Dbms_session.set_role problem

hi,
I have developed a form using Developer 6i having different blocks. In a new form instance the role which I assigned works, but when I hide this block and move to other blocks, my role which I assigned in dbms_session.set_role does work on that block and I am getting the message that table or view does not exist.
thanks

hi
Check out the following links. I hope they will help you too.
http://www.amar-padhi.com/oradb_secure_app_roles.html
http://www.psoug.org/reference/dbms_session.html
https://students.kiv.zcu.cz/doc/oracle/appdev.102/b14258/d_sessio.htm
http://www.camden.rutgers.edu/HELP/Documentation/Oracle/server.815/a68001/dbms_ses.htm
http://download.oracle.com/docs/cd/B10500_01/appdev.920/a96612/d_sessi2.htm
sarah

Similar Messages

  • DBMS_SESSION.SET_ROLE in Forms 6

    I created a role called "DATA_ENTRY" and altered it so that the DEFAULT_ROLE property set to "NO".
    I have an application with a customized menu that uses roles in menu security. The role is in the list of menu roles. The application has multiple forms, only one of which is open at a time, with a Main form as the point of entry. Navigation is implemented only through the menu.
    I added code to the PRE-FORM trigger that uses DBMS_SESSION.SET_ROLE to enable the role. With the code in place, the screen opens and the menu is enabled. If I comment out the code, the Menu fails when I open the Main form - which is what I'd expect.
    However, when I navigate to another screen, it acts like the Main form does with the code commented out - i.e., the Menu fails (doesn't load).
    Since DBMS_SESSION.SET_ROLE is a session-level command, I wouldn't think I'd have to include it in every screen.
    I'd appreciate any help. Thanks.

    Could it be that you are opening your other screen in SESSION_MODE=SESSION?

    The forms are opened using New_Form builtin, so the SESSION_MODE doesn't apply.
    In the post-form trigger of the main screen, the role that I enable in the pre-form trigger is shown as disabled. So, of course, it's disabled in the new screen as well.
    I also verified that the UNIQUE_SESSION_ID is the same in pre-form and post_form on both screens.

  • Can I use dbms_session.set_role within AE?

    I am augmenting an existing application with AE. The existing security scheme validates the user, then enables a role (with password) that has been granted update privs for all of the tables in the system. My AE application uses database authentication so users are uniquely identified in the database (no user or password appears in the DAD entry). When I try to duplicate the security functionality in AE, I get "ORA-06565: cannot execute SET ROLE from within stored procedure". Is there a way to accomplish this?
    Secondly, even without enabling the role, the application seems to work even though it should not. When using the same user to connect thru Toad, updates are not allowed. Modifications made thru the application use the "user" pseudocolumn and the user is identified correctly (not HTMLDB_PUBLIC_USER) and the user is not set in AE as a user or developer.
    I'm confused.
    Bob

    Bob,
    No, the set_role won't work within stored procedures.
    The privileges required to update your tables are owned by the schema itself. This schema is your application's parsing schema and is the schema that all SQL and PL/SQL in your application is parsed as.
    To control access to data based on the authenticated user (user or sys_context('userenv','session_user')), you can use the VPD feature.
    Scott

