ALTER USER coffin GRANT CONNECT THROUGH APPVER;
-- APPUSR is the account that gets access to HRVIEW_ROLE
ALTER USER coffin GRANT CONNECT THROUGH APPUSR;
Additionally, for user coffin to pass two-factor authentication, he will need entries in both
HR.EMPLOYEES and HR.emp_mobile_nos.
Auditing Application Verification
It would be nice to know everything that the appver user does—there should only be a select number of
statements he makes. However, we anticipate he will get called many, many times, and we do not want
to audit all the legitimate calls he makes. The first clue that appver is doing something unofficial will
probably be when he tries to select data. So we will use the audit log, through the uncommented commands in
Listing 10-17, to watch for that.
Listing 10-17. Auditing Application Verification
--AUDIT ALL STATEMENTS BY appver BY ACCESS; -- WHENEVER SUCCESSFUL;
AUDIT SELECT TABLE BY appver BY ACCESS;
AUDIT EXECUTE PROCEDURE
BY appver
BY ACCESS
WHENEVER NOT SUCCESSFUL;
Also, we might catch some application errors and attempted abuse by auditing when appver fails to
execute procedures. So we audit when those calls are NOT SUCCESSFUL. We wouldn't want to audit
successful procedure calls, because we know he will be calling procedures, and we hope he succeeds.
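The audit settings above only pay off if someone reviews the records they produce. The queries below are an added example, not part of the book's listing: they assume traditional auditing is writing to the database (AUDIT_TRAIL set to DB or DB,EXTENDED) and that the reviewer can read the DBA_ views.

```sql
-- Added example, not from the book. Assumes AUDIT_TRAIL = DB (or DB,EXTENDED)
-- and a reviewing account with access to the DBA_ dictionary views.

-- 1. Confirm the statement audit options for appver are in force.
--    Expect SELECT TABLE (success and failure BY ACCESS) and
--    EXECUTE PROCEDURE (failure BY ACCESS only).
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name = 'APPVER'
 ORDER BY audit_option;

-- 2. Every SELECT issued by appver. The text treats a SELECT by appver as
--    the first clue of unofficial use, so each row deserves a look:
--    which object was read, and from which host and OS account.
SELECT extended_timestamp, os_username, userhost, terminal,
       owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE username = 'APPVER'
   AND action_name = 'SELECT'
 ORDER BY extended_timestamp DESC;

-- 3. Failed procedure calls by appver, grouped so that a misbehaving
--    application (one host, one procedure, one repeated error) stands apart
--    from probing (many procedures or many different error codes).
--    RETURNCODE holds the Oracle error number; 0 would mean success.
SELECT owner, obj_name, returncode, userhost,
       COUNT(*)                AS failures,
       MIN(extended_timestamp) AS first_seen,
       MAX(extended_timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE username = 'APPVER'
   AND action_name = 'EXECUTE PROCEDURE'
   AND returncode <> 0
 GROUP BY owner, obj_name, returncode, userhost
 ORDER BY failures DESC;
```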
Structures for Application Authorization
We discussed one of the tasks that appver accomplishes—comparing an inner class object provided by
the application with one that has been registered. Registration occurs when the inner class gets inserted
on first sight (when there is no existing registry entry for the application). That's right: the first time you
(a new application) show up, we write your name in the guest book and save the inner class you
provided. Your application had to leap several obstacles to get this far, and we give you credit for that.
However, at this point, it's not much more than a mug shot.
Your application has to come back with the same identity in order to register your connection
strings. You also have to show up with the same identity from now on to get those connection strings
returned to your application.
More Space for Application Security
Because we are committing to store a couple of objects for each application that uses these services, we should
give a bit more space to the appsec schema to use for storage. Execute this ALTER USER command to
accomplish that:
-- Increase quota to hold app verification data
ALTER USER appsec DEFAULT TABLESPACE USERS QUOTA 10M ON USERS;