Databases Reference
In-Depth Information
node in the DIT. This node is then associated with the role and the schema,
so that when the application server accesses the database it uses
SHARED_SCHEMA and the permissions are defined based on
APP_USER_ROLE1.
Oracle proxy authentication is closely related to this usage of OID and
roles. This feature allows the application user's identity to be
communicated, in addition to the database login name, over a connection
initiated using OCI or thick JDBC. When using proxy authentication, the
end-to-end identification process is as follows:
1. The user authenticates with the application server. This can be
   done using a username and password or through the use of an
   X.509 certificate by means of SSL.
2. The application server uses OID to authenticate the user credentials
   and gets the DN for the user profile.
3. The application server connects to the database using proxy
   authentication. In this process it passes not only the username
   and password used to sign onto the database, but also the DN to
   the database.
4. The database verifies that the application server has the privileges
   to create sessions on behalf of the user.
5. The database gets user information from OID using the DN.
Proxy authentication is a useful feature, and you might think that a lot of
what you learned in this chapter is unnecessary given proxy authentication.
This is not true, mainly because the association between application users is
not dynamic. The first limitation is step 4 in the list above. In
order for proxy authentication to work, you need to allow the application
server to connect on behalf of the user using GRANT CONNECT:
ALTER USER RONB
GRANT CONNECT THROUGH APPSRV;
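The following is an added example, not code from the original text: it shows the same grant restricted to a single role, plus the dictionary queries a DBA can use to review which users the application server may act for. RONB, APPSRV and APP_USER_ROLE1 are the names used in the text; it assumes APP_USER_ROLE1 is already granted to RONB and that the reviewer can read DBA_PROXIES.

```sql
-- Added example. Assumes APP_USER_ROLE1 has already been granted to RONB.

-- Restrict the proxy session: when APPSRV connects on behalf of RONB,
-- only APP_USER_ROLE1 is enabled, not every role RONB holds.
ALTER USER RONB
  GRANT CONNECT THROUGH APPSRV
  WITH ROLE APP_USER_ROLE1;

-- Review: list every end user the application server account may
-- connect on behalf of, and which roles each proxy session is limited to.
SELECT proxy, client, authorization_constraint, role
  FROM dba_proxies
 WHERE proxy = 'APPSRV'
 ORDER BY client;

-- From inside a session: confirm which end user the session runs as
-- and which account opened it. PROXY_USER is NULL for a direct login.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS end_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
  FROM dual;

-- Deprovisioning: withdraw the proxy right when the application user
-- no longer needs access through this application server.
ALTER USER RONB REVOKE CONNECT THROUGH APPSRV;
```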
This requirement is difficult to maintain for a large number of users,
and many of the techniques you learned earlier in this chapter are often
more scalable in the long run. The second issue is best seen by looking at
what a connection within the application code would look like (in this case
you are using a thick JDBC driver):