Summary

Defense in depth for a database application means the application shouldn't be the only security mechanism. To enable database security, you have to follow the simple principle of identity preservation: the database must know which end user it is really working for.

In this chapter, you explored two ways of doing this. The integrated authentication approach uses a common user known to the applications, SSO, and database. The single source of truth for these entities is the LDAP server, which contains the user’s authentication and authorization information. This allows an easy way to create and manage users. This design is also natural and intuitive; the users exist and their privileges can be easily validated.

From a security perspective, this design is ideal. The user is known everywhere, and changes to the user's privilege set are immediately in effect for all applications and databases that are part of the system. If performance becomes an issue in this environment, you can use web session management to assist in database session caching, which eliminates the cost of subsequent connections. You looked at a sample application to illustrate how to do this.

The alternative approach uses connection pools bound to a single database schema. Many people are attracted to this design for performance reasons. With a little work, security can also become part of this solution. Using roles, PL/SQL packages, and Client Identifiers, you built a sample Java application that maintained both performance and security.
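The following is an added example, not the book's sample application, of how the pooled-connection design preserves identity. Every pooled connection logs in as one application schema; before each unit of work the end user's name is attached to the session with DBMS_SESSION.SET_IDENTIFIER, and it is removed with DBMS_SESSION.CLEAR_IDENTIFIER before the connection goes back to the pool. The class name IdentityPreservingDao, the SessionWork interface and the use of a generic javax.sql.DataSource as the pool are assumptions made for the example.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

/**
 * Identity-preserving data access over a connection pool bound to a single
 * application schema (example code; class and interface names are assumed).
 * The end user's identity travels with the session as the Client Identifier,
 * so database-side code and the audit trail can see who the real user is.
 */
public class IdentityPreservingDao {

    /** Any JDBC pool whose connections log in as the one application schema. */
    private final DataSource pool;

    public IdentityPreservingDao(DataSource pool) {
        this.pool = pool;
    }

    /** Unit of work executed on a session that carries the end user's identity. */
    @FunctionalInterface
    public interface SessionWork<T> {
        T apply(Connection conn) throws SQLException;
    }

    /**
     * Borrows a pooled connection, tags it with the end user, runs the work,
     * and guarantees the tag is cleared before the connection is returned.
     */
    public <T> T runAs(String endUser, SessionWork<T> work) throws SQLException {
        try (Connection conn = pool.getConnection()) {
            setClientIdentifier(conn, endUser);
            try {
                return work.apply(conn);
            } finally {
                // Clearing in finally is the critical step: without it the next
                // borrower of this connection would inherit the previous user's
                // identity, and every downstream check and audit record would lie.
                clearClientIdentifier(conn);
            }
        }
    }

    /** Attaches the end user's name to the current database session. */
    private static void setClientIdentifier(Connection conn, String endUser) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{ call DBMS_SESSION.SET_IDENTIFIER(?) }")) {
            cs.setString(1, endUser);
            cs.execute();
        }
    }

    /** Removes the identity so the session is anonymous again while idle in the pool. */
    private static void clearClientIdentifier(Connection conn) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{ call DBMS_SESSION.CLEAR_IDENTIFIER }")) {
            cs.execute();
        }
    }

    /** Reads the identity back exactly as database-side PL/SQL would see it. */
    public static String identityAsSeenByDatabase(Connection conn) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                 "SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') FROM DUAL");
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /** Usage sketch: the identifier is visible for the duration of the work only. */
    public static String demo(IdentityPreservingDao dao) throws SQLException {
        return dao.runAs("alice", IdentityPreservingDao::identityAsSeenByDatabase); // "alice"
    }
}
```

With the identifier in place, a PL/SQL package or row-level security policy can call SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') to decide what the caller may see, and Oracle's standard audit trail records the value in the CLIENT_ID column of DBA_AUDIT_TRAIL, so the single pooled schema no longer hides who actually issued each statement. The one thing to verify when reviewing such code is that no path returns a connection to the pool with the identifier still set.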

In Chapter 7, you'll look at privileges and database roles in more detail, which will help you understand how to effectively implement and verify access controls for the database. The access controls determine who gets access to what and how. Ultimately, data security relies on proper enforcement of access controls. As illustrated by several examples in this chapter, roles extend security further into the database.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
Year: 2003
Pages: 111
