4 Replies Latest reply: Dec 10, 2012 7:35 AM by 85592

Identification of access method

85592 Newbie
We have a third-party package built on top of Oracle RDBMS.

The security in the package more or less assumes that people are coming
in via the application server with its forms and accoutrements.

We would like to know of good methods for determining what
alternative access method a user might be using (SQL Plus, ODBC, JDBC)
and how to limit users to only the application front end.

User profile was looked at long ago, maybe it has improved? It got
us part way but really didn't fill the holes.
  • 1. Re: Identification of access method
    sb92075 Guru
    es3960 wrote:
    > We have a third-party package built on top of Oracle RDBMS.
    >
    > The security in the package more or less assumes that people are coming
    > in via the application server with its forms and accoutrements.
    >
    > We would like to know of good methods for determining what
    > alternative access method a user might be using (SQL Plus, ODBC, JDBC)
    > and how to limit users to only the application front end.
    >
    > User profile was looked at long ago, maybe it has improved? It got
    > us part way but really didn't fill the holes.

    Oracle does not know or care about the "flavor" (OCI, jdbc, odbc, etc.) of the remote client;
    and has no way to determine it; but V$SESSION.PROGRAM might be a partial solution.
  • 2. Re: Identification of access method
    Hoek Guru
    > User profile was looked at long ago, maybe it has improved?

    Consult/search the docs @ http://www.oracle.com/pls/db112/homepage and find out yourself.

    Furthermore you might want to check the Database Security Forum @ https://forums.oracle.com/forums/category.jspa?categoryID=510

    Be clear about 'the holes' and also make a habit out of posting your database version.
    See: {message:id=9360002}
  • 3. Re: Identification of access method
    85592 Newbie
    So, you are saying there may be a solution depending on my database version?

    I am using 10 and moving into 11.
  • 4. Re: Identification of access method
    6363 Guru
    es3960 wrote:
    > We have a third-party package built on top of Oracle RDBMS.
    >
    > The security in the package more or less assumes that people are coming
    > in via the application server with its forms and accoutrements.

    This means there is no security implemented in the application.

    > We would like to know of good methods for determining what
    > alternative access method a user might be using (SQL Plus, ODBC, JDBC)
    > and how to limit users to only the application front end.

    There aren't any good methods for this.

    > User profile was looked at long ago, maybe it has improved? It got
    > us part way but really didn't fill the holes.

    Unfortunately all the holes are in the application so you won't be able to fill them in the database.

    The vendor should fix the application or you should look for an application that is secure if security is a requirement.
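
Added example, not part of the original thread or any poster's code: one way to get visibility into how users connect, building on the V$SESSION.PROGRAM suggestion in reply 1. It records each logon with the client-reported program and host, then lists logons that did not originate from the application server. The names `logon_audit`, `trg_logon_audit` and the host `APPSRV01` are hypothetical, and the trigger owner is assumed to hold a direct `SELECT` grant on `sys.v_$session`.

```sql
-- Added example (not from the thread). Hypothetical names:
-- logon_audit, trg_logon_audit, 'APPSRV01' (the application server host).
-- Assumes the owner has: GRANT SELECT ON sys.v_$session TO <owner>;

CREATE TABLE logon_audit (
  logon_time  DATE,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(255),
  host        VARCHAR2(255),
  ip_address  VARCHAR2(64),
  program     VARCHAR2(64)
);

CREATE OR REPLACE TRIGGER trg_logon_audit
AFTER LOGON ON DATABASE
DECLARE
  v_program VARCHAR2(64);
BEGIN
  -- PROGRAM is reported by the client, so it is a hint, not proof:
  -- a renamed executable or a custom client can report any value.
  SELECT program INTO v_program
  FROM   v$session
  WHERE  sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));

  INSERT INTO logon_audit
  VALUES (SYSDATE,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          v_program);
EXCEPTION
  WHEN OTHERS THEN NULL;  -- an audit failure must not block logons
END;
/

-- Review: logons that did not come from the application server host.
SELECT db_user, os_user, host, ip_address, program,
       COUNT(*) AS logons, MAX(logon_time) AS last_seen
FROM   logon_audit
WHERE  UPPER(host) <> 'APPSRV01' OR host IS NULL
GROUP  BY db_user, os_user, host, ip_address, program
ORDER  BY last_seen DESC;
```

This gives detection rather than enforcement: because the program and host values come from the client, the report shows which access paths are in use but does not close the gaps the last reply describes.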
