Oracle Database


Preserving User Identity in Multitiered Environments

must provide, as a minimum, a globally unique name for the user. The database uses this name to look up the user in Oracle Internet Directory. To pass over the distinguished name of the client, the application server would call the Oracle Call Interface method OCIAttrSet() with the following pseudo interface:

    OCIAttrSet(OCISession *session_handle, OCI_HTYPE_SESSION, lxstp *distinguished_name, (ub4) 0, OCI_ATTR_DISTINGUISHED_NAME, OCIError *error_handle);

To pass over the entire certificate, the middle tier would use the following pseudo interface:

    OCIAttrSet(OCISession *session_handle, OCI_HTYPE_SESSION, ub1 *certificate, ub4 certificate_length, OCI_ATTR_CERTIFICATE, OCIError *error_handle);

If the type is not specified, then the database uses its default certificate type of X.509.

Note:

■ OCI_ATTR_CERTIFICATE is DER encoded.

■ Certificate-based proxy authentication using OCI_ATTR_CERTIFICATE will not be supported in future Oracle Database releases. Use the OCI_ATTR_DISTINGUISHED_NAME or OCI_ATTR_USERNAME attribute instead.

If you are using proxy authentication for password-authenticated enterprise users, then use the same OCI attributes as for database users authenticated by password (OCI_ATTR_USERNAME). Oracle Database first checks the user name against the database. If it finds no user, then the database checks the user name in the directory. This user name must be globally unique.
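The OCI attributes above only tell the database who the middle tier claims to be acting for; the session is refused unless the database user has first been authorized to connect through that proxy with a matching authentication requirement. The following is an added example (not from the Oracle documentation page) of that server-side authorization, written in SQL as a DBA would issue it. The account names hrappserver, jane and ajit are the page's scenario; the role hr_clerk_role and the password are assumed placeholders.

```sql
-- Added example, not part of the Oracle documentation page.
-- Server-side proxy authorization that must exist before the middle tier's
-- OCIAttrSet()/OCISessionBegin() proxy session for a client succeeds.

-- Assumed middle-tier account; it needs only CREATE SESSION of its own,
-- because it acts with the client's privileges, not its own.
CREATE USER hrappserver IDENTIFIED BY "placeholder_password_1";
GRANT CREATE SESSION TO hrappserver;

-- Password-authenticated client: pairs with OCI_ATTR_USERNAME on the
-- middle tier. WITH ROLE limits what the proxy may exercise on Jane's
-- behalf to one assumed role instead of every role Jane holds.
ALTER USER jane GRANT CONNECT THROUGH hrappserver
  WITH ROLE hr_clerk_role
  AUTHENTICATED USING PASSWORD;

-- Client identified by distinguished name: pairs with
-- OCI_ATTR_DISTINGUISHED_NAME. The DN the middle tier passes must match
-- the one stored for the user, or the proxy session is rejected.
ALTER USER ajit GRANT CONNECT THROUGH hrappserver
  AUTHENTICATED USING DISTINGUISHED NAME;

-- AUTHENTICATED USING CERTIFICATE pairs with OCI_ATTR_CERTIFICATE, which
-- the note above says is going away; prefer DISTINGUISHED NAME or PASSWORD.

-- Verify which clients hrappserver may proxy and what each requires.
SELECT proxy, client, authentication, authorization_constraint
  FROM proxy_users
 WHERE proxy = 'HRAPPSERVER';

-- Remove the relationship when the middle tier is decommissioned.
ALTER USER ajit REVOKE CONNECT THROUGH hrappserver;
```

Reviewing PROXY_USERS periodically is the quick check for stale or over-broad proxy grants: every row is an account the middle tier can impersonate, so the list should be no longer than the application actually needs.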

Auditing Actions Taken on Behalf of the Real User

The proxy authentication features of Oracle Database enable you to audit actions that a middle tier performs on behalf of a user. For example, suppose an application server hrappserver creates multiple sessions for users Ajit and Jane. A database administrator could enable auditing for SELECT statements performed on the bonus table that hrappserver initiates for Jane as follows:

    AUDIT SELECT TABLE BY hrappserver ON BEHALF OF Jane;

Alternatively, you could enable auditing on behalf of multiple users (in this case, both Jane and Ajit) connecting through a middle tier as follows:

    AUDIT SELECT TABLE BY hrappserver ON BEHALF OF ANY;

This auditing option only audits SELECT statements being initiated by hrappserver on behalf of other users. You can enable separate auditing options to capture SELECT statements against the bonus table from clients connecting directly to the database:

    AUDIT SELECT TABLE;
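Enabling the options is half the job; the other half is confirming they are in force and being able to tell proxied reads from direct ones in the trail. The following is an added example (not from the Oracle documentation page) that puts the three AUDIT statements above together with the dictionary queries used to verify them. The account and table names are the page's scenario; the view and column names are the standard DBA_STMT_AUDIT_OPTS and DBA_AUDIT_TRAIL views.

```sql
-- Added example, not part of the Oracle documentation page.
-- Proxy auditing for the hrappserver / jane / ajit scenario, with checks.

-- SELECT statements that hrappserver issues on behalf of Jane only.
AUDIT SELECT TABLE BY hrappserver ON BEHALF OF jane;

-- Any user proxied through hrappserver (covers Ajit as well).
AUDIT SELECT TABLE BY hrappserver ON BEHALF OF ANY;

-- Separate option for clients connecting directly, not through the proxy.
AUDIT SELECT TABLE;

-- Check the statement options in force. PROXY_NAME is filled in for the
-- ON BEHALF OF options and empty for the plain one, so all three show up
-- as distinct rows.
SELECT user_name, proxy_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE audit_option = 'SELECT TABLE';

-- Review recorded reads of the bonus table. PROXY_SESSIONID is set only for
-- statements that ran inside a proxy session, which is how middle-tier
-- access is separated from direct logins to the same table.
SELECT timestamp, username, proxy_sessionid, action_name, owner, obj_name,
       returncode
  FROM dba_audit_trail
 WHERE obj_name = 'BONUS'
   AND action_name = 'SELECT'
 ORDER BY timestamp;

-- Switch the Jane-specific option off again when no longer needed.
NOAUDIT SELECT TABLE BY hrappserver ON BEHALF OF jane;
```

None of these options write anything unless the AUDIT_TRAIL initialization parameter is set so that records go to the database audit trail; an empty DBA_AUDIT_TRAIL after a known proxied SELECT usually means that parameter, not the AUDIT statement, is the problem.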

Configuring Authentication 3-37

