Hi,
> Does that mean that the number of open connections always equals the
> number of signed in users?
Not necessarily - it depends on the way that you build it. Using Oracle proxy users
(http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/authentication.htm#sthref402)
means that user A could use the connection of user B, i.e. you can still have
the benefits of connection pooling and the database will be aware of who is
logged in.
But actually I've used a feature called connection labelling
(http://download.oracle.com/docs/cd/E11882_01/java.112/e12265/label.htm#BABGJEEA)
which means that yes, the number of opened connections will equal the number
of signed in users.
At runtime, you could issue the following query to see who is connected at any
given time:
select * from v$session;
> So if you want to determine whether user X can see button Y, you have
> to query the database for particular role membership?
I've designed my app such that the session object extends
org.apache.wicket.authentication.AuthenticatedWebSession. A successful login
causes a list of roles to be stored in the session, Wicket can then enforce
security at the application level as normal, using the @AuthorizeInstantiation
annotations. I don't have anything against application enforced security - in
fact I think that it is absolutely necessary.
In Oracle, you can see what roles have been granted to a given user with:
select grantee your_user, granted_role from dba_role_privs where grantee = 'EELCO';
There is a report section in my template app, and a report called "User
Privileges" which lists the roles granted (& object privileges are conferred by
those roles) to a given user.
...
One of the motivations behind this was to find out what was involved in
creating an application broadly consistent with the recommendations of the
Oracle Security Guide (see
http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/app_devs.htm#DBSEG133),
mainly because I've been hamstrung many times by applications not following
this sort of advice, and because colleagues have told me that it was too much
trouble.
Thanks,
Andrew.
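As an added illustration of the two points made above (proxy users on top of a connection pool, and roles loaded into a Wicket session at login), here is example code that is not part of Andrew's starter application. It assumes Wicket 1.4 (org.apache.wicket.authentication.AuthenticatedWebSession, the role annotations) and the Oracle JDBC driver's OracleConnection proxy-session API; the DataSource named pool, the REPORT_USER role and the page class are hypothetical. It reads the roles from SESSION_ROLES (the roles enabled for the proxied session) rather than from DBA_ROLE_PRIVS, so no DBA view access is needed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.sql.DataSource;
import oracle.jdbc.OracleConnection;
import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.WebPage;

/**
 * Example session (not the starter app's code): each end user is verified by
 * Oracle through a proxy session, and the roles Oracle reports for that user
 * are cached in the Wicket session for @AuthorizeInstantiation checks.
 */
public class OracleProxySession extends AuthenticatedWebSession {

    // Hypothetical pool whose physical connections are opened as the proxy
    // account (the account the end users were granted CONNECT THROUGH).
    private final DataSource pool;
    private Roles roles = new Roles();
    private String dbUser;

    public OracleProxySession(Request request, DataSource pool) {
        super(request);
        this.pool = pool;
    }

    @Override
    public boolean authenticate(String username, String password) {
        try (Connection pooled = pool.getConnection()) {
            OracleConnection oc = pooled.unwrap(OracleConnection.class);
            // Turn the pooled physical connection into a session owned by the
            // end user: Oracle checks the password, and V$SESSION shows that user.
            Properties proxy = new Properties();
            proxy.setProperty(OracleConnection.PROXY_USER_NAME, username);
            proxy.setProperty(OracleConnection.PROXY_USER_PASSWORD, password);
            oc.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, proxy);
            try {
                roles = new Roles(loadSessionRoles(oc).toArray(new String[0]));
                dbUser = username;
                return true;
            } finally {
                // Close only the proxy session; the physical connection goes
                // back to the pool still owned by the proxy account.
                oc.close(OracleConnection.PROXY_SESSION);
            }
        } catch (SQLException e) {
            // Wrong password, locked account, no CONNECT THROUGH grant, or any
            // other failure: the user is simply not signed in.
            roles = new Roles();
            dbUser = null;
            return false;
        }
    }

    /** Roles enabled for the current (proxied) session, read from SESSION_ROLES. */
    static List<String> loadSessionRoles(Connection c) throws SQLException {
        List<String> found = new ArrayList<String>();
        try (PreparedStatement ps = c.prepareStatement("select role from session_roles");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                found.add(rs.getString(1));
            }
        }
        return found;
    }

    @Override
    public Roles getRoles() {
        // Wicket's role-based authorization strategy asks for these on every
        // component instantiation and action check.
        return isSignedIn() ? roles : null;
    }

    public String getDbUser() {
        return dbUser;
    }
}

/** Only sessions holding the hypothetical REPORT_USER role may instantiate this page. */
@AuthorizeInstantiation("REPORT_USER")
class UserPrivilegesReportPage extends WebPage {
    // page markup and components omitted
}
```

For the proxy switch to succeed, each end user must first be allowed to connect through the pool's account on the database side (ALTER USER eelco GRANT CONNECT THROUGH pool_account), and the application's AuthenticatedWebApplication subclass must return OracleProxySession from getWebSessionClass(). Because the roles come from the database at login, a role revoked in Oracle stops taking effect on the next sign-in without any change to the application's configuration, while the database-side grants still protect the data even if an application check is forgotten.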
> From: eelco.hillen...@gmail.com
> Date: Tue, 21 Dec 2010 16:12:55 -0800
> Subject: Re: Oracle & Wicket Starter Application Project
> To: users@wicket.apache.org
>
> > - using individual database users to represent real users - giving
> > end-to-end authentication & allowing the use of features such as SQL Trace
> > & fine grained auditing
>
> Does that mean that the number of open connections always equals the
> number of signed in users?
>
> > - using database roles to restrict access to data, and not relying wholly
> > on application enforced security
>
> So if you want to determine whether user X can see button Y, you have
> to query the database for particular role membership?
>
> Cheers,
>
> Eelco
>