I have the following business problem to solve in a big legacy application written in PL/SQL and Oracle Forms 6i:
Not allow users to log in using their database accounts.
The whole application has around 50 users who use their database accounts. The audit department doesn’t allow that users know their database accounts passwords.
Rewriting the application to use a new user rights logic (using a table like USERS, only 1 database user, etc.) is out of the question as it’s too much work.
I thought about the following solution to use the existing database users:
Create a table USERS with usernames and new passwords, and somehow use a proxy user. In a package the application will check if the provided password is in line with the table USERS, and then connect as 1 of the 50 database users – so all application logic and user rights can stay the same.
But there is one problem with this workaround – you can’t use „connect” in a package. So I can’t use it.
begin
IF
p_in_user == USER2 AND p_in_pass == XXX
THEN
EXECUTE IMMEDIATE 'conn USER2/Password123'; -- doesn't work, using a proxy neither
END IF;
END;
Does anyone has any ideas?
The audit department doesn’t allow that users know their database accounts passwords
You can use encripted passwords.
Oracle allow to use encripted passwords through profile settings.
You can use a function to encript a clear password:
the clear password is given to end user
and on oracle database the user account is created/changed with the encripted password.
The user use his/her clear password to login and during login Oracle conver this to a encripted password for authentication.
Please confirm is this solution is ok, so I can post an example.
Related
I am using Oracle Apex v5.1 and application is using LDAP authentication.
I have a separate 'Create new user' form in application which is inserting user details such as NT-IDs, privilege into a user table.
Whenever user is logging to application, login password is been taken care by LDAP directory.
I want to know that is there any way to get user details such as full name, email address etc from LDAP directory instead of manual insertion into my user table?
What query I can use, so that User name/Email id will automatically inserted into table once user has created in that Oracle Apex form.
Please help. Thank you.
You can connect to LDAP using PL/SQL APIs, as described by Tim
You could then construct a pipelined function around this to allow you to query using SQL.
For performance, you could create a materialised view on this query.
This technique was also described in a chapter of an APEX book co-authored with John Scott.
We are using Oracle 11gR2 [11.2.0.4] mostly, for package deployment a specific ID's password was needed and at that I put a blind guess with username and as same (password=username),
This was alarming for me, now i want to check same for other users, i have googled but found nothing but to check individual users with their password, Hopefully you got my point?
How can i check this ID's password=username? Any script of code/cursors to check username=password?
Regards,
The way you should be able to check this is by extrating a list of usernames from the database and try to initiate a session with the databases where you use the extracted username as both the username and the password you try to login with.
You could use a bash loop to do so for example.
Is it possible to grant permission for user in table, but only for a specific row in that table. I have a table named PrivateUserInfo where I store users' emails and nicknames: Granting permissions like that: r.db('dbname').table('PrivateUserInfo').grant('testuser', {read: true}); allows them to read everyones data. I want to allow them to read only the row where the id is their username. Setuping a webserver to handle this type of things will defeat the purpose. If I am going to create a webserver then I wouldn't even use permissions in first place and just handle the requests with the web app logged as admin. Which I really want to avoid. This was the main reason I want to use this database.
I'm using Laravel 5. I see Laravel uses .env to connect databases for example DB_USERNAME and DB_PASSWORD, but i want to log in and use my username and password from my form to connect with those values from withim my oracle database with a table name "dba_users" which has the user and password and some others fields
i want to do that becauses each user has their own granted permissions(roles) to certain tables, thus Oracle would managed the user login permissions and not the .env DB_USERNAME.
Any ideas?
Thanks
The real term or question title for this would be "Dynamic Laravel Database Connections" on multi-tenant application. If you google about it you will find a lot of code like this: https://laracasts.com/discuss/channels/tips/set-up-dynamic-database-connection-globally
I would like to know which is the best aproach to do the following. I have a codeignitor aplication and I need to display different views depending on the user permissions.
User authentication: the company I work uses CAS. No worries here. I just have the CAS library and the first thing the user does in order to access my application is to login through CAS. The CAS returns the username like this: "name.surname"
User authorization: We have a MySQL table with something like this:
Permissions table:
username | permission code
tim.cook | 1
adam.hook | 2
1 is admin
2 is normal user
I cannot change any of these (CAS for authentication nor table for roles) and I do not want to use a auth library for that. What would be the best approach for building my website? How about this:
User logs in and then I store his/her username to codeigniter session
Immediately look for the username in the permissions tables and store his/her role code (1 or 2) in the codeigniter session
Everytime there is a need to execute a function in a controller, check first if the session role can do that action or not.
Is there any tutorial, example or snipped of code so that I can see this in action?
Thank you!
You can definitely do it like that. In case a user permission can be changes you should also update the session permission value for critical functions.
You should also only store the hash of the password in the database. Maybe you can use the username as salt for the hashing.