  • Problem creating Network ACL for a ROLE in Oracle 11gR2

    According to Oracle Documentation when you create a new Network ACL you can add privileges to a user or role.  I need to create a new ACL for the UTL_SMTP package for a specific role, but when I granted it the users who have that role are still getting the "ORA-24247: network access denied by access control list (ACL)" error when they try to send an email.  If I grant the ACL privilege to the same users directly it works fine.  Is there any step I'm missing?  This is the test I have made on my Solaris 10 - Oracle 11gR2 (11.2.0.3) Standard Edition server:
    SQL*Plus: Release 11.2.0.1.0 Production on Wed Aug 21 09:31:52 2013
    Copyright (c) 1982, 2010, Oracle.  All rights reserved.
    SQL> CONNECT system/******@testdb
    Connected.
    SQL> SET LINES 1000
    SQL> SELECT * FROM v$version;
    BANNER
    Oracle Database 11g Release 11.2.0.3.0 - 64bit Production
    PL/SQL Release 11.2.0.3.0 - Production
    CORE    11.2.0.3.0      Production
    TNS for Solaris: Version 11.2.0.3.0 - Production
    NLSRTL Version 11.2.0.3.0 - Production
    SQL> COLUMN host FORMAT A20
    SQL> COLUMN lower_port FORMAT 99999
    SQL> COLUMN upper_port FORMAT 99999
    SQL> COLUMN acl FORMAT A40
    SQL> COLUMN acl FORMAT A40
    SQL> COLUMN principal FORMAT A15
    SQL> COLUMN privilege FORMAT A10
    SQL> COLUMN is_grant FORMAT A8
    SQL> COLUMN status FORMAT A10
    SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
    no rows selected
    SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
    no rows selected
    SQL> CREATE USER testacl IDENTIFIED BY testacl;
    User created.
    SQL> GRANT CONNECT TO testacl;
    Grant succeeded.
    SQL>
    SQL> BEGIN
      2     dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL',true,'connect');
      3     dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
      4     commit;
      5  END;
      6  /
    PL/SQL procedure successfully completed.
    SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
    HOST                 LOWER_PORT UPPER_PORT ACL
    localhost                    25         25 /sys/acls/test_smtp.xml
    SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
    ACL                                      PRINCIPAL       PRIVILEGE  IS_GRANT
    /sys/acls/test_smtp.xml                  TESTACL         connect    true
    After creating this ACL I test it like this:
    SQL> CONNECT testacl/testacl@testdb
    Connected.
    SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
    HOST                 LOWER_PORT UPPER_PORT PRIVILEGE  STATUS
    localhost                    25         25 connect    GRANTED
    SQL> DECLARE
      2     c utl_smtp.connection;
      3  BEGIN
      4     c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
      5     utl_smtp.helo(c, 'localhost');
      6     utl_smtp.mail(c, 'Oracle11.2');
      7     utl_smtp.rcpt(c, '[email protected]');
      8     utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
      9     utl_smtp.quit(c);
    10  END;
    11  /
    PL/SQL procedure successfully completed.
    SQL>
    This works fine and I receive the email correctly.  Now if I try to do the same thing for a role:
    SQL> CONNECT system/******@testdb
    Connected.
    SQL> BEGIN
      2     dbms_network_acl_admin.drop_acl('test_smtp.xml');
      3     commit;
      4  END;
      5  /
    PL/SQL procedure successfully completed.
    SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
    no rows selected
    SQL> CREATE ROLE testacl_role;
    Role created.
    SQL> GRANT testacl_role TO testacl;
    Grant succeeded.
    SQL> ALTER USER testacl DEFAULT ROLE ALL;
    User altered.
    SQL>
    SQL> BEGIN
      2     dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL_ROLE',true,'connect');
      3     dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
      4     commit;
      5  END;
      6  /
    PL/SQL procedure successfully completed.
    SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
    HOST                 LOWER_PORT UPPER_PORT ACL
    localhost                    25         25 /sys/acls/test_smtp.xml
    SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
    ACL                                      PRINCIPAL       PRIVILEGE  IS_GRANT
    /sys/acls/test_smtp.xml                  TESTACL_ROLE    connect    true
    SQL>
    And now I test it again with the same user:
    SQL> CONNECT testacl/testacl@testdb
    Connected.
    SQL>
    SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
    no rows selected
    SQL> DECLARE
      2     c utl_smtp.connection;
      3  BEGIN
      4     c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
      5     utl_smtp.helo(c, 'localhost');
      6     utl_smtp.mail(c, 'Oracle11.2');
      7     utl_smtp.rcpt(c, '[email protected]');
      8     utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
      9     utl_smtp.quit(c);
    10  END;
    11  /
    DECLARE
    ERROR at line 1:
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "SYS.UTL_TCP", line 17
    ORA-06512: at "SYS.UTL_TCP", line 267
    ORA-06512: at "SYS.UTL_SMTP", line 161
    ORA-06512: at "SYS.UTL_SMTP", line 197
    ORA-06512: at line 4
    SQL>
    I'm aware that role privileges don't apply inside procedures, functions or packages by default, but this is an anonymous block so it should use the active roles for the user.  I also tried adding a "dbms_session.set_role('TESTACL_ROLE');" at the beginning of the anonymous PL/SQL block but I got the same access error.
    Thanks in advance for any help you can give to me on this question, it would be very hard to grant the ACL to all the individual users as they are more than 1000, and we create more regularly.

