Oracle ORDS SQL WEB setup to store app users data - oracle

I am new to development and learning through lot of youtube videos and oracle documentation. I have a question for which I was not able to find a solution online and was hoping someone could help answer it here..
I want to use oracle free tier cloud based autonomous transactional database and create the rest api on it using the below url as a reference.
https://oracle.github.io/learning-library/developer-library/rest-services-for-adb-appDevLive/workshops/freetier/?lab=secure-endpoints#Task1:SecuringtheRESTEndpoint
However my question is if I create a web app where I can get the user to create account using username and password, what is the best practice to store the data and retrive for auth in the oracle database for auth user.
Is there a credentials table where I can store all the username and password details or should I use a encypted table.
Also, Can someone please help advise how to create sql post method query to retrieve the user creds for validation.
Thank you for all your guidence.
Thank you!

In the database you have a schema - this is the collection of objects -
tables
views
stored procedures
rest apis
these are owned by a USER. A database user and schema in Oracle are largely synonymous and a user will have a password.
You then also have your application. Your application most likely also has users. These are completely different users than what you have in the database.
Now, your application COULD use database authentication, but that's highly not recommended. Why? Because then your application users could also theoretically go directly into the database.
It's not clear by your question if you're asking how to manage database usernames and passwords in general or if you mean in terms of your application.
For your application, we recommend you use either our OAuth2 workflows to secure your REST APIs, or you build your own authentication system...for example you could control access to your APIs in the Oracle Cloud using the API Gateway Service.
For managing passwords in the database, you should most definitely NOT store those in a table somewhere. THe user when they get their password, should securely manage that as they would the password to their online banking system.
The web interface we have would work just fine with online password managers like LastPass, but I'm not personally advocating or saying that would be good for your scenario.
Running SQL to find out someone's password isn't really what we do in Oracle. Either you already know it, or you change the password to something so that you definitely know it.

Related

How can people collaborate in the same Oracle DB schema?

We are a team of tens of data analysts. Our main data back-end is an Oracle database. We use personal schemas to do work where we don't need to collaborate with others and we would like to create schemas dedicated to projects where people need to collaborate.
The problem is that in Oracle, one schema is equivalent to one DB user. If we create a schema dedicated to a project, for the purpose of creating DB objects in the context of that project, there will be a single set of credentials (username + password) that needs to be shared by all team members. This has two inconveniences:
if people mistype the credentials, they can block the account for everyone;
it is no longer possible to monitor who did what for security/audit reasons, since everyone uses the same schema;
An alternative would be that only one person uses the Schema user to create objects and assigns privileges to other people in those objects, but that can become quickly cumbersome.
Another alternative is to interact with the DB through R or Python but that means the credentials will be stored in some text file, which is bad for security.
As we see it, the ideal situation is if multiple personal DB users can create objects in the same schema, and if those objects are automatically available for that set of DB users. Is this totally impossible in Oracle? Is this impossible in any major DB? Is this requirement somehow flawed and as such, there is a good reason for why it is not available?
We could compare this collaboration in a DB schema to what commonly happens with people collaborating in a folder, using R, Python or other programming language for data analytics.
Thank you for your advise!
Maybe I miss something but could you not just create a schema that will be used for all users and grant the required privileges to each individual user?
Each user authenticates with his local account and by default uses his local schema and to access the public one you just use the ALTER SESSION SET CURRENT_SCHEMA command.

Creat a new user in Obiee12c

How to create a new user account in OBIEE 12c? What is LDAP?
enter image description here
I go to Application Roles to create a role.
See: Provider Oracle Database (not LDAP)
Honest answer is "it depends".
OBI comes with a security provider which is embedded inside Weblogic where you can manage users and groups.
I say can because that's an approach which Oracle itself does not suggest for production systems. Pretty much every implementation uses some proper enterprise level LDAP or MS Active Directory which is then configured as an additional security provider for the Weblogic backend.
Best first try to understand how security works and then take your decision based on what is the most appropriate for your use case:
https://youtu.be/JUCZwQOmBn8

How to add user into database for BPM Suite

I configure store user into database (SQL Server) on bpm suite v6.4.0. How to insert user into database (don't insert by manual), i want know bpm suite v6.4.0 have library support for this doesn't. I don't find document mention this problem.
Thanks for any idea or your help
Authentication/authorization is delegated to an underlying security configuration. I assume you are configuring your security domain to retrieve login information from database? jBPM has some basic user and group mgmt UI (for creating users / groups etc.) that will push these changes to the underlying service. We do have an adapter for RH-SSO so I would recommend to configure your app server to delegate authentication/authorization to RH-SSO, which could be configured to use a database for storing users.

Prevent applications to log in on Oracle Database

Does anybody knows how could I make a trigger or anything else to prevent people to connect on my database with any kind of applications besides mine?
Note that the super-old-and-unsecure trigger to block few .exe such TOAD or watever does NOT really works, since you can just rename the EXE to MyApplication.exe.
Hints?
An easier method would be to move the security to a role that can be enabled only by your application - see a previous answer of mine here
WIth this method another application may create a session but has no other privileges since the role is not enabled.
You may wish to consider Oracle's Secure Application Roles -- it won't prevent people from logging into the database through a rogue application, but it can prevent them from accessing tables and packages if the application doesn't set the role using the password that only it knows.
You can find an tutorial on deploying it here, although to secure it, you'd have to create the role with a password, and your application would have to know the password when issuing the SET ROLE rolename IDENTIFIED BY rolepassword; statement.
I don't know that Oracle has any functionality to help with this (I could be wrong though) so the next best thing might be to write a small server app that lets you have much better control over the login process and acts as the middle-man between the client apps and the database server. That way, all connections to the database come through your server app, and you can control how your server identifies which client app is legit. This will add a bit of complexity to the system though.
If you don't trust the program name in v$session then the only options that come to mind are to have your application encode the password, so that what they type in isn't actually what's used to connect to the DB; or have your app log in with a private username/password and authenticate users against your own users table instead of having Oracle user accounts for them. Both options make management of accounts more complicated though.
When your application logs on, you call a stored procedure that associates the current oracle session as a "trusted" session. Do this by creating a trusted sessions table with a field for sessionID and trusted bit (and optionally a random hash to prevent user tampering).
Create a system wide trigger, that checks the your current session id (and random hash) to detect if it is trusted. If the session doesn't exist in the table, you don't allow the query, and log off the user.
You should also setup a shutdown trigger to clear the trusted session table on exit.

Windows Authentication to Oracle for domain group

I know that it is possible to use "OS authentication" to authenticate Windows users in Oracle database. The process is basically passing current Windows user id to Oracle for authentication.
The question is - is it possible to authenticate domain group in Oracle (as it is possible with SQL Server integrated security), so that there would be no need to create separate database user for each domain member?
It is possible.
Oracle has a whitepaper on this, and here's a tutorial,
I don't think this is possible, but I would love to be proven wrong.

Resources