Using Proxy Authentication with SQLPlus
15 November 2006 at 11:30 CET | In Database, Features and tips, Oracle | 7 Comments
For our web application we’re using a nice Oracle database feature: Proxy Authentication. I only managed to use it in a J2EE application, not in sqlplus or other SQL tools (like TOAD). Today I discovered how to use Proxy Authentication from any tool you like.
First let me explain a little bit about Proxy Authentication. Our application server maintains a pool of database sessions, as most application servers do. This means that each session from this pool uses the same (fixed) database user to connect to the database. Looking in V$SESSION you see tons of sessions from the same user.
This makes it difficult for a DBA to distinguish the sessions. But more importantly, you lose a lot of security functionality in the database:
- SELECT USER FROM DUAL now always returns the same username. This means that views restricting the returned rows based on the currently logged on user no longer work as expected
- Journaling (writing changes to journal tables from database triggers) loses its value since all changes appear to have been made by the same user
- Auditing (insert_user/update_user columns in a table) loses its value since all changes appear to have been made by the same user
- You can no longer easily use database roles to limit access. The user being used for the database connection needs all the roles of all the application users combined. And by default all these roles are enabled when creating a new database connection, unless you add specific code to enable/disable specific roles
The answer to all of this is Proxy Authentication. This process is quite simple. The application server first establishes a connection to the database with the same fixed account. This account is configured to only allow database connections (CREATE SESSION privilege) and nothing else. Once this session is established you can open a proxy connection to another user. This other user is the actual user logged on to the web application (e.g. JSMITH). This immediately gives you all the built-in security features of the database (grants, journaling, auditing, etc).
This is all great, but to open a proxy connection you have to issue an OCI or JDBC call. You can do this from programs you code yourself, like or ADF Faces applications. But for testing and debugging, you also want access to this feature from sqlplus or other SQL tools (like TOAD).
Fortunately this feature was introduced in version 10.2. When connecting, specify “user[proxyuser]” as username. This will try to log you in as “user” and then immediately open a proxy connection to “proxyuser”:
C:\>sqlplus bigappuser[enduser]/bigappuser@dev01
SQL*Plus: Release 10.2.0.1.0 - Production on Wed Nov 15 10:18:27
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Personal Oracle Database 10g Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
ENDUSER@dev01> select user from dual;
USER
------------------------------
ENDUSER
ENDUSER@dev01> select sys_context('USERENV','PROXY_USER') from dual;
SYS_CONTEXT('USERENV','PROXY_USER')
------------------------------
BIGAPPUSER
The same trick also works when logging in with other tools like TOAD. Be sure to use an Oracle Net client version 10.2. If you use 10.1 or any previous version this won’t work.
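The database-side setup that a session like the one above depends on, together with an audit trigger that records both identities. This is an added example, not code from the original post: the account names follow the SQL*Plus session above, while the passwords, the role app_order_role and the table app_orders are hypothetical placeholders, and the script is assumed to be run by a DBA account.

```sql
-- Added example; app_order_role, app_orders and the passwords are
-- hypothetical placeholders. Run as a DBA.

-- 1. Pool account: may log on, nothing else.
CREATE USER bigappuser IDENTIFIED BY "change_me_1";
GRANT CREATE SESSION TO bigappuser;

-- 2. The real end user, holding only the role this user needs.
CREATE ROLE app_order_role;
CREATE USER enduser IDENTIFIED BY "change_me_2";
GRANT CREATE SESSION TO enduser;
GRANT app_order_role TO enduser;

-- 3. Let bigappuser open proxy sessions as enduser, and limit which
--    of enduser's roles are active in such a session.
ALTER USER enduser GRANT CONNECT THROUGH bigappuser
  WITH ROLE app_order_role;

-- 4. Review which accounts may proxy as which users.
SELECT proxy, client FROM proxy_users ORDER BY proxy, client;

-- 5. Audit columns filled by a trigger. USER is the end user;
--    PROXY_USER is the pool account, or NULL for a direct logon.
CREATE TABLE app_orders (
  id            NUMBER PRIMARY KEY,
  amount        NUMBER NOT NULL,
  insert_user   VARCHAR2(30),
  insert_proxy  VARCHAR2(30)
);
GRANT SELECT, INSERT ON app_orders TO app_order_role;

CREATE OR REPLACE TRIGGER app_orders_bi
  BEFORE INSERT ON app_orders
  FOR EACH ROW
BEGIN
  :NEW.insert_user  := USER;
  :NEW.insert_proxy := SYS_CONTEXT('USERENV', 'PROXY_USER');
END;
/
```

A row inserted through bigappuser[enduser] gets insert_user = ENDUSER and insert_proxy = BIGAPPUSER, so the audit trail separates changes made through the application from changes made by a direct logon.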
Update 19 Dec 2006: Jonathan Lewis blogged about this very same feature of using Proxy Authentication with SQLPlus.
Using LiveHTTPHeaders with Firefox 2.0
7 November 2006 at 12:03 CET | In Other | 11 Comments
LiveHTTPHeaders was one of my most often used plug ins for Mozilla Firefox 1.5. It allows you to trace each and every HTTP request being made by your browser and includes all the HTTP headers being sent and received. This includes things like redirects and cookies being set. The plug in proved extremely valuable in debugging our Single Sign On environment. This includes a number of web servers with a user being redirected through different servers during the login process.
Recently I switched from Firefox 1.5 to Firefox 2.0 and found out that the LiveHTTPHeaders plug in wouldn’t run on Firefox 2.0.
Unfortunately the official page still doesn’t have a download that will install on Firefox 2.0. I decided to take a risk and hack the plug in myself to force it to install on Firefox 2.0. It proved to be very simple and it worked! I now have LiveHTTPHeaders running in my Mozilla Firefox 2.0.
If you also want to run LiveHTTPHeaders in Firefox 2.0 you can do one of two things; follow the hard way and make your own hacked plug in, or just download it from my server. Save the file to your local disk and drag-and-drop it from a Windows Explorer to a Firefox window.
If you want to do it the hard way, here are the steps to do it yourself:
- Go to the LiveHTTPHeaders download page
- Right click the “download it” link of the latest version and select “Save Link As…”
- Save the livehttpheaders-0.12.xpi file on your disk
- Rename livehttpheaders-0.12.xpi to livehttpheaders-0.12.zip
- Unzip the file
- Edit install.rdf that is in the unzipped folder
- Replace
<em:maxVersion>1.5+</em:maxVersion>
by
<em:maxVersion>2.0.*</em:maxVersion>
- ZIP all files again in livehttpheaders-0.12-firefox2.0.zip
- Rename livehttpheaders-0.12-firefox2.0.zip to livehttpheaders-0.12-firefox2.0.xpi
- Drag and drop the .xpi file from a Windows Explorer to a Firefox 2.0 window
- The LiveHTTPHeaders Add On will be installed
- After restarting Firefox 2.0 you have a working LiveHTTPHeaders plug in!

