Allowing Oracle DB login only to a specific application?


Question

We want to allow DB access (Oracle) to our users only through our own application - let's call it "ourTool.exe", installed locally on the users' computers. Currently, the users must provide username/password whenever they start "ourTool". The provided password gets decrypted and we use username/decrypted-password to finally log in to the Oracle DB. This approach prevents the users from directly accessing our DB using third-party tools (SQLplus, Excel, Access, ...) and everything in the DB is guaranteed to have been entered/edited using "ourTool".

Now, one of our clients wants to allow its users "single sign-on" (with SmartCards/Oracle PKI). With this, the user will be able to connect to our DB without providing any password every time they start "ourTool". But the same will be true for the potentially dangerous tools like SQLplus, Excel, Access, etc.

Is there a way to prevent this? How can we make sure that every record in our DB is only created/edited/deleted using "ourTool" in this scenario?

Accepted answer

Since it's your application and you have control of the source, you can use either password-protected database roles or Secure Application Roles that are enabled from ourTool.exe (see http://www.oracle.com/technology/obe/obe10gdb/security/approles/approles.htm ).

For example, with a password-protected database role, the initial connection would be made with only the CREATE SESSION privilege, and then ourTool.exe would issue the SET ROLE with a password known only to you. Any other application doesn't have the information to set the role. Obviously, the privileges are granted only to the role and not directly to the user in this configuration.
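The setup the answer describes, written out as an added example (not part of the original answer): a password-protected role that a bare connection cannot use, plus the Secure Application Role variant from the linked Oracle tutorial. The user, schema, object and procedure names and the role password are assumptions for illustration.

```sql
-- Variant 1: password-protected role.
-- The role holds every object privilege; the password lives only in
-- ourTool.exe (assumed password, constructed for this example).
CREATE ROLE ourtool_role IDENTIFIED BY RolePwPlaceholder1;
GRANT SELECT, INSERT, UPDATE, DELETE ON ourtool.orders TO ourtool_role;

-- The end user gets only the ability to connect, plus the (inactive) role.
GRANT CREATE SESSION TO app_user;
GRANT ourtool_role TO app_user;

-- Essential: a granted role is enabled at login by default, password or
-- not. With DEFAULT ROLE NONE a SQL*Plus / Excel / ODBC session starts
-- with CREATE SESSION only.
ALTER USER app_user DEFAULT ROLE NONE;

-- What ourTool.exe runs right after connecting (works with SSO/PKI too):
SET ROLE ourtool_role IDENTIFIED BY RolePwPlaceholder1;

-- Check from any session: before SET ROLE this must return no rows.
SELECT role FROM session_roles;

-- Variant 2: Secure Application Role. No password in the binary; the role
-- can only be enabled by this invoker's-rights procedure.
CREATE ROLE ourtool_sar IDENTIFIED USING secadmin.ourtool_role_check;

CREATE OR REPLACE PROCEDURE secadmin.ourtool_role_check
  AUTHID CURRENT_USER
AS
BEGIN
  -- Enable the role only when the session looks like ourTool.
  -- MODULE is set by the client, so treat this as a hurdle, not proof.
  IF SYS_CONTEXT('USERENV', 'MODULE') = 'ourTool.exe' THEN
    DBMS_SESSION.SET_ROLE('ourtool_sar');
  END IF;
END;
/
GRANT EXECUTE ON secadmin.ourtool_role_check TO app_user;
GRANT ourtool_sar TO app_user;
ALTER USER app_user DEFAULT ROLE NONE;
-- ourTool.exe then calls:  EXEC secadmin.ourtool_role_check;
```

Either way the control is only as strong as the secret the client holds: a role password compiled into ourTool.exe can be recovered from the binary, so pair it with auditing on the protected tables to detect use outside the application.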

