Oracle® Database JDBC Developer's Guide and Reference 10g Release 1 (10.1), Part Number B10979-01
Middle-tier authentication allows one JDBC connection (session) to act as a proxy for other JDBC connections. An application may need proxy authentication for any of the following reasons:
The middle tier does not know the password of the proxy user. It is sometimes a security concern for the middle tier to know the passwords of all the database users. Proxying avoids this: the middle-tier user is first granted the right to connect through on behalf of the proxy user, for example:
alter user jeff grant connect through scott with role role1, role2;
Having authenticated as "scott", your application can connect as "jeff" using the already authenticated credentials of "scott". Although the created session behaves as if "jeff" had connected normally (using "jeff"/"jeff-password"), "jeff" does not have to divulge its password to the middle tier. The proxy session has access to the schema of "jeff" as well as to whatever the listed roles grant. Therefore, if "scott" wants "jeff" to access its table EMP, the following statements can be used:
create role role1; grant select on EMP to role1;
grant role1 to jeff;  -- role1 must also be granted to jeff, or the proxy session cannot use it
The role clause can also be thought of as limiting "jeff's" access to only those database objects of "scott" that are reachable through the roles in the list. The list of roles can be empty.
Accounting purposes. Transactions made through proxy sessions can be accounted for more precisely: the same user ("jeff") can be proxied under different middle-tier users such as "scott" and "scott2" (assuming "scott" and "scott2" are authenticated), and the transactions that "jeff" makes under each of these proxy sessions can be logged separately.
There are three ways to create proxy sessions in the OCI driver. Roles can be associated with any of the following options:
USER NAME: This is done by supplying the user name and/or the password. The "password" option exists so that database operations made by the user ("jeff") can be accounted for. The SQL clause is:
alter user jeff grant connect through scott authenticated using password;
Omitting the authenticated clause selects the default: authentication using the user name alone, with no password required.
DISTINGUISHED NAME: This is a global name used in lieu of the password of the user being proxied for. The user is created with a global identity, for example:
create user jeff identified globally as 'CN=jeff,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us';
The string after the "globally as" clause is the distinguished name. The proxy privilege is then granted with:
alter user jeff grant connect through scott authenticated using distinguished name;
CERTIFICATE: This passes the credentials of the user to be proxied to the database in encrypted form. The certificate contains the encoded distinguished name. One way of generating it is to create a wallet (using "runutl mkwallet") and then decode the wallet to obtain the certificate. The proxy privilege is then granted with:
alter user jeff grant connect through scott authenticated using certificate;
The following comment and signature of the getProxyConnection() method describe the three proxy types and the properties each of them requires:
/*
 * For creating a proxy connection. All constants are defined
 * in OracleOCIConnectionPool.java.
 *
 * @param proxyType  Can be one of the following types:
 *     PROXYTYPE_USER_NAME
 *         - The normal mode: the user name is given in
 *           PROXY_USER_NAME, as in Oracle8i.
 *     PROXYTYPE_DISTINGUISHED_NAME
 *         - The distinguished name of the user is given in
 *           PROXY_DISTINGUISHED_NAME.
 *     PROXYTYPE_CERTIFICATE
 *         - The proxy certificate is given in PROXY_CERTIFICATE.
 *
 * @param prop  The Properties should be set as follows:
 *     If PROXYTYPE_USER_NAME:
 *         PROXY_USER_NAME and/or PROXY_PASSWORD, depending on how the
 *         connection-pool owner was authenticated to act as proxy for
 *         this proxy user.
 *             PROXY_USER_NAME (String) = user to be proxied for
 *             PROXY_PASSWORD (String)  = password of the user to be proxied for
 *     else if PROXYTYPE_DISTINGUISHED_NAME:
 *         PROXY_DISTINGUISHED_NAME (String) = (global) distinguished name
 *             of the user to be proxied for
 *     else if PROXYTYPE_CERTIFICATE:
 *         PROXY_CERTIFICATE (byte[]) = certificate containing the encoded
 *             distinguished name
 *     PROXY_ROLES (String[]) = set of roles which this proxy connection
 *         can use. Roles can be null, and can be associated with any of
 *         the above proxy methods.
 *
 * @return   connection object
 *
 * Notes: The user and password used to create OracleOCIConnectionPool()
 *        must be allowed to act as proxy for the user being proxied for.
 */
public synchronized OracleConnection getProxyConnection(String proxyType,
                                                        Properties prop)
    throws SQLException
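The USER NAME proxy type end to end, as an added example that is not code from the guide: the pool authenticates as "scott", opens a proxy session for "jeff" restricted to role1, and then asks the database what it recorded for the session. The JDBC URL, the password placeholder and the assumption that scott has already been granted connect-through for jeff with role1 are assumptions, not values from the page.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleOCIConnectionPool;

public class ProxySessionCheck {
    // Assumed connection details; placeholders, not values from the guide.
    private static final String URL = "jdbc:oracle:oci:@ORCL";
    private static final String POOL_USER = "scott";   // the middle-tier user
    private static final String POOL_PASSWORD = "<scott-password>";
    public static void main(String[] args) throws SQLException {
        // The pool authenticates once as scott, which must already hold
        // "connect through" for jeff (the ALTER USER statements above).
        OracleOCIConnectionPool pool = new OracleOCIConnectionPool(
                POOL_USER, POOL_PASSWORD, URL, new Properties());
        // USER NAME proxy type without a password: jeff's password never
        // reaches the middle tier. PROXY_ROLES narrows the session to role1.
        Properties prop = new Properties();
        prop.put(OracleOCIConnectionPool.PROXY_USER_NAME, "jeff");
        prop.put(OracleOCIConnectionPool.PROXY_ROLES, new String[] { "role1" });
        OracleConnection conn = pool.getProxyConnection(
                OracleOCIConnectionPool.PROXYTYPE_USER_NAME, prop);
        try {
            printSessionIdentity(conn);
        } finally {
            conn.close();   // returns the proxy session to the pool
            pool.close();
        }
    }

    // What the database records for the session: SESSION_USER is jeff while
    // PROXY_USER stays scott (the basis for per-proxy accounting/auditing),
    // and SESSION_ROLES lists only the roles enabled for this proxy session.
    static void printSessionIdentity(OracleConnection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            ResultSet rs = st.executeQuery("SELECT SYS_CONTEXT('USERENV','SESSION_USER'),"
                    + " SYS_CONTEXT('USERENV','PROXY_USER') FROM DUAL");
            if (rs.next()) {
                System.out.println("session user=" + rs.getString(1) + " proxy user=" + rs.getString(2));
            }
            rs = st.executeQuery("SELECT role FROM session_roles ORDER BY role");
            while (rs.next()) {
                System.out.println("active role=" + rs.getString(1));
            }
        }
    }
}
```

With the grants shown earlier in place, the first query reports jeff as the session user and scott as the proxy user, and the role listing contains only role1, which is the check an operator can use to confirm that a proxy session carries no more privilege than intended.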