Oracle Database


Preserving User Identity in Multitiered Environments

Figure 3–2 Multitier Authentication

The following actions take place:

1. The user logs on using a password or Secure Sockets Layer. The authentication information is passed through Oracle Application Server.

2. Oracle Internet Directory authenticates the user, gets the roles associated with that user from the wallet, and then passes this information back to Oracle Application Server.

3. Oracle Application Server checks the identity of the user in Oracle Database, which contains a wallet that stores this information, and then sets the role for that user.

Security for middle-tier applications must address the following key issues:

■ Accountability. The database server must be able to distinguish between the actions of the application and the actions an application takes on behalf of a client. It must be possible to audit both kinds of actions.

■ Least privilege. Users and middle tiers should be given the fewest privileges necessary to perform their actions, to reduce the danger of inadvertent or malicious unauthorized activities.

Preserving User Identity in Multitiered Environments

Many organizations would like to know who the user is through all tiers of an application without sacrificing the benefits of a middle tier. Oracle Database supports the following ways to preserve user identity through the middle tier of an application:

3-30

■ Using a Middle Tier Server for Proxy Authentication

■ Using Client Identifiers to Identify Application Users Not Known to the Database
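The following SQL, added here as an illustration and not taken from the guide, shows how the two mechanisms listed above map onto the accountability and least-privilege requirements. The user names (jeff, appserver), the role (clerk_role), the table (hr.employees) and the client identifier value are constructed for the example.

```sql
-- Proxy authentication: the middle tier (appserver) may open a session
-- on behalf of the database user jeff, but only with the clerk_role
-- role enabled, so the middle tier is limited to the fewest privileges
-- the user's work requires (least privilege).
ALTER USER jeff GRANT CONNECT THROUGH appserver
  WITH ROLE clerk_role;

-- Accountability: audit what appserver does on jeff's behalf separately
-- from what appserver does as itself. Traditional auditing syntax.
AUDIT SELECT TABLE BY appserver ON BEHALF OF jeff;

-- Inside a proxied session the database can tell both parties apart:
-- SESSION_USER is the end user (jeff), PROXY_USER is the middle tier
-- (appserver). In a direct appserver session PROXY_USER is NULL.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
  FROM dual;

-- Client identifiers: when end users are application users not known
-- to the database, the middle tier tags its own session with the
-- application user's name so audit records and views can still carry it.
-- 'app_user_jeff' is a constructed value set by the middle tier.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('app_user_jeff');
END;
/

-- The identifier is then visible to the session and to audit records.
SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS client_id
  FROM dual;

-- Example access the audit above would record as appserver acting
-- on behalf of jeff (hr.employees is a constructed table name).
SELECT employee_id, last_name
  FROM hr.employees
 WHERE ROWNUM <= 5;
```

Run the ALTER USER and AUDIT statements as a user with the required administrative privileges; the SYS_CONTEXT queries are meant to be issued from the proxied or tagged session to verify which identity the database has recorded.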

Oracle Database Security Guide

