Oracle® TopLink Developer's Guide 10g (10.1.3.1.0) B28218-01
You can configure a database login to use Oracle Database proxy authentication with an Oracle Database platform in JSE applications and JEE applications using OC4J native or managed data sources with Oracle JDBC driver release 10.1.0.2.0 or later and external connection pools only.
There is no TopLink Workbench support for this feature. To configure TopLink to use Oracle Database proxy authentication, you must use Java (see "Using Java").
For more information, see "Oracle Database Proxy Authentication".
You can use TopLink support for Oracle Database proxy authentication by doing the following:
Providing Authenticated Reads and Writes of Secured Data Through the Use of an Exclusive Isolated Client Session
Providing Authenticated Writes for Database Auditing Purposes With a Client Session
Providing Authenticated Reads and Writes With a Database Session
Providing Authenticated Reads and Writes of Secured Data Through the Use of an Exclusive Isolated Client Session
In this configuration, the client session is an isolated client session (see "Isolated Client Sessions") that uses an exclusive proxy connection. You must acquire the client session using a ConnectionPolicy that specifies the proxy authentication user credentials. Reads and writes of secured data are performed through the proxy-authenticated connection. Reads of nonsecured data occur through nonproxy-authenticated connections.
If you are using Oracle Virtual Private Database (VPD) (see "Isolated Client Sessions and Oracle Virtual Private Database (VPD)"), use this configuration to set up VPD support entirely in the database. That is, rather than making the isolated client session execute SQL (see "PostAcquireExclusiveConnection Event Handler" and "PreReleaseExclusiveConnection Event Handler"), the database performs the required setup in an after-login trigger using the proxy session_user.
Providing Authenticated Writes for Database Auditing Purposes With a Client Session
In this configuration, isolated data and exclusive connections are not required. You must acquire the client session using a ConnectionPolicy that specifies the proxy authentication user credentials.
Writes are performed through the proxy-authenticated connection. Reads occur through nonproxy-authenticated connections. This enables the database auditing process to identify the user that performed the write operations.
Providing Authenticated Reads and Writes With a Database Session
In this configuration, you use a DatabaseSession object with a proxy-authenticated login. All reads and writes occur through the proxy-authenticated connection.
Note: Oracle recommends that you exclusively use server and client sessions in a three-tier environment. Do not use database sessions in a three-tier environment. Ensure that a database session is used by a single user and not accessed concurrently.
You configure Oracle Database proxy authentication by customizing your session in Java code, for example through a SessionCustomizer when using the sessions.xml file. Wrap the JNDIConnector of a configured TopLink DatasourceLogin with the TopLink proxy connector (from oracle.toplink.platform.database.oracle) appropriate for your JDBC driver, and set the proxy authentication properties on the login.
If you are using the Oracle JDBC OCI driver, use the OracleOCIProxyConnector and property constants defined in oracle.jdbc.pool.OracleOCIConnectionPool.
If you are using the Oracle JDBC Thin driver, use the OracleJDBC10_1_0_2ProxyConnector and the property constants defined in oracle.jdbc.OracleConnection.
The properties to set are shown in Tables a through d.
Note: Property constant names and values are consistent between the two classes except for PROXYTYPE_ constants (such as PROXYTYPE_USER_NAME). In OracleOCIConnectionPool these are of type String and in OracleConnection they are of type int. If you are using the Oracle JDBC Thin driver and OracleJDBC10_1_0_2ProxyConnector, you must always set these properties as a String. For example:
login.setProperty(
    "proxytype", Integer.toString(OracleConnection.PROXYTYPE_USER_NAME));
To configure TopLink to use Oracle Database proxy authentication, do the following:
Decide on the proxy type you want to use and create appropriate users and roles.
User Name Authentication:
To authenticate a proxy user sarah by user name only, create the user account on the Oracle Database using the following:
alter user sarah grant connect through dbadminuser
with roles clerk, reports;
In this case, you will need to set the proxy properties shown in Table 83-2.
User Name and Password Authentication:
To authenticate a proxy user sarah by user name and password, create the user account on the Oracle Database using the following:
alter user sarah grant connect through dbadminuser
authenticated using password
with roles clerk, reports;
In this case, you will need to set the proxy properties shown in Table 83-3.
Distinguished Name Authentication:
To authenticate a proxy user sarah by globally unique distinguished name, create the user account on the Oracle Database using the following:
create user sarah identified globally as
'CN=sarah,OU=americas,O=oracle,L=city,ST=ca,C=us';
alter user sarah grant connect through dbadminuser
authenticated using distinguished name
with roles clerk, reports;
In this case, you will need to set the proxy properties shown in Table 83-4.
Certificate Authentication:
To authenticate a proxy user sarah by encrypted distinguished name, create the user account on the Oracle Database using the following:
alter user sarah grant connect through dbadminuser
authenticated using certificate
with roles clerk, reports;
In this case, you will need to set the proxy properties shown in Table 83-2.
Configure your session login using Java code. Do this through a SessionCustomizer when using the sessions.xml file.
The following example demonstrates how you can wrap the already specified JNDIConnector with the appropriate TopLink proxy authentication connector. You can set the server session's default connection policy to the same proxy authenticated login.
If you use Oracle VPD (see "Isolated Client Sessions and Oracle Virtual Private Database (VPD)"), you should set the connection policy to use exclusive connections, and set the descriptor for secured data to isolated (see "Isolated Client Sessions").
Login login = server.getDatasourceLogin();
// Make sure that external connection pooling is used
login.setUsesExternalConnectionPooling(true);
// Wrap JNDIConnector with either
// OracleOCIProxyConnector or OracleJDBC10_1_0_2ProxyConnector
login.setConnector(
    new OracleOCIProxyConnector(
        ((JNDIConnector)login.getConnector()).getName()));
ConnectionPolicy policy = server.getDefaultConnectionPolicy();
policy.setPoolName(null);
policy.setLogin(login);
// If using Oracle VPD support, set the connection policy to exclusive
policy.setShouldUseExclusiveConnection(true);
Acquire a proxy-authenticated client session by specifying a ConnectionPolicy with this user's credentials.
ConnectionPolicy policy =
    (ConnectionPolicy)server.getDefaultConnectionPolicy().clone();
// Clone the login so the proxy credentials apply to this policy only
Login login = (Login)policy.getLogin().clone();
// Set proxy properties into connection policy's login
login.setProperty("proxytype", OracleOCIConnectionPool.PROXYTYPE_USER_NAME);
login.setProperty(OracleOCIConnectionPool.PROXY_USER_NAME, "sarah");
policy.setLogin(login);
Session session = server.acquireClientSession(policy);
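The procedure above shown end to end for the Oracle JDBC Thin driver, as an added example that is not code from the TopLink guide: a hypothetical SessionCustomizer (class name ThinProxyAuthCustomizer is assumed) wraps the JNDIConnector with OracleJDBC10_1_0_2ProxyConnector, and a helper acquires a client session for a proxy user authenticated by user name and password, passing every proxy property as a String as the note requires and releasing the session when the user's work is done.

```java
import oracle.jdbc.OracleConnection;
import oracle.toplink.jndi.JNDIConnector;
import oracle.toplink.platform.database.oracle.OracleJDBC10_1_0_2ProxyConnector;
import oracle.toplink.sessions.Login;
import oracle.toplink.sessions.Session;
import oracle.toplink.threetier.ConnectionPolicy;
import oracle.toplink.threetier.ServerSession;
import oracle.toplink.tools.sessionconfiguration.SessionCustomizer;

// Hypothetical customizer, registered in sessions.xml so customize() runs on load.
public class ThinProxyAuthCustomizer implements SessionCustomizer {
    public void customize(Session session) {
        ServerSession server = (ServerSession) session;
        Login login = server.getDatasourceLogin();
        // Proxy authentication is supported with external connection pools only.
        login.setUsesExternalConnectionPooling(true);
        // Wrap the existing JNDI data source lookup in the Thin-driver proxy connector.
        String jndiName = ((JNDIConnector) login.getConnector()).getName();
        login.setConnector(new OracleJDBC10_1_0_2ProxyConnector(jndiName));
        ConnectionPolicy policy = server.getDefaultConnectionPolicy();
        policy.setPoolName(null);
        policy.setLogin(login);
    }

    // Acquire a client session whose writes run as the proxy user.
    // With the Thin connector every proxy property, including the int
    // PROXYTYPE_ constant, must be set as a String.
    public static Session acquireProxySession(ServerSession server,
                                              String proxyUser, String proxyPassword) {
        ConnectionPolicy policy =
            (ConnectionPolicy) server.getDefaultConnectionPolicy().clone();
        Login login = (Login) policy.getLogin().clone();
        login.setProperty("proxytype",
            Integer.toString(OracleConnection.PROXYTYPE_USER_NAME));
        login.setProperty(OracleConnection.PROXY_USER_NAME, proxyUser);
        login.setProperty(OracleConnection.PROXY_USER_PASSWORD, proxyPassword);
        policy.setLogin(login);
        return server.acquireClientSession(policy);
    }

    // One client session per end user; release it so the proxy connection
    // returns to the pool and is not reused under another user's identity.
    public static void runAsProxyUser(ServerSession server, String user, String password) {
        Session client = acquireProxySession(server, user, password);
        try {
            // This user's reads and writes (queries, units of work) go here.
        } finally {
            client.release();
        }
    }
}
```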