• Have a standard connection to Oracle database as appusr and pass the OS user
  identity for authorization (perhaps) and auditing (certainly).
• Have a proxy session to Oracle database. The Oracle user will be named the same
  as our OS user, and will proxy through appusr. This requires a minimal Oracle user
  for each OS user, with the same name as the OS user. (This will be the default
  approach used throughout the chapters following this one. But if you are using
  another scheme at present, you will be glad to know that we can achieve SSO in
  that approach as well.)
• Have a connection pool for the app with Oracle users named the same as our OS
  users, all proxying through appusr. We will examine both lightweight (thin)
  connection pools and heavyweight (Oracle call interface, or OCI) connection
  pools. We will also implement the newest connection pool technology from Oracle
  database: universal connection pool (UCP).
Set a Client Identifier
The client identifier is an identity trait we can set for each Oracle connection. It can be used for a
number of things, but for our purposes, we will set it equal to the user identity we get from NTSystem or
UnixSystem.
Using an OracleConnection class (which extends the standard Connection class), we can set the
client identifier using the code in Listing 8-5.
Listing 8-5. Set the Client Identifier, doTest1()
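// OS user identity that will become the client identifier
userName = OracleJavaSecure.getOSUserID();
// Array sized to hold every end-to-end metric
String metrics[] =
    new String[OracleConnection.END_TO_END_STATE_INDEX_MAX];
// Place the user identity in the client identifier slot
metrics[OracleConnection.END_TO_END_CLIENTID_INDEX] = userName;
conn.setEndToEndMetrics(metrics, (short) 0);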
The last line is a call to set the end-to-end metrics for the connection. That call takes a String array,
metrics, and an index of type short (a smaller integer) equal to 0—we cast the value 0 as a short. We set
the size of the String array equal to the constant member of OracleConnection named
END_TO_END_STATE_INDEX_MAX, and we place the user identity in the array at the constant index
END_TO_END_CLIENTID_INDEX.
Later, when we want to see what the client identifier is set to, we will examine it on the Oracle
database by querying SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER'). Oracle database provides the
facility for creating and using application contexts in addition to the session context, SYS_CONTEXT.
Contexts are a convenience feature for storing information in the session as opposed to storing that data
in a database table. Often application contexts are mentioned along with the security topic of
Fine-Grained Access (FGA) control (see Chapter 12), but contexts by themselves do not provide security—just
another storage place for information.
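The set-then-verify round trip described above, as an added example that is not code from the book: it sets the client identifier as in Listing 8-5 and reads it back through SYS_CONTEXT so a missing or mismatched value fails loudly. The class name ClientIdCheck and the method setAndVerify are hypothetical; the code assumes an already open OracleConnection and the Oracle JDBC driver on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import oracle.jdbc.OracleConnection;

// Hypothetical helper class, added for illustration.
public class ClientIdCheck {
    // V$SESSION.CLIENT_IDENTIFIER is VARCHAR2(64); reject anything longer
    // instead of risking a truncated identity in the audit trail.
    static final int MAX_CLIENT_ID_BYTES = 64;

    /** Sets the client identifier, then returns the value the session reports. */
    static String setAndVerify(OracleConnection conn, String userName)
            throws SQLException {
        if (userName == null || userName.isEmpty()
                || userName.getBytes(StandardCharsets.UTF_8).length
                        > MAX_CLIENT_ID_BYTES) {
            throw new IllegalArgumentException(
                "OS user name is not usable as a client identifier");
        }

        // Same calls as Listing 8-5.
        String[] metrics =
            new String[OracleConnection.END_TO_END_STATE_INDEX_MAX];
        metrics[OracleConnection.END_TO_END_CLIENTID_INDEX] = userName;
        conn.setEndToEndMetrics(metrics, (short) 0);

        // Read the value back from the database session.
        String seen = null;
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') FROM DUAL")) {
            if (rs.next()) {
                seen = rs.getString(1);
            }
        }
        if (!userName.equals(seen)) {
            throw new SQLException("Client identifier mismatch: expected "
                + userName + ", session reports " + seen);
        }
        return seen;
    }
}
```

The identifier is whatever the client sends and the database does not verify it, so it serves as audit metadata and not as proof of identity.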
Prepare to Access HR Data
In all cases, we want to access data in the HR schema, so we can do a couple things to prepare for that.
First, we will call the appsec.p_check_hrview_access procedure to acquire our secure application role,
hrview_role. Then, we can set our current schema to the HR schema. This has no effect on access, but
 