Proxy from Users IDENTIFIED EXTERNALLY
Perhaps your organization already uses Oracle Internet Directory (OID) and/or Enterprise User Security. If so, it is possible to create individual person users who do not have schemas on each instance of Oracle Database and who can be used in proxy sessions. Those users would be IDENTIFIED GLOBALLY.
Perhaps you trust another directory service or the operating system to identify your users. In that case, you would still have a unique schema for each user, but the authentication (ID and password) would be retained externally. For instance, you might set an OS_AUTHENT_PREFIX like "OPS$" (typical) for your database and create an Oracle user named OPS$OSUSER. The OSUSER user would not provide a password when connecting to Oracle Database, but would gain access by virtue of being authenticated to the operating system as OSUSER. There are steps required to set this up, including gaining access to your directory or domain server from the Oracle database. This is a form of single sign-on.
However, what we are doing is intentionally different. We are creating individual users in Oracle
Database that have no authentication. They have no password, and the IDENTIFIED EXTERNALLY
modifier simply tells Oracle Database that the user is not authenticated by the database.
Another way to have done this would be to create the users identified by a random password that
not even the administrator retains. If no one knows the password, no one can authenticate with it. The
problem with that is that any password that exists needs to be managed and at least periodically
changed (to another random password).
Establish a Proxy Session
To establish a proxy session, we do two things. First, we create a Properties object (basically a hash table with keys and values, e.g., key=PROXY_USER_NAME and value=OSUSER). Then we pass this Properties object to the openProxySession() method of the OracleConnection class, as shown in Listing 8-9. This code is from the doTest2() method of the OraSSOTests class. Also see the main() method.
Note: Find the test code in the file named Chapter8/OraSSOTests.java.
Note that we already have an existing connection at this point. We are connected to Oracle database
as our application user. The goal here is to have our OS user account proxy through the application user.
Listing 8-9. Open a Proxy Session, doTest2()
// Get the OS user identity (from NTSystem or UnixSystem) and use it as the proxy user name
userName = OracleJavaSecure.getOSUserID();
Properties prop = new Properties();
prop.setProperty(OracleConnection.PROXY_USER_NAME, userName);
// Open the proxy session on the existing application-user connection, keyed by user name
conn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
// Record the OS user as the client identifier so it appears in session views and the audit trail
String metrics[] = new String[OracleConnection.END_TO_END_STATE_INDEX_MAX];
metrics[OracleConnection.END_TO_END_CLIENTID_INDEX] = userName;
conn.setEndToEndMetrics(metrics, (short) 0);
Notice we get the OS user identity into userName from NTSystem or UnixSystem and set it as the PROXY_USER_NAME. When we open the session, we tell it we are basing the proxy on user name, PROXYTYPE_USER_NAME.
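As an added example (not the book's OraSSOTests code), the same flow gathered into one method that also asks the database what it recorded, so the proxy can be verified and audited from the server side rather than trusted from the client. The class and method names are hypothetical; it assumes placeholder connection details, that the OS user was created IDENTIFIED EXTERNALLY, and that the DBA has granted that user CONNECT THROUGH the application user.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleDataSource;

public class ProxySessionCheck {
    // Connect as the application user, proxy to the OS user, and return what the
    // database itself records: {SESSION_USER, PROXY_USER, CLIENT_IDENTIFIER}.
    // Prerequisite (run by the DBA): ALTER USER <osUser> GRANT CONNECT THROUGH <appUser>;
    public static String[] proxyAndVerify(String url, String appUser,
            String appPassword, String osUser) throws SQLException {
        OracleDataSource ds = new OracleDataSource();
        ds.setURL(url);
        ds.setUser(appUser);
        ds.setPassword(appPassword);
        OracleConnection conn = (OracleConnection) ds.getConnection();
        try {
            Properties prop = new Properties();
            prop.setProperty(OracleConnection.PROXY_USER_NAME, osUser);
            conn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
            // Tag the session with the OS user so it shows up in V$SESSION and the audit trail
            String[] metrics = new String[OracleConnection.END_TO_END_STATE_INDEX_MAX];
            metrics[OracleConnection.END_TO_END_CLIENTID_INDEX] = osUser;
            conn.setEndToEndMetrics(metrics, (short) 0);
            // Ask the server who it thinks we are instead of trusting the client side
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery(
                     "SELECT SYS_CONTEXT('USERENV','SESSION_USER'),"
                   + " SYS_CONTEXT('USERENV','PROXY_USER'),"
                   + " SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') FROM dual")) {
                rs.next();
                String[] who = { rs.getString(1), rs.getString(2), rs.getString(3) };
                // Expected: SESSION_USER is the OS user and PROXY_USER is the application user
                if (!osUser.equalsIgnoreCase(who[0]) || !appUser.equalsIgnoreCase(who[1])) {
                    throw new SQLException("Unexpected proxy state: " + who[0] + " via " + who[1]);
                }
                return who;
            }
        } finally {
            // Close the proxy session first, then the underlying application connection
            if (conn.isProxySession()) {
                conn.close(OracleConnection.PROXY_SESSION);
            }
            conn.close();
        }
    }
}
```

A caller would pass the application user's credentials and the value of OracleJavaSecure.getOSUserID() as osUser; the returned triple is what shows up in the session views and audit records for that proxy session.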