Sure, we can say unlimited sessions, but in reality there is a limit. The hard limit is the number of
processes that the database was created to service. The default number of processes is 150. Looking
ahead, when we create a dedicated database for application authentication in Chapter 11, we will bump
the number of processes up to 500.
The unlimited failed login attempts are a bit harder to justify, because they leave a hacker a wide-open
door to guess the password by brute force. The alternative, however, is the potential for a slew
of broken applications. If a hacker, or an errant application, made several attempts to log in with the wrong
password and locked out the user, all our applications that depend on this user for authorization would
fail until the account was reset.
We are going to limit this account as much as possible. We will give it only a few privileges.
It will need to pass SSO, two-factor authentication, encryption, and application authorization—
the reason for its existence. A couple of the limits we will set for this user will be set through parameters
in the appver_prof profile. We will allow this account only a one-minute connect time and one minute of
idle time (the minimums).
Application Verification User
It's time to create our application verification user, which we will name appver. Listing 10-12 shows the
commands to create the appver user. We assign a password to this user, but for now we are treating it
more like a line of code or an address: it gets people to the workplace, but doesn't do any work itself. For
now, this password will be hard-coded into the OracleJavaSecure class, on the client. In Chapter 11, we
will obfuscate and encrypt the password. In any case, please assign a complex password to appver.
Listing 10-12. Create Application Verification User
CREATE USER appver
IDENTIFIED BY password
QUOTA 0 ON SYSTEM
PROFILE appver_prof;
GRANT create_session_role TO appver;
Notice that we assigned the appver_prof profile to appver. We also give appver no storage space, a
QUOTA of 0 on the SYSTEM tablespace. Finally, we grant the create_session_role to appver so that it can
connect to the Oracle database.
The Application Verification Logon Trigger
We are going to create a logon trigger for the appver account. We have already seen database triggers, but
this one is different—it defines an action we will have Oracle database take whenever a user logs on to
the appver schema. Listing 10-13 shows that our logon trigger simply calls a procedure, p_appver_logon.
Listing 10-13. Logon Trigger for Application Verification
CREATE OR REPLACE TRIGGER secadm.t_screen_appver_access AFTER LOGON ON appver.SCHEMA
BEGIN
appsec.p_appver_logon;
END;
/
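As an added example (not one of the book's listings), here is an appver_prof profile carrying the limits described above for the appver account, followed by the data-dictionary queries a DBA would run after Listing 10-12 to confirm the profile, the zero quota, and how close the instance is to its PROCESSES ceiling. The exact profile definition is an assumption based on the text; the book's own appver_prof listing is not on this page.

```sql
-- Added example, not the book's listing: a profile with the limits the text
-- describes. CONNECT_TIME and IDLE_TIME are in minutes; 1 is the smallest
-- value Oracle accepts for either.
CREATE PROFILE appver_prof LIMIT
  SESSIONS_PER_USER      UNLIMITED  -- bounded in practice by the PROCESSES parameter
  FAILED_LOGIN_ATTEMPTS  UNLIMITED  -- a lockout here would break every dependent application
  CONNECT_TIME           1          -- one minute per connection
  IDLE_TIME              1;         -- one idle minute, then the session is killed

-- After Listing 10-12 has run: confirm the profile and status of the account,
-- and its storage quota. No quota row, or a row with MAX_BYTES = 0, both mean
-- appver cannot store anything in the tablespace.
SELECT u.username, u.profile, u.account_status,
       q.tablespace_name, q.max_bytes
  FROM dba_users u
  LEFT JOIN dba_ts_quotas q ON q.username = u.username
 WHERE u.username = 'APPVER';

-- Confirm the limits that actually attached to the profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APPVER_PROF'
   AND resource_name IN ('SESSIONS_PER_USER', 'FAILED_LOGIN_ATTEMPTS',
                         'CONNECT_TIME', 'IDLE_TIME');

-- The real ceiling on "unlimited sessions": current and peak usage against
-- the PROCESSES and SESSIONS limits the instance was started with.
SELECT resource_name, current_utilization, max_utilization, limit_value
  FROM v$resource_limit
 WHERE resource_name IN ('processes', 'sessions');
```

Run these as a DBA. Note that if p_appver_logon raises an error from inside the AFTER LOGON trigger, Oracle denies the logon to any user that lacks the ADMINISTER DATABASE TRIGGER privilege, so test the procedure before attaching the trigger to the appver schema.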