A point that Paul Needham could have mentioned -
if an application user can execute the packaged
procedure to set the role, then a malicious user
could log in from SQL*Plus and do exactly the
same.  This is just security through obscurity.

I believe a significant driver in the concept of
an application role is that the application server
should be connecting to Oracle through an
application userid, and then using the proxy
user facility to become another userid.  In
this case, the application userid can run the
secure package, and the secure package
can check that it is the application user
running it as a proxy for the real end-user.
Hence the real end-user can't set the role
by logging in through SQL*Plus.

(There still seems to be a loophole there
for the highly competent end-user who can
write C code and read Tom Kyte's book,
of course).
Regards

Jonathan Lewis
http://www.jlcomp.demon.co.uk

Coming soon a new one-day tutorial:
Cost Based Optimisation
(see http://www.jlcomp.demon.co.uk/tutorial.html )

Next Seminar dates:
(see http://www.jlcomp.demon.co.uk/seminar.html )

____England______January 21/23


The Co-operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html
-----Original Message-----
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
Date: 02 January 2003 05:49
Development


>So I forwarded the thread to her, and here's the response from Paul
>Needham of her team (who by the way was impressed with the knowledge
>level of the list contributors).
>
>------------------------------------------------------------------------
>
>introduction of the invoker-rights facility.  Oracle9i introduced the
>secure application role and global application context which are
>designed for proxy architectures.  The secure application role restricts
>enabling a role to a set role command in a named security package.  The
>security package can perform its own security checks prior to invoking
>the set role command.
>
>------------------------------------------------------------------------
>

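Added example, not part of either message above: one way to write the
check Jonathan describes as an Oracle secure application role, where the
role can only be enabled from a named invoker-rights package, and that
package refuses unless the session was opened by the application userid as
a proxy for the real end-user.  Every name used here (APP_SEC, APP_USER,
END_USER, APP_ROLE, HR.SALARIES) is hypothetical.

```sql
-- Added example (hypothetical names throughout). Run as a DBA unless noted.

-- 1. A secure application role: it can only be enabled by SET ROLE issued
--    from inside the named package, never by a bare SET ROLE from SQL*Plus.
CREATE ROLE app_role IDENTIFIED USING app_sec.app_role_pkg;
GRANT SELECT ON hr.salaries TO app_role;          -- hypothetical object

-- 2. The application userid may open sessions on behalf of the end-user
--    (proxy authentication); END_USER's own password is not needed for this.
ALTER USER end_user GRANT CONNECT THROUGH app_user;

-- 3. The security package. AUTHID CURRENT_USER (invoker rights) is required
--    for a package named in IDENTIFIED USING.
CREATE OR REPLACE PACKAGE app_sec.app_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_app_role;
END app_role_pkg;
/

CREATE OR REPLACE PACKAGE BODY app_sec.app_role_pkg AS
  PROCEDURE enable_app_role IS
    -- PROXY_USER is the userid that opened the session on behalf of
    -- SESSION_USER; it is NULL when the end-user logged in directly.
    v_proxy   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    v_session VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  BEGIN
    IF v_proxy IS NULL OR v_proxy <> 'APP_USER' THEN
      RAISE_APPLICATION_ERROR(-20001,
        'APP_ROLE may only be enabled by APP_USER acting as proxy for '
        || NVL(v_session, 'an unknown user'));
    END IF;

    -- Any further checks (e.g. SYS_CONTEXT('USERENV','IP_ADDRESS') against
    -- the application server's address) belong here, before the SET ROLE.
    DBMS_SESSION.SET_ROLE('APP_ROLE');
  END enable_app_role;
END app_role_pkg;
/

-- The end-user (the SESSION_USER in a proxied session) must be able to run
-- the package; the role itself is not granted to anyone directly.
GRANT EXECUTE ON app_sec.app_role_pkg TO end_user;

-- 4. Behaviour.
--    From the application server (proxy session):
--      CONNECT app_user[end_user]/app_password
--      EXEC app_sec.app_role_pkg.enable_app_role;   -- APP_ROLE enabled
--      SELECT * FROM session_roles;                  -- shows APP_ROLE
--    From the end-user's own SQL*Plus login:
--      CONNECT end_user/end_password
--      EXEC app_sec.app_role_pkg.enable_app_role;   -- ORA-20001, no role
--      SET ROLE app_role;                            -- also fails: the role
--                                                    -- is IDENTIFIED USING
```

A direct login has no PROXY_USER, so the SQL*Plus path in the first
paragraph is closed.  The check only establishes that the session came in
through APP_USER; anyone who holds the application userid's credentials can
still open a proxy session from a client of their own and pass it, which is
the loophole the message alludes to.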