    Thanks for your quick reply... I don't have a problem creating the basic ACL with the privileges granted for a user.  The problem appears when I try to create an ACL with privileges for a ROLE.  You can see here http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_networkacl_adm.htm#BABIGEGG that the official Oracle documentation states that you can assign the ACL principal to be a user or role:
    Parameter     Description
    acl           Name of the ACL. Relative path will be relative to "/sys/acls".
    description   Description attribute in the ACL
    principal     Principal (database user or role) to whom the privilege is granted or denied. Case sensitive.
    My issue is that when I try to create the ACL for a role it doesn't work.
    Have you ever created an ACL for a role? If so, please send me an example or let me know which step I might be missing.  Cheers.

  • Reg: dbms_session package

    Hai, Did anybody encounter this kind of problem?
    I have a secured role assigned to the users that will be enforced using dbms_session.set_role package. Till date it is working fine, but when the database profile started giving me the message - Password will expire within x days, the role is not functioning properly. Are they related to each other?
    Can anybody please help me regarding this..

    Hai, Thank you for your reply,
    This is implemented as follows,
    1. Created a secure role in the database.
    2. Altered the user default all except the secure role.
    3. When the user logs in, the role is enabled using dbms_session.set_role.
    This was working fine till date. Also working fine with the newly created users.
    4.Now, the database profile had started giving the grace period when the user logs in along with the ORA-6512 sys.dbms_session. Now the role is not being enforced.
    Is there any relation between this profile and secure roles?

  • Start OWB workflow from APEX

    Hi together,
    My challenge is to start an OWB workflow from an apex procedure.
    Procedure:
    declare
    numb number;
    audit_id number;
    begin
    numb := rtruser_blueprint.exec_api.execute('LOC_A014_OWF_MGR', 'PROCESS', 'LOAD_CALM_DELIVERY', ',', 'DELIVERY_ID_IN=6', audit_id);
    end;
    My problem is the following error:
    ORA-06565: cannot execute SET ROLE from within stored procedure
    This error occurs at the following row in the execute-Procedure in the package exec_api (standard owb execution package):
    dbms_session.SET_ROLE('OWB_D_rtr10201_blueprint');
    dbms_session.SET_ROLE('OWB_O_rtr10201_blueprint');
    If I run this script directly with sqlplus, the procedure works fine. As a result of this, I assume, the problem has to do with the grants which the apex execution user (APEX_PUBLIC_USER) doesn't have in contrast to the blueprint user (which is schema owner)
    More information about the environment setup:
    The apex workspace is bound to the database - user: BLUEPRINT.
    BLUEPRINT has the grant to execute the procedure 'EXECUTE' in the package 'EXEC_API'. The 'EXEC_API' package belongs to the user 'RTRUSER_BLUEPRINT'.
    My concrete question is: Which rights / grants does which user need to execute the procedure directly from APEX?
    Thanks for your help!
    Mirco

    What account were you using when you ran the 'execute_api' procedure from SqlPlus ? Also, all SQL and PL/SQL from APEX is executed as the application's parsing schema id and not the schema used by APEX to connect to the database.

