Using Oracle's built-in security features for PHP

Source: Internet
Author: User
Tags: mysql, book, security essentials
Most Web applications today require at least a basic security policy: for example, sites that provide password-protected content, sites with an administrator-only back end, blogs and personal magazines, e-commerce sites, corporate intranets, and so on.

The most common design for building these types of Web application is to put the security policy into the application's business logic, so that the application decides whether a user may access the data in the database. In this model the database's role is only to store data and return it on request. In other words, when the Web application instructs the database to return certain information, the database executes the command directly without checking the user's permissions itself.


In this article, you'll learn how to use Oracle's built-in security features to enforce application security rules at the database level and so improve the overall security of your application. As a side benefit, implementing data access security directly in the database not only improves security but also helps reduce the complexity of the application.


Requirements for database-side security


What happens when you control data access from the Web application? In most cases nothing goes wrong; it is a reasonable solution, especially when the data involved is neither mission-critical nor highly sensitive. This approach is used in many books and online resources. In fact, one popular PHP/MySQL book explicitly argues against creating more than one database user account per application, because "additional users or complex permissions can slow down MySQL execution by checking for more information before an operation continues". That is true, but there are a few things to consider before abandoning the idea of building security into the database itself. Let's look at the following example.


Assume that you are building a content management system (CMS). It uses a database to store the content published on the site. Most of the data is public and may be read by anonymous Web users, but only administrators may modify it. You use a single database account both to read and to modify records, and you enforce security in PHP code by password-protecting the pages that only administrators are allowed to reach.


If the public side of the Web application is hit by SQL injection through a public search form (that is, a form whose input is not handled correctly), the intruder may be able to execute arbitrary SQL statements against every database object the public account can reach. In this case, executing SELECT statements is not in itself a major problem, because the data is public anyway. However, because the public pages and the administration pages share the same database account, the intruder can also execute UPDATE and DELETE statements, or even drop tables from the database.


How can we prevent this? The simplest approach is to give the public database account no permission at all to modify data. Let's look at how Oracle solves this problem.


Oracle Security Essentials Overview


Oracle Database gives Web developers a number of ways to control data access, from managing access to specific database objects such as tables, views, and procedures, down to controlling access to individual rows or columns. Clearly, a discussion of every Oracle security feature and option is beyond the scope of this article. Here we will not go into much detail, but cover only the most basic elements of Oracle data access security:


Authentication and user accounts


Privileges


Role


Authentication and user accounts. As with other databases, every user (database account) requesting access to Oracle must be authenticated. Authentication can be performed by the database, by the operating system, or by a network service. Besides basic password authentication, Oracle supports strong authentication mechanisms such as Kerberos, CyberSafe, RADIUS, and so on.


Roles. An Oracle role is a named set of privileges. Although you can grant privileges to a user account directly, roles greatly simplify user management, especially when you need to manage a large number of users. It is far more efficient to create a small number of manageable roles and then grant each user one or more roles according to that user's security level, not to mention how much easier it becomes to change privileges later.
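The following block is an added example, not code from the original article: it applies the two ideas above (a public account that cannot modify data, and roles as named privilege sets) to the CMS scenario in Oracle SQL. All schema, table, user, role, tablespace and password values are assumed placeholders.

```sql
-- Added example (not from the original article). Run as a privileged
-- administrator such as SYSTEM; on 12c+ connect to the application's PDB
-- so that the short user names below are valid. Tablespace "users" assumed.

-- 1. Schema owner: holds the content table. The PHP tier never connects as it.
CREATE USER cms_owner IDENTIFIED BY "ChangeMe_Owner1" QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW TO cms_owner;

CREATE TABLE cms_owner.articles (
  id        NUMBER        PRIMARY KEY,
  title     VARCHAR2(200) NOT NULL,
  body      CLOB,
  published CHAR(1) DEFAULT 'N' NOT NULL CHECK (published IN ('Y', 'N'))
);

-- Public visitors should see only published rows, so expose a view rather
-- than the base table.
CREATE VIEW cms_owner.published_articles AS
  SELECT id, title, body FROM cms_owner.articles WHERE published = 'Y';

-- 2. Roles: one named privilege set per security level.
CREATE ROLE cms_reader;   -- anonymous Web users
CREATE ROLE cms_editor;   -- administrators

-- Readers get SELECT on the view only; no privilege on the base table at all.
GRANT SELECT ON cms_owner.published_articles TO cms_reader;
-- Editors may read and change everything in the table.
GRANT SELECT, INSERT, UPDATE, DELETE ON cms_owner.articles TO cms_editor;

-- 3. Accounts the PHP application connects with. Each can log in and holds
-- exactly one role; neither owns any object or has DROP ANY TABLE.
CREATE USER cms_public IDENTIFIED BY "ChangeMe_Public1";
GRANT CREATE SESSION, cms_reader TO cms_public;

CREATE USER cms_admin IDENTIFIED BY "ChangeMe_Admin1";
GRANT CREATE SESSION, cms_editor TO cms_admin;

-- Check (run while connected as cms_public): the search query the public
-- pages need works, while the statements an injected payload would try to
-- run are refused with an insufficient-privileges error, because the
-- account was never granted them. Compare the same statements as cms_admin.
--   SELECT title FROM cms_owner.published_articles WHERE title LIKE '%oracle%';
--   DELETE FROM cms_owner.articles;
--   DROP TABLE cms_owner.articles;
```

If SYSTEM lacks GRANT ANY OBJECT PRIVILEGE in your setup, run the two object GRANT statements while connected as cms_owner instead.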
