Chapter 6: Identification and Authentication for Web Applications

In this chapter, you’ll look at two ways of enabling database security through identity propagation. This chapter outlines the necessary steps for linking application security to database security. In the first half of the chapter, you’ll analyze a J2EE application that uses the Oracle Application Server 10g, single sign-on, proxy authentication, and database Enterprise Users. In the second half of the chapter, you’ll look at setting up database security when proxy authentication isn’t used.

Passing information about the user to the database is the most important process in designing and deploying secure database applications. If handled correctly, the result is a well-defined, easily managed environment for users, applications, and data. If done incorrectly, database security will likely be forfeited, resulting in a disconnected architecture and fragmented security. My focus here is on the intersection points necessary for connecting the application securely to the database. In this chapter, security and performance battle head-to-head, and you’ll look at ways to ensure that both can be maintained.

Application Processes for Identification and Authentication

In most web-based applications, users have to authenticate to the application before they can do anything. The application will typically use this information to decide what each end user can see and to mediate the actions they can perform within the application. Application security is necessary, and applications should always provide some security. However, it shouldn’t be the only layer of security. Data security should exist in the database; application security should exist within the application.

The application must work in concert with the database. You must ensure that the user’s identity doesn’t stop at the application tier. The preferred method for accomplishing this task is by using proxy authentication. In instances where proxy authentication can’t be used, you can rely on another technique utilizing PL/SQL packages and/or Client Identifiers, which are discussed later in the chapter. This basic principle of identity propagation is necessary for effective database security.
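The two propagation techniques named above, sketched as an added example in Oracle SQL and PL/SQL (this is not code from the book). The accounts APP_PROXY and JSMITH and both passwords are hypothetical placeholders.

```sql
-- Hypothetical accounts: APP_PROXY is the application server's connection
-- account, JSMITH is an end user. Passwords are placeholders.

-- 1. Proxy authentication. The proxy account holds only CREATE SESSION and
--    is allowed to open sessions on behalf of JSMITH, nothing more.
CREATE USER app_proxy IDENTIFIED BY "placeholder_pw_1";
GRANT CREATE SESSION TO app_proxy;

CREATE USER jsmith IDENTIFIED BY "placeholder_pw_2";
GRANT CREATE SESSION TO jsmith;
ALTER USER jsmith GRANT CONNECT THROUGH app_proxy;

-- Review which accounts each proxy is allowed to reach. Privileged
-- accounts should not appear in the CLIENT column.
SELECT proxy, client FROM proxy_users ORDER BY proxy, client;

-- Run inside a session the application opened for JSMITH through APP_PROXY.
-- SESSION_USER is the end user, so database privileges and auditing apply
-- to that user; PROXY_USER records the account that made the connection.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS db_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS via_proxy
FROM   dual;

-- 2. Without proxy authentication. The application connects as a shared
--    schema and labels the session with the user it has authenticated.
--    The database does not verify this value; it trusts the application.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith');
END;
/

SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS end_user FROM dual;

-- Clear the label before the connection goes back to the pool, so the
-- next request does not inherit the previous user's identity.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/
```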

The first step in this process is application authentication. In many cases, the application server has been configured to perform the actual user authentication. That is, there is no code in the application that checks to see if the user has already authenticated. That job is left to the application server, and it does it quite well. The application is then configured to only allow authenticated and authorized users access.

There are many ways a user can authenticate to the application and/or application server. For this discussion, you really don’t care how the user authenticated as much as you care that they authenticated.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
EAN: 2147483647
Year: 2003
Pages: 111
