Oracle English-language training courseware, Security: les_09

Uploader: 努力****83   Document ID: 190630072   Uploaded: 2023-02-28   Format: PPT   Pages: 34   Size: 343KB

Using Proxy Authentication

Objectives
After completing this lesson, you should be able to do the following:
- Describe how proxy authentication works
- Manage users being authenticated by using proxy authentication
- Audit users authenticated by proxy

User Authentication
Identify the user in the following ways:
- Basic authentication
  - Database user identified by a password
  - Database user identified by the operating system
- Strong authentication
- Enterprise User Security
- Proxy authentication

Security Challenges of Three-Tier Computing
- Who is the real user?
- Can the user be reauthenticated to the database?
- Does the middle tier have more privileges than required?
(Diagram: User -> Oracle Application Server -> Database)

Who Is the Real User?
For the following security functions, the application needs the end user, not the proxy user:
- Authentication
- Data access control
- Auditing
If only the application server knows the end-user ID, then:
- Security must be coded in the application
- Security enforced in the application is expensive

User Reauthentication
Types of authentication in three-tier systems:
- Middle tier to database authentication
- Client to middle tier authentication
- Client reauthentication through the middle tier to the database:
  - Does the end user need to log in multiple times?
  - Can the end user's database account information be stored in the application?
  - Can the user be authenticated by using LDAP?
- Point-to-point protocols, such as SSL, can only authenticate to one node
- Single authentication

Common Implementations of Authentication
- Pass-through: The user is unknown to the application.
- One big-application user: The user is unknown to the database.
- Other methods:
  - The user is reauthenticated to the database.
  - The user is identified to the database.
  - The user is proxied.
(Diagram: User -> Oracle Application Server -> Database)

Does the Middle Tier Have More Privileges Than Required?
Middle tier connects to the database:
- Same database user for all application users
- The database user has all privileges for all application users.
- The database may not know the end-user ID.
- Application server must have limited privileges.

Implementing Proxy Authentication Solutions
Proxy authentication solutions depend on the type of the end user:
- Known to the database:
  - Database user and enterprise user
  - Possible to reauthenticate to the database
  - Auditing actions taken on behalf of the real user
- Unknown to the database:
  - End user known only to the application
  - Support for application-user models
  - Limiting the privilege of the middle tier

Authenticating Database and Enterprise Users
Use OCI or JDBC. The authentication process is as follows:
1. Client authenticates to the middle tier.
2. Middle tier authenticates to the database.
3. Middle tier creates the end user's session.
4. Database verifies that the middle tier can:
   - Create the session for the user
   - Assign the roles assigned to the user
Database users can be:
- Authenticated to the application server
- Reauthenticated to the database

Using Proxy Authentication for Database Users
Authenticate the user without a database password:
    ALTER USER phall GRANT CONNECT THROUGH appsrv;
Authenticate the user with a database password:
    ALTER USER phall GRANT CONNECT THROUGH appsrv AUTHENTICATED USING PASSWORD;

Using Proxy Authentication for Enterprise Users
Authenticate the user with a distinguished name:
    ALTER USER phall GRANT CONNECT THROUGH appsrv AUTHENTICATED USING DISTINGUISHED NAME;
Authenticate the user with a certificate:
    ALTER USER phall GRANT CONNECT THROUGH appsrv AUTHENTICATED USING CERTIFICATE TYPE 'X.509' VERSION '3';

Proxy Access Through SQL*Plus
Proxy access through SQL*Plus when:
- User is known to the database (proxy user, client user in brackets, proxy password):
    CONNECT appsrv[phall]/appsrv_pwd
- User is unknown to the database (Enterprise User Proxy; enterprise user, database user in brackets, enterprise user's password):
    CONNECT rajeev[appsrv]/rajeev_pwd

Enterprise User Proxy
- Use enterprise users with current applications
- Let the directory authenticate the users
- Connect as database user
    CONNECT george[appsrv]/george_pwd
(Diagram: enterprise user george, authenticated by the directory, connects as database user appsrv)

Enterprise User Proxy Example
    CONNECT Rajeev[parts_guest]/pwd
    CONNECT Jim[parts_guest]/pwd
(Diagram: enterprise users Rajeev and Jim both connect as parts_guest on PARTS_DB)

Revoking Proxy Authentication
Revoke proxy authentication through a middle tier:
    ALTER USER phall REVOKE CONNECT THROUGH appsrv;
Do not include the AUTHENTICATED USING clause with REVOKE.

Application-User Model
Use the OCI, thin JDBC, or thick JDBC. End-user identity is set by the middle tier.
The authentication process is as follows:
1. The middle tier authenticates to the database.
2. The end user authenticates to the middle tier.
3. The middle tier allocates a session to the user, identifying the user with client_identifier.
4. Optionally, the middle tier can enable roles to restrict the privileges of the user.
Examples:
- Certificate
- Application username and password

Data Dictionary Views for Proxy Authentication
- DBA_PROXIES: All proxy connections
- USER_PROXIES: Connections that the current user is allowed to proxy
- PROXY_USERS: Users who can assume the identity of other users
- V$SESSION_CONNECT_INFO: Network connections for all current sessions
- V$SESSION: Session-connect details:
  - PROGRAM column shows "proxy-user"
  - MODULE column shows "proxy-user"

Data Dictionary Views: DBA_PROXIES and USER_PROXIES
    SQL> SELECT proxy, client, authentication,
      2* authorization_constraint FROM dba_proxies

    PROXY    CLIENT   AUTH   AUTHORIZATION_CONSTRAINT
    -------- -------- ------ -----------------------------------
    HRUSER   PHALL    NO     PROXY MAY ACTIVATE ROLE
    APPSVR   PHALL    NO     NO CLIENT ROLES MAY BE ACTIVATED
    HRUSER   PFAY     YES    PROXY MAY ACTIVATE ALL CLIENT ROLES

Data Dictionary Views: V$SESSION_CONNECT_INFO
    SQL> SELECT * FROM v$session_connect_info WHERE sid = 141;

    SID  AUTHENTI  OSUSER  NETWORK_SERVICE_BANNER
    ---- --------- ------- ---------------------------------------------------------------------------
    141  DATABASE  oracle  TCP/IP NT Protocol Adapter for Linux: Version 10.1.0.3.0 - Production
    141  DATABASE  oracle  Oracle Advanced Security: encryption service for Linux: Version 10.1.0.3.0 - Production
    141  DATABASE  oracle  Oracle Advanced Security: crypto-checksumming service for Linux: Version 10.1.0.3.0 - Production

Auditing Actions Taken on Behalf of the Real User
Audit SELECTs on the EMPLOYEES table that HRAPPSERVER initiates for PHALL as follows:
    AUDIT SELECT TABLE ON employees BY hrappserver ON BEHALF OF phall;
Audit SELECTs on the EMPLOYEES table that HRAPPSERVER initiates for any user as follows:
    AUDIT SELECT TABLE ON employees BY hrappserver ON BEHALF OF ANY;
The statements in this slide audit only SELECTs initiated by HRAPPSERVER. You cannot audit CONNECT ON BEHALF OF DN.

Data Dictionary Views: DBA_STMT_AUDIT_OPTS
DBA_STMT_AUDIT_OPTS describes current system auditing options.
- USER_NAME column:
  - ANY CLIENT: Access by a proxy is audited
  - NULL: Systemwide auditing
- PROXY_NAME column:
  - The name of the proxy user performing an operation for the client
  - NULL if the client is performing the operation directly

Data Dictionary Views: DBA_AUDIT_TRAIL
These views list audit-trail entries:
- DBA_AUDIT_TRAIL
- USER_AUDIT_TRAIL
The COMMENT_TEXT column can indicate how the user has been authenticated:
- DATABASE: Authentication done by the password
- NETWORK: Authentication done by Net8 or the Advanced Security option
- PROXY: Authentication by another user

Practice 9 Overview: Implement Proxy Authentication
This practice covers the following topics:
- Implementing and testing database proxy authentication
- Implementing EUS proxy

Summary
In this lesson, you should have learned how to:
- Describe how proxy authentication works
- Manage users being authenticated by using proxy authentication
- Audit users authenticated by proxy
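A worked walk-through of the database-user proxy grant from "Using Proxy Authentication for Database Users" and "Proxy Access Through SQL*Plus" above, extended with the WITH ROLE clause that limits what the middle tier may activate (the "Limiting the privilege of the middle tier" point, reported by DBA_PROXIES as AUTHORIZATION_CONSTRAINT). This is an added example, not code from the course; it assumes a DBA session on an Oracle 10g-era database, the accounts APPSRV and PHALL, and a role HR_READONLY that PHALL already holds (all names assumed).

```sql
-- Added example, not from the course slides. Assumes accounts APPSRV (middle
-- tier) and PHALL (end user) and a role HR_READONLY granted to PHALL.

-- 1. As DBA: grant the proxy right, but let APPSRV activate only HR_READONLY
--    on PHALL's behalf. Without WITH ROLE the proxied session receives every
--    default role PHALL holds, which is usually more than the middle tier needs.
ALTER USER phall GRANT CONNECT THROUGH appsrv WITH ROLE hr_readonly;

-- 2. As DBA: confirm the constraint before the middle tier goes live.
SELECT proxy, client, authentication, authorization_constraint
FROM   dba_proxies
WHERE  client = 'PHALL';
-- Expected row: APPSRV  PHALL  NO  PROXY MAY ACTIVATE ROLE

-- 3. In SQL*Plus: connect as the proxy on behalf of the end user. Only APPSRV's
--    password is supplied; PHALL's password is never needed by the middle tier.
CONNECT appsrv[phall]/appsrv_pwd

-- 4. In the proxied session: check who the database thinks you are.
--    SESSION_USER is the real user, PROXY_USER the middle tier, so auditing
--    and access control keyed on the session user see PHALL, not APPSRV.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS real_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS middle_tier
FROM   dual;
-- Expected: PHALL  APPSRV

-- 5. In the proxied session: only the constrained role is active.
SELECT role FROM session_roles;
-- Expected: HR_READONLY (no other role of PHALL's)

-- 6. As DBA: locate proxied sessions; the slides note that V$SESSION reports
--    "proxy-user" in the PROGRAM and MODULE columns for them.
SELECT sid, username, program, module
FROM   v$session
WHERE  program = 'proxy-user' OR module = 'proxy-user';

-- 7. As DBA: remove the proxy right when the middle tier is decommissioned.
ALTER USER phall REVOKE CONNECT THROUGH appsrv;
```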

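An added example (not from the course) that ties together the "Application-User Model" and "Auditing Actions Taken on Behalf of the Real User" slides: recording who really acted, both when the end user is a database user proxied by HRAPPSERVER and when the end user is known only to the application and is tagged via client_identifier. It assumes AUDIT_TRAIL=DB, a middle-tier account HRAPPSERVER allowed to CONNECT THROUGH to PHALL, an application user "jsmith" that has no database account, and that the ON BEHALF OF clause attaches to a statement option (SELECT TABLE) as in the AUDIT statement's auditing_by_clause; all names are assumed.

```sql
-- Added example, not from the course slides. Assumes AUDIT_TRAIL=DB, proxy
-- HRAPPSERVER with CONNECT THROUGH to PHALL, and application user "jsmith".

-- Part A: real user known to the database (proxy authentication).
-- Audit every SELECT TABLE statement the middle tier issues on PHALL's
-- behalf. Direct logins by PHALL, or by HRAPPSERVER itself, are not covered.
AUDIT SELECT TABLE BY hrappserver ON BEHALF OF phall;

-- Verify the option: PROXY_NAME is the middle tier, USER_NAME the client
-- (it would read ANY CLIENT had ON BEHALF OF ANY been used).
SELECT user_name, proxy_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
WHERE  proxy_name = 'HRAPPSERVER';

-- Part B: real user unknown to the database (application-user model).
-- The middle tier tags its pooled session with the application user's name
-- so audit records and access-control policies can still see the end user.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith');
END;
/
SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS app_user FROM dual;
-- Expected: jsmith

-- Clear the tag before the session goes back to the pool; otherwise the next
-- application user served by this session is recorded as jsmith.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Part C: review the trail. COMMENT_TEXT shows how the session authenticated
-- (DATABASE, NETWORK or PROXY per the slides), CLIENT_ID carries the value
-- set in Part B, and PROXY_SESSIONID links an action to the proxy session
-- that performed it, so each audited row can be traced to a real end user.
SELECT timestamp, username, proxy_sessionid, client_id,
       action_name, obj_name, comment_text
FROM   dba_audit_trail
WHERE  proxy_sessionid IS NOT NULL OR client_id IS NOT NULL
ORDER  BY timestamp;
```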