Oracle security 04-using application contexts

Post on 18-Jun-2015

Transcript of Oracle security 04-using application contexts

云和恩墨 (Enmotech), 成就所托 ("achieving what is entrusted to us"), by 王朝阳, 18516271611, sonne.k.wang@gmail.com

Using Application Contexts

Objectives

After completing this lesson, you should be able to do the following:
• Describe how an application context is used
• Describe the sources of application context values
• Implement a local context
• Implement an application context that is accessed globally

Application Context: Description

An application context is a memory container with attributes:
• The container is called a namespace.
• A namespace has attributes.
• Each namespace is independent of others.
• The namespace is populated by a package.

Namespace

Use the CREATE CONTEXT command to:
• Create a context in a namespace
• Associate a package with the context

Example (namespace HRAPP):

  CREATE CONTEXT hrapp USING hr_context;

Use the SET_CONTEXT procedure to:
• Create attributes
• Set values of attributes

  dbms_session.set_context('hrapp', 'emp_id', v_emp_id);

Using the Application Context

An application context:
• Is read by applications
• Can be used to:
  – Authorize users
  – Limit access to data, called fine-grained access control (FGAC)
  – Set attributes used in the application

Setting the Application Context

• The context attributes are set by a package, which:
  – Creates attributes in the context
  – Assigns values to the attributes of the context
  – Is usually called when a user connects
• Each application can use one or more contexts.
• A context may be used by more than one application.
• USERENV is a built-in context with session properties and is available to all applications.

Application Context Data Sources

• The built-in USERENV context contains session primitives as attributes.
  Example: Client IP address

• A local context uses database objects. The developer sets these attributes.
  Example: The EMPLOYEE_ID column in the EMPLOYEES table

• An externalized context can get values from an external source, such as Oracle Call Interface (OCI).

• A global context uses values from the directory-entry attributes.

Implementing a Local Context

1. Create an application context.
2. Create a PL/SQL package that sets the context.
3. Call the package to set the context attribute.
4. Read the context attribute in the application.

[Diagram: the PL/SQL package sets the application context; the PL/SQL program reads it]

Step 1: Create an Application Context

• Create a unique context. The statement below:
  – Names the context HRAPP
  – Associates it with a package named PKG_HR_CONTEXT
• You can set the context attributes only:
  – In the package named in CREATE CONTEXT
  – In the function associated with a policy
• In the package, set attributes by calling DBMS_SESSION.SET_CONTEXT.
• Alternatively, you can use the Oracle Policy Manager GUI.

  CREATE CONTEXT hrapp USING pkg_hr_context;

Step 2: Create a PL/SQL Package That Sets the Context

Create the PKG_HR_CONTEXT.SET_EMP_ID procedure:
• Use SYS_CONTEXT to get the session username:

  sys_context('userenv', 'session_user');

• Use the session username to get the employee ID:

  SELECT employee_id INTO v_emp_id
    FROM employees
   WHERE email = sys_context('userenv', 'session_user');

• Use SET_CONTEXT to set a context attribute:

  dbms_session.set_context('hrapp', 'emp_id', v_emp_id);

Step 3: Call the Package

Create a logon trigger that calls the PKG_HR_CONTEXT.SET_EMP_ID procedure:

  CREATE OR REPLACE TRIGGER tgr_hr_context_logon
    AFTER LOGON ON DATABASE
  BEGIN
    pkg_hr_context.set_emp_id;
  END;
  /

Step 4: Read the Context Attribute in the Application

• To return an attribute value, use:

  sys_context('hrapp', 'emp_id')

• There are two arguments:
  – Name of the context
  – Name of the attribute
• Example in SELECT:

  SELECT *
    FROM departments
   WHERE manager_id = sys_context('hrapp', 'emp_id');
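The four local-context steps assembled into one script, as an added example that is not the lesson's own code. It assumes the HR sample schema (EMPLOYEES with EMAIL and EMPLOYEE_ID, DEPARTMENTS with MANAGER_ID) and a package owner holding CREATE ANY CONTEXT and ADMINISTER DATABASE TRIGGER; it adds handling for a session user with no employee row, which the slides do not cover, and ends with a call that is expected to fail with ORA-01031 because it runs outside the trusted package.

```sql
-- Step 1: bind the context to the package; only that package may set its attributes
CREATE CONTEXT hrapp USING pkg_hr_context;

-- Step 2: the trusted package populates the context from the session user
CREATE OR REPLACE PACKAGE pkg_hr_context AS
  PROCEDURE set_emp_id;
END pkg_hr_context;
/
CREATE OR REPLACE PACKAGE BODY pkg_hr_context AS
  PROCEDURE set_emp_id IS
    v_emp_id employees.employee_id%TYPE;
  BEGIN
    -- SESSION_USER comes from the built-in USERENV context and is set by the
    -- database at authentication, not supplied by the client
    SELECT employee_id
      INTO v_emp_id
      FROM employees
     WHERE email = sys_context('userenv', 'session_user');
    dbms_session.set_context('hrapp', 'emp_id', v_emp_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Added handling (assumption): a user without an employee row gets no EMP_ID,
      -- so sys_context('hrapp', 'emp_id') stays NULL and predicates on it match nothing
      dbms_session.clear_context('hrapp', NULL, 'emp_id');
  END set_emp_id;
END pkg_hr_context;
/

-- Step 3: populate the context when a user connects
CREATE OR REPLACE TRIGGER tgr_hr_context_logon
  AFTER LOGON ON DATABASE
BEGIN
  pkg_hr_context.set_emp_id;
END;
/

-- Step 4: the application reads the attribute; SYS_CONTEXT behaves like a bind variable
SELECT department_id, department_name
  FROM departments
 WHERE manager_id = sys_context('hrapp', 'emp_id');

-- Negative check: setting the attribute from outside the package raises ORA-01031
BEGIN
  dbms_session.set_context('hrapp', 'emp_id', '999');
END;
/
```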

SYS_CONTEXT PL/SQL Function

• SYS_CONTEXT returns context attributes:

  sys_context('context', 'attribute')

• To return the client IP address from the built-in context, use:

  sys_context('userenv', 'ip_address')

• To return EMP_ID from the HRAPP context, use:

  sys_context('hrapp', 'emp_id')

Application Context Accessed Globally

• Shares a context across sessions
• Simplifies connection pooling from a middle tier
• Uses a client identifier to identify the user of a session

[Diagram: PL/SQL program A in database session 1 and PL/SQL program B in database session 2 both read the same application context held in the SGA, where EMP_ID = 101]

How the Application Context Accessed Globally Works

Sequence between the user, the application server and Oracle 11g:
1. Builds connection pool
2. Logs in
3. Establishes session
4. Processes request
5. Completes request
6. Makes another request
7. Processes second request
8. Logs out
9. Clears context

PL/SQL Packages and Procedures

DBMS_SESSION manages:
• Contexts:

  set_context(context, attribute, value);
  dbms_session.set_context('hrapp', 'emp_id', v_emp_id);

• Global identifiers:

  dbms_session.set_identifier(client_id);
  dbms_session.set_identifier(12345);

Implementing the Application Context Accessed Globally

1. Create the application context accessed globally.
2. Modify the program that establishes a session:
   – Set the application context.
   – Set the session client identifier.
   – Clear the client identifier when the request ends.
3. Modify the application server program that handles subsequent requests in the same session:
   – Set the session client identifier from this session.
   – Clear the client identifier when the request ends.
4. Create or modify the application server program that ends a session to clear the context.

Step 1: Create the Application Context Accessed Globally

• Create the context by using:

  CREATE CONTEXT hrapp USING pkg_hr_context ACCESSED GLOBALLY;

• The ACCESSED GLOBALLY clause indicates that the context can be accessed from multiple sessions.

Step 2: Establish a Session

1. Get a unique value to use as a client identifier.
2. Set the application context:

   dbms_session.set_context(context, attr, value, username, client_id);

   dbms_session.set_context('hrapp', 'id', 'phall', 'APPSMGR', 12345);
   dbms_session.set_context('hrapp', 'dept', 'sales', 'APPSMGR', 12345);

3. Set the session client identifier:

   dbms_session.set_identifier(12345);

4. Save the client identifier in a cookie.

Step 3: Handle Subsequent Requests

1. Get the client identifier from the cookie.
2. Set the client identifier for this session:

   dbms_session.set_identifier(12345);

3. Clear the client identifier when the request ends:

   dbms_session.clear_identifier;

Step 4: End a Session

1. Get the client identifier from the cookie.
2. Clear the context:

   EXEC dbms_session.clear_context('HRAPP', '12345');
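The four globally-accessed-context steps as one PL/SQL package that the middle tier calls around each request, as an added example that is not the lesson's code. It assumes the pooled connection is the database user APPSMGR and that the client identifier is an unguessable value the application keeps in its own session store (the cookie of Steps 2 and 3); the procedure names BEGIN_SESSION, BEGIN_REQUEST, END_REQUEST and END_SESSION are this example's own.

```sql
CREATE CONTEXT hrapp USING pkg_hr_context ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE pkg_hr_context AS
  -- Step 2: called once when the end user logs in to the application
  PROCEDURE begin_session(p_client_id VARCHAR2, p_user VARCHAR2, p_dept VARCHAR2);
  -- Step 3: called at the start and end of every later request on a pooled connection
  PROCEDURE begin_request(p_client_id VARCHAR2);
  PROCEDURE end_request;
  -- Step 4: called when the end user logs out
  PROCEDURE end_session(p_client_id VARCHAR2);
END pkg_hr_context;
/
CREATE OR REPLACE PACKAGE BODY pkg_hr_context AS
  c_pool_user CONSTANT VARCHAR2(30) := 'APPSMGR';  -- assumed pooled database user
  PROCEDURE begin_session(p_client_id VARCHAR2, p_user VARCHAR2, p_dept VARCHAR2) IS
  BEGIN
    -- Attributes live in the SGA keyed by (database user, client identifier), so only a
    -- session running as APPSMGR that presents this identifier can read them
    dbms_session.set_context('hrapp', 'id',   p_user, c_pool_user, p_client_id);
    dbms_session.set_context('hrapp', 'dept', p_dept, c_pool_user, p_client_id);
    dbms_session.set_identifier(p_client_id);
  END begin_session;
  PROCEDURE begin_request(p_client_id VARCHAR2) IS
  BEGIN
    -- Bind this pooled session to the end user; sys_context('hrapp', ...) now resolves
    dbms_session.set_identifier(p_client_id);
  END begin_request;
  PROCEDURE end_request IS
  BEGIN
    -- Unbind before the connection returns to the pool; otherwise the next borrower
    -- of this database session would read the previous user's attributes
    dbms_session.clear_identifier;
  END end_request;
  PROCEDURE end_session(p_client_id VARCHAR2) IS
  BEGIN
    -- Remove only this client identifier's attributes from the SGA
    dbms_session.clear_context('hrapp', p_client_id);
    dbms_session.clear_identifier;
  END end_session;
END pkg_hr_context;
/

-- One request cycle on a pooled connection, with constructed sample values
EXEC pkg_hr_context.begin_session('12345', 'phall', 'sales');
EXEC pkg_hr_context.end_request;
EXEC pkg_hr_context.begin_request('12345');
SELECT sys_context('hrapp', 'id') AS app_user, sys_context('hrapp', 'dept') AS dept FROM dual;
EXEC pkg_hr_context.end_session('12345');
```

Between END_REQUEST and the next BEGIN_REQUEST the same SELECT returns NULL for both columns, because the session no longer carries the client identifier that keys the attributes.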

Data Dictionary Views

SQL> CREATE CONTEXT hrapp USING pkg_hr_context;

Context created.

SQL> SELECT *
  2  FROM dba_context
  3  WHERE namespace = 'HRAPP';

NAMESPACE SCHEMA PACKAGE        TYPE
--------- ------ -------------- ----------------
HRAPP     SYS    PKG_HR_CONTEXT ACCESSED LOCALLY

SQL>

Guidelines

• Attempting to change the context outside of its package results in the following error message:

  ORA-01031: insufficient privileges

• SYS_CONTEXT works much like a bind variable.
• Versioning does not apply to contexts accessed globally.
• There are parallel query and RAC limitations.
• Context sources must be validated.
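How a context attribute drives FGAC while honouring the last two guidelines (SYS_CONTEXT as a bind, validated sources), as an added example that is not the lesson's code: a VPD policy function on HR.EMPLOYEES returns a predicate on the HRAPP context, fails closed when EMP_ID is unset, and references the context by name instead of concatenating its value into the SQL text. It assumes the local HRAPP context populated by PKG_HR_CONTEXT from Step 2; the function name HR_EMP_ROWS_POLICY and policy name EMP_ROWS are this example's own.

```sql
-- Policy function: the database calls it with the schema and table being protected
CREATE OR REPLACE FUNCTION hr_emp_rows_policy(
  p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- Validate the source: an unset EMP_ID (no employee row, or a context that was never
  -- populated) must match no rows rather than silently matching every row
  IF sys_context('hrapp', 'emp_id') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  -- The predicate names the context rather than embedding its value, so the SQL text is
  -- constant (one shared cursor) and the attribute value never becomes SQL syntax
  RETURN 'employee_id = sys_context(''hrapp'', ''emp_id'')'
      || ' OR manager_id = sys_context(''hrapp'', ''emp_id'')';
END;
/

-- Attach the policy for queries and DML; update_check also applies it to new row values
BEGIN
  dbms_rls.add_policy(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ROWS',
    function_schema => 'HR',
    policy_function => 'HR_EMP_ROWS_POLICY',
    statement_types => 'SELECT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- With EMP_ID set by the logon trigger, this returns only the caller's own row and the
-- rows of the employees the caller manages; with EMP_ID unset it returns no rows
SELECT employee_id, last_name, manager_id FROM employees;
```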

Summary

In this lesson, you should have learned how to:
• Use an application context
• Access the sources of application context values
• Implement a local context
• Implement an application context that is accessed globally

Q&A