Application Login Screen
What do we mean by application login? Because we are using single sign-on, we don't actually have the
users enter a user name and password, but we do have them enter the two-factor authentication code.
Our plan will be to remain on the Login screen until they have entered the correct two-factor code or
they have exited the program. We need to handle several cases:
- When their account cannot do SSO, we need to tell them
- When they enter the wrong or an old two-factor authentication code, we need to tell them
- When they enter the correct code, we need to continue
Behind the scenes, a lot is happening. Before the user has an opportunity to enter the two-factor
authentication code, the Login screen will get the user identity from the OS and attempt to do SSO and
then proxy using that OS user ID to the apver instance as the appver user. Remember the lengths we
went to in order to obfuscate the appver password and the Java code that decodes it—all that is part of
the process here.
Once a proxy session is established, the Oracle database determines whether the user has already entered a two-factor authentication code; if not, it generates one and sends it to the user's mobile devices. To find out where to send the authentication code, Oracle database looks across a database link from the apver instance to the orcl instance, to the HR schema EMPLOYEE and emp_mobile_nos tables, to find out what devices are available for this specific user. Sending the authentication code to each device and returning to the Login screen are the next steps.
Note: We are going to build this administrative interface for two Oracle database instances, orcl and apver. If you have not created the apver instance, you will need to use the code that is modified to run on a single instance, in the Chapter12/single directory.
Then, when the user receives the two-factor authentication code on their devices, and enters the
code on the Login screen, a slew of additional steps are taken. The first step that the Login screen takes is
to pass certain data and objects to the Oracle database. It passes the two-factor code, an inner class
instance specific to this application, and an application identification string. Additionally, an RSA
public/private key pair is generated on the client, and the modulus and exponent artifacts are also
passed to the database.
Oracle database first assures that the two-factor authentication code the user entered matches what
was sent to the user within the last ten minutes for this particular application, from this particular client
network address. Then, if it is the correct code, the database assures the inner class instance matches
what is stored for the application in question, and then retrieves the list of connection strings that is
associated with it. Recall that the list of connection strings is stored in encrypted form on the database,
and the code to encrypt and decrypt has been “wrapped” using the Oracle database wrap utility.
The Oracle database builds an RSA public key from the artifacts provided by the client (the modulus and exponent), and generates a DES secret password key. The artifacts of the DES key are encrypted using the RSA public key so they can be returned to the client, which alone holds the matching private key.
The list of connection strings for this specific application is encrypted with the secret password key,
and that encrypted list is also returned to the client. At this point, the Login screen is about finished.
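The exchange described above (client generates an RSA key pair and sends only the modulus and exponent; the database rebuilds the public key, generates a DES key, wraps that key with the public key, encrypts the connection-string list with the DES key, and returns both; the client unwraps and decrypts) can be traced end to end in a single Java program. The following is an added example, not code from the book or its Chapter 12 sources: the `Server` class is a hypothetical stand-in for the database-side package (the real work happens in Oracle Java stored procedures and PL/SQL), the two connection strings are constructed sample data, and the class and method names are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class LoginKeyExchangeDemo {

    /** Client side (the Login screen): the private key never leaves this object. */
    static final class Client {
        final PrivateKey privateKey;
        final BigInteger modulus;   // artifact 1 sent to the database
        final BigInteger exponent;  // artifact 2 sent to the database

        Client() throws Exception {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            KeyPair pair = gen.generateKeyPair();
            privateKey = pair.getPrivate();
            RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
            modulus = pub.getModulus();
            exponent = pub.getPublicExponent();
        }

        /** Unwrap the DES key with the private key, then decrypt the connection-string list. */
        String[] recoverConnectionStrings(byte[] wrappedDesKey, byte[] iv, byte[] encryptedList)
                throws Exception {
            Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            rsa.init(Cipher.DECRYPT_MODE, privateKey);
            SecretKey desKey = new SecretKeySpec(rsa.doFinal(wrappedDesKey), "DES");

            Cipher des = Cipher.getInstance("DES/CBC/PKCS5Padding");
            des.init(Cipher.DECRYPT_MODE, desKey, new IvParameterSpec(iv));
            String list = new String(des.doFinal(encryptedList), StandardCharsets.UTF_8);
            return list.split("\n");
        }
    }

    /** Hypothetical stand-in for the database side; the book does this inside Oracle. */
    static final class Server {
        // Constructed sample data standing in for the decrypted, per-application list
        static final String[] CONNECTION_STRINGS = {
            "jdbc:oracle:thin:@dbhost.example.com:1521:orcl",
            "jdbc:oracle:thin:@dbhost.example.com:1521:apver"
        };

        final byte[] wrappedDesKey;  // DES key artifacts, RSA-encrypted for the client
        final byte[] iv;             // CBC IV; not secret, but the client needs it
        final byte[] encryptedList;  // connection strings under the DES key

        Server(BigInteger modulus, BigInteger exponent) throws Exception {
            // Rebuild the client's RSA public key from the two artifacts it sent
            PublicKey clientPub = KeyFactory.getInstance("RSA")
                    .generatePublic(new RSAPublicKeySpec(modulus, exponent));

            // Generate the per-session DES "secret password key"
            SecretKey desKey = KeyGenerator.getInstance("DES").generateKey();

            // Wrap the DES key so only the holder of the private key can recover it
            Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            rsa.init(Cipher.ENCRYPT_MODE, clientPub);
            wrappedDesKey = rsa.doFinal(desKey.getEncoded());

            // Encrypt the connection-string list with the DES key
            Cipher des = Cipher.getInstance("DES/CBC/PKCS5Padding");
            des.init(Cipher.ENCRYPT_MODE, desKey);
            iv = des.getIV();
            byte[] plain = String.join("\n", CONNECTION_STRINGS).getBytes(StandardCharsets.UTF_8);
            encryptedList = des.doFinal(plain);
        }
    }

    public static void main(String[] args) throws Exception {
        Client client = new Client();
        // Only modulus and exponent cross the wire toward the database
        Server server = new Server(client.modulus, client.exponent);
        String[] recovered = client.recoverConnectionStrings(
                server.wrappedDesKey, server.iv, server.encryptedList);
        System.out.println(Arrays.toString(recovered));
        System.out.println("round trip ok: " + Arrays.equals(recovered, Server.CONNECTION_STRINGS));
    }
}
```

Two things worth checking against your own build of this flow: the RSA private key is created fresh per login and never serialized, so an attacker who captures the returned artifacts has nothing to decrypt them with; and the DES key is session-scoped, so the encrypted list is useless to anyone who replays it later. DES and PKCS#1 v1.5 padding are kept here only to match the book's design; a new implementation would use AES (GCM mode) for the list and RSA-OAEP for wrapping the key, with no other change to the exchange.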