Listing 2

Listing 2

Users:

create user web1 identified by webbie1;
create user web2 identified by webbie2;
create role web_group;
--example of Oracle basic role security
grant connect to web_group;
grant web_group to webbie1;
grant web_group to webbie2;

Tables:

drop table web_schema.web_page;
create table web_schema.web_page (page_id number primary key, content varchar2(4000));
--example of Oracle basic role security
grant select, update, delete on web_page to web_group;
drop table web_schema.web_editor;
-- we are not giving access to the table editors for security reasons
create table web_schema.web_editor
(id varchar2(3), page_id number,editor_code varchar2(15), 
      constraint pk_web_editor primary key(id, page_id));
-- insert some test data into the web_page table
insert into web_schema.web_page values
	(1, '<html><head><title>Main Page</title></head>
     <body>This is web1 page</body></html>');
insert into web_schema.web_page values
    (2, '<html><head><title>Main Page</title></head>
         <body>This is web2 page</body></html>');
-- insert test data into the web_editors table
insert into web_schema.web_editor values ('101', 1, 'author');
insert into web_schema.web_editor values ('102', 2, 'author');
insert into web_schema.web_editor values ('101', 2, 'editor');

Context:

--example of Oracle secure application context 
--create context and procedure that assigns it to the user
   DROP CONTEXT our_context;
CREATE CONTEXT our_context USING manager_schema.app_context;
-- create a procedure to set the context
   CREATE OR REPLACE PROCEDURE app_context (ID VARCHAR2)IS
   BEGIN
    DBMS_SESSION.SET_CONTEXT('our_context','user_id', ID);
   END app_context;
   -- assign appropriate rights
   grant execute on manager_schema.app_context to web_group;

Policy:

-- Create a function for Oracle VPD FGAC security policy
CREATE OR REPLACE FUNCTION 
   fn_page_delete (schema IN varchar2, tab IN varchar2)
  RETURN VARCHAR2 IS
-- function that creates a predicate
-- for the update statement on table web_page
-- and limits access to web pages only to authors
BEGIN
  RETURN 'page_id in '||
     '(select page_id ' ||
	'from 	web_schema.web_editor ' ||
	 'where 	editor_code = ''author'' and ' ||
	         'id = sys_context (''our_context'',''user_id''))';
END fn_page_delete;
/
-- Create and apply security policy to the table 'web_page'
BEGIN
  DBMS_RLS.ADD_POLICY(
   'WEB_SCHEMA',
   'WEB_PAGE',
   'PAGE_EDIT_POLICY',
   'MANAGER_SCHEMA',
   'FN_PAGE_DELETE',
   'DELETE', TRUE);
END;