tags:

views:

334

answers:

4
+4  Q: 

Allowing oracle db login only to specific application?

We want to allow DB access (Oracle) to our users only through our own application - let's call it "ourTool.exe", installed locally on the users computers. Currently, the users must provide username/password whenever they start "ourTool". The provided password password gets decrypted and we use username/decrypted-password to finally log in to the Oracle DB. This approach prevents the users from directly accessing our DB using third party tools (SQLplus, Excel, Access, ...) and everything in the DB is guaranteed to have been entered/edited using "ourTool".

Now, one of our clients wants to allow its users "single sign-on" (with SmartCards/Oracle PKI). With this, the user will be able connect to our DB without providing any password every time they start "ourTool". But the same will be true for the potentially dangerous tools like SQLplus, Excel, Access, etc.

Is there a way to prevent this? How can we make sure that every record in our DB is only created/edited/deleted using "ourTool" in this scenario?

+2  A: 

By default, OCI transmits the calling application EXE name and you can access it by querying v$session:

SELECT  program
FROM    V$SESSION

, which you can do in an AFTER LOGON trigger.

But this can be easily overriden and should not be relied upon.

Quassnoi  2009-06-17 14:20:30
+1 - it will prevent accidental login via sql tools.
Vincent Malgrat  2009-06-17 14:26:47
+2  A: 

Since it's your application and you have control of the source, you can use either password protected database roles or Secure Application Roles that are enabled from ourTool.exe. (see http://www.oracle.com/technology/obe/obe10gdb/security/approles/approles.htm ).

For example, with a password-protected database role, the initial connection would be with only the CREATE SESSION privilege, and then ourTool.exe would issue the SET ROLE with password known only to you. Any other application doesn't have the information to set the role. Obviously, the privileges are granted only to the role and not directly to the user in this configuration.

dpbradley  2009-06-17 14:36:23
Be careful about embedding the PW in the source - there are many tools to allow you to see the embedded ASCII strings in an executable.
DCookie  2009-06-17 14:42:43
good point - yes, you do have to come up with some way of obfuscating the string in the .exe
dpbradley  2009-06-17 14:47:53
Unless you are securing the network traffic, they could still pick up the text being passed from the PC to the database. I think SQL*net encryption is part of one of the extra cost options for Enterprise edition.
Gary  2009-06-17 22:23:29
Yes, SQL*Net encryption is still part of the extra cost Advanced Security Option. Both you and DCookie have valid points for the fringe case of someone determined to connect to the database and gain privileges, but I believe the spirit of the original question was how to deal with the average desktop user who has SQL*Plus or ODBC connectivity. I hope Oracle eventually rolls the Adv. Sec. option into the Enterprise Edition - it seems wrong to pay extra for securing a company's product.
dpbradley  2009-06-18 11:46:57
We are going to use the ideas presented here, and we might also include a query on v$session (see answer of Quassnoi). Thanks everyone!
ToastedSoul  2009-06-26 12:06:44
A: 

Can't you use SSO as an authentication method for your application and the rest would be just like before? I'm not sure the way it works (encryption/decryption of oracle password) but you should be able to use SSO as alternative to your current application authentication method (users login/password). Maybe if you can post some more details...?

buddy  2009-06-17 14:36:45
A: 

I can not comment (why?) but in addition to Quassnoi:

I renamed my sqlplus.exe to myTool.exe and after making a connection with myTool.exe

SELECT  program
FROM    V$SESSION
where username = 'SYSTEM';

Returns: myTool.exe

So be aware, as Quassnoi said: although usable in some circumstances it's certainly not bullit proof.

Robert Merkwürdigeliebe  2009-06-18 15:06:33

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security