  • Oracle Patchset 10.2.0.5.0 impact on password enabled roles

    Oracle Patchset 10.2.0.5.0 (as well as 11.1.0.7 according to Oracle Support note 745407.1) will affect your password enabled roles security if you grant password enabled role to a user as a DEFAULT role (these users - like firecall ids - don't have to provide password to have this role active after logon). It turns out this is the only impact contrary to Oracle Support (Metalink) note 745407.1 stating that roles granted to other roles are affected as well. After I read the note I've worked with my DBA to assess possible damage to the application I support. Below are the results that I hope might help other people to assess and fix their situation as well (Please don't do the "fix" recommended by note 745407.1 which is to "remove password protection from the role" as this will trash your application security):
    BEFORE THE PATCH:
    SQL*Plus: Release 10.1.0.4.2 - Production on Mon Sep 20 14:45:13 2010
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, Data Mining and Real Application Testing options
    SQL# -- Create Ordinary Oracle Role
    SQL# create role ORACLE_ROLE;
    Role created.
    SQL#
    SQL# -- Create Password Authenticated Role
    SQL# create role PASSW_AUTH_ROLE identified by xxxxxxx;
    Role created.
    SQL#
    SQL# -- Create Another Ordinary Role to be granted to ORACLE_ROLE
    SQL# create role ROLE_TO_OTHER_ROLE;
    Role created.
    SQL#
    SQL# GRANT ROLE_TO_OTHER_ROLE TO ORACLE_ROLE;
    Grant succeeded.
    SQL#
    SQL# -- Create Secure Application Role
    SQL# create role SECURE_APP_ROLE identified using sec_roles;
    Role created.
    SQL# -- sec_roles procedure
    SQL# CREATE OR REPLACE procedure sec_roles AUTHID CURRENT_USER
    2 AS
    3
    4 BEGIN
    5 DBMS_SESSION.SET_ROLE('secure_app_role');
    6 END;
    7 /
    Procedure created.
    SQL#
    SQL# grant execute on SEC_ROLES to public;
    Grant succeeded.
    SQL#
    SQL# SQL# -- Create User Account
    SQL# CREATE USER app_user IDENTIFIED BY "xxxxxxx"
    2 DEFAULT TABLESPACE "USERS01"
    3 TEMPORARY TABLESPACE "TEMP01";
    User created.
    SQL# GRANT CONNECT, ORACLE_ROLE, PASSW_AUTH_ROLE, SECURE_APP_ROLE to app_user;
    Grant succeeded.
    SQL# ALTER USER app_user DEFAULT ROLE ALL;
    User altered.
    connect app_user@XXXXXX
    Enter password: *********
    Connected.
    select * from session_roles;
    ROLE
    CONNECT
    ORACLE_ROLE
    ROLE_TO_OTHER_ROLE
    PASSW_AUTH_ROLE
    Note here that SECURE_APP_ROLE does not appear in the list of active session roles, which is in accordance with Oracle Support (Metalink) note 745407.1 saying that this is the case starting with versions 11.1.0.7 and 10.2.0.4 for Secure Application Roles.
    AFTER THE PATCH APPLIED:
    connect app_user@XXXXXX
    Enter password: *********
    Connected.
    select * from v$version;
    BANNER
    Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bi
    PL/SQL Release 10.2.0.5.0 - Production
    CORE 10.2.0.5.0 Production
    TNS for Solaris: Version 10.2.0.5.0 - Production
    NLSRTL Version 10.2.0.5.0 - Production
    SQL# show user
    USER is "APP_USER"
    SQL#
    SQL# select * from session_roles;
    ROLE
    CONNECT
    ORACLE_ROLE
    ROLE_TO_OTHER_ROLE
    As expected password enabled role PASSW_AUTH_ROLE disappeared from the list of the roles enabled by default. Contrary to the expectations ROLE_TO_OTHER_ROLE that is granted to ORACLE_ROLE but not directly to the user is still active. As it turns out that is not the last surprise.
    In order to test other possible combinations of roles granted to other roles I've created two other roles:
    create role role_to_other_role_2;
    Role created.
    SQL# create role PASSW_AUTH_ROLE_2 identified by xxxxxxxx;
    Role created.
    SQL# grant passw_auth_role_2 to oracle_role
    Grant succeeded.
    SQL# grant PASSW_AUTH_ROLE_2 to PASSW_AUTH_ROLE
    Grant succeeded.
    SQL# grant role_to_other_role_2 to passw_auