Default USERENV Context

The Oracle Database provides a default application context for each database session. It has the namespace of “USERENV”. Most of the attributes in USERENV are predefined by the database. This namespace is the replacement for the USERENV function provided in earlier versions of the Oracle Database.

As you have seen by the countless USERENV context examples used in this book, there are many useful USERENV attributes that help provide information about the user’s environment. The USERENV attributes give many important details about the database session, such as the client’s IP Address, the session identifier, the name of the proxy user if using proxy authentication, the protocol used to connect to the database, and even how the user authenticated. For a complete listing, see the Oracle Database Security Guide 10g.

Many of the USERENV attributes are instrumental in enforcing specific database security policies. For example, the user’s IP address and authentication mode are available and can be used to govern what a user has access to. The Client Identifier, also an attribute of the default context, can be set by an application and is the only application context value that is audited.

All of the application context attributes are referenced via the SYS_CONTEXT function. The SYS_CONTEXT function takes the namespace as the first parameter and the attribute name as the second parameter and returns the value of the associated attribute. It also takes an optional length value as a third parameter, which truncates the returned value to the number provided.

A useful technique for displaying the attributes you’ll use most often is to create a view consisting of the results of the SYS_CONTEXT function. This requires less typing when checking multiple values, and a DESCRIBE conveniently lists all the attributes.

sec_mgr@KNOX10g>  CREATE OR REPLACE VIEW env     2  AS    3    SELECT SYS_CONTEXT ('userenv', 'session_user')    4                                      session_user,    5           SYS_CONTEXT ('userenv', 'current_user')     6                                      CURRENT_USER,    7           SYS_CONTEXT ('userenv', 'current_schema')    8                                      current_schema,   9            NVL (SYS_CONTEXT ('userenv',   10                             'external_name'),   11                'NULL') external_name,   12           NVL (SYS_CONTEXT ('userenv',   13                             'client_identifier'),   14                'NULL') client_identifier,   15           NVL (SYS_CONTEXT ('userenv',   16                             'client_info'),   17                'NULL') client_info,   18           NVL (SYS_CONTEXT ('userenv',   19                             'proxy_user'),   20                'NULL') proxy_user,   21           SYS_CONTEXT ('userenv',   22                        'audited_cursorid')   23                                   audited_cursorid,   24           SYS_CONTEXT ('userenv', 'entryid')   25                                             entryid,    26           NVL (SYS_CONTEXT ('userenv', 'sessionid'),   27                'NULL') sessionid,   28           SYS_CONTEXT ('userenv', 'isdba') isdba,   29           NVL (SYS_CONTEXT ('userenv',   30                             'ip_address'),   31                'NULL') ip_address,   32           SYS_CONTEXT ('userenv', 'db_name')   33                                            db_name,   34           SYS_CONTEXT ('userenv', 'host') HOST,   35           NVL (SYS_CONTEXT ('userenv',   36                             'network_protocol'),   37               'NULL') network_protocol,   38           NVL (SYS_CONTEXT ('userenv',   39                             'authentication_type'),   40                'NULL') authentication_type,   41           SYS_CONTEXT ('userenv', 'policy_invoker')   42                                      policy_invoker,   43           NVL (SYS_CONTEXT ('userenv',   44                             'current_sql'),   45                'NULL') current_sql   46  FROM DUAL;     View created.    sec_mgr@KNOX10g> GRANT SELECT ON env TO PUBLIC;    Grant succeeded.    sec_mgr@KNOX10g> CREATE PUBLIC SYNONYM env FOR env;    Synonym created.   

A DESCRIBE on the view also has the benefit of allowing you to see what attributes are available:

sec_mgr@KNOX10g> DESC env   Name                         Null?     Type  ----------------------------------------------- -------- -- SESSION_USER                           VARCHAR2(256)  CURRENT_USER                           VARCHAR2(256)  CURRENT_SCHEMA                         VARCHAR2(256)  EXTERNAL_NAME                          VARCHAR2(256)  CLIENT_IDENTIFIER                      VARCHAR2(256)  CLIENT_INFO                            VARCHAR2(256)  PROXY_USER                             VARCHAR2(256)  AUDITED_CURSORID                       VARCHAR2(256)  ENTRYID                                VARCHAR2(256)  SESSIONID                              VARCHAR2(256)  ISDBA                                  VARCHAR2(256)  IP_ADDRESS                             VARCHAR2(256)   DB_NAME                                VARCHAR2(256)  HOST                                   VARCHAR2(256)  NETWORK_PROTOCOL                       VARCHAR2(256)  AUTHENTICATION_TYPE                    VARCHAR2(256)  POLICY_INVOKER                         VARCHAR2(256)  CURRENT_SQL                            VARCHAR2(256)    sec_mgr@KNOX10g> COL session_user format a10  sec_mgr@KNOX10g> COL network_protocol format a10  sec_mgr@KNOX10g> COL authentication_type format a20  sec_mgr@KNOX10g> SELECT session_user, authentication_type, ip_address     2     FROM env;    SESSION_US  AUTHENTICATION_TYPE  IP_ADDRESS  ----------------------- -------------------- -- SEC_MGR     DATABASE              192.168.0.100   

You should view the above attributes and the values they return on your database when connected through various applications. You’ll see the USERENV application context provides useful information that can be used in implementing your security policies.



Effective Oracle Database 10g Security by Design
Effective Oracle Database 10g Security by Design
ISBN: 0072231300
EAN: 2147483647
Year: 2003
Pages: 111

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net