Move Test for SSO to Separate Function
To divide the work among the pieces of our code, we are going to move the SSO test into its own
function, f_is_sso. We pass this function the application user. Traditionally, appusr has
been our application user, but we will pass whatever user we find registered for the application in the
t_application_registry table. Recall that for SSO, the application user has to be either the connected
user for our session or the proxy user. The f_is_sso function will return the validated SSO user ID, or an
empty string if invalid. Listing 10-3 shows just the signature of f_is_sso.
Listing 10-3. Function to Test if User Passes SSO Requirements, f_is_sso
CREATE OR REPLACE FUNCTION appsec.f_is_sso( m_app_user VARCHAR2 )
RETURN VARCHAR2
AUTHID CURRENT_USER
AS
    return_user VARCHAR2(40) := '';
    ...
Note: Procedures and functions that execute as AUTHID CURRENT_USER are never placed in packages, and they
are usually granted EXECUTE to PUBLIC.
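As an added illustration (not the book's f_is_sso body, which Listing 10-3 elides), here is one way the check described above could be written in PL/SQL. The name f_is_sso_sketch and the identity rules are assumptions: the person's ID is taken to be the client OS user with any domain prefix stripped, and it must match the session user in a proxy session or the client identifier in a direct application-user session.

```sql
-- Added sketch; hypothetical name, not the book's f_is_sso implementation.
CREATE OR REPLACE FUNCTION appsec.f_is_sso_sketch( m_app_user VARCHAR2 )
RETURN VARCHAR2
AUTHID CURRENT_USER
AS
    return_user  VARCHAR2(40) := '';  -- '' is NULL in Oracle; callers test IS NULL
    session_usr  VARCHAR2(256) := UPPER( SYS_CONTEXT( 'USERENV', 'SESSION_USER' ) );
    proxy_usr    VARCHAR2(256) := UPPER( SYS_CONTEXT( 'USERENV', 'PROXY_USER' ) );
    client_id    VARCHAR2(256) := UPPER( SYS_CONTEXT( 'USERENV', 'CLIENT_IDENTIFIER' ) );
    just_os_user VARCHAR2(256) := UPPER( SYS_CONTEXT( 'USERENV', 'OS_USER' ) );
BEGIN
    -- Assumption: OS_USER may arrive as DOMAIN\user; keep only the user part.
    just_os_user := SUBSTR( just_os_user, INSTR( just_os_user, '\', -1 ) + 1 );

    -- Nothing to validate, or an ID too long for return_user: fail closed.
    IF m_app_user IS NULL OR just_os_user IS NULL
       OR LENGTH( just_os_user ) > 40
    THEN
        RETURN return_user;
    END IF;

    IF proxy_usr = UPPER( m_app_user ) AND session_usr = just_os_user THEN
        -- Application user is the proxy user; the person is the session user
        -- (assumes the person's Oracle account is named after the OS account).
        return_user := just_os_user;
    ELSIF session_usr = UPPER( m_app_user ) AND client_id = just_os_user THEN
        -- Application user is the connected user; the person is carried in
        -- CLIENT_IDENTIFIER (assumed to be set by the application).
        return_user := just_os_user;
    END IF;

    -- Any other combination leaves return_user empty (NULL): SSO not validated.
    RETURN return_user;
END f_is_sso_sketch;
/
```

OS_USER and CLIENT_IDENTIFIER are values reported by the client, so a check like this establishes which user is being claimed rather than proving it on its own.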
Add an Oracle Package for Use Only by Application Security
We will be increasing the number of functions and procedures for use strictly by our application security
user, appsec, by almost an order of magnitude, so we are going to employ a package to group and
organize them. We'll call this package appsec_only_pkg. The package also allows us to secure
the code in one location: in this case, we will not grant anyone execute on appsec_only_pkg. We will
drop the functions f_is_cur_cached_cd and f_send_2_factor, and move them into our package as in
Listing 10-4.
Listing 10-4. Package for Application Security Use Only
DROP FUNCTION appsec.f_is_cur_cached_cd;
DROP FUNCTION appsec.f_send_2_factor;
CREATE OR REPLACE PACKAGE appsec.appsec_only_pkg IS
    FUNCTION f_is_cur_cached_cd(
        just_os_user VARCHAR2,
        m_application_id v_two_fact_cd_cache.application_id%TYPE,
        m_two_factor_cd v_two_fact_cd_cache.two_factor_cd%TYPE )
    RETURN VARCHAR2;
    FUNCTION f_send_2_factor(
        just_os_user VARCHAR2,