importantly, to audit access to data. We want to know, monitor, and report who did what.
Examine the Oracle SSO Options for Programmers
Let's examine some of our options at this point. I am going to limit the options for doing single sign-on
with Oracle database to the following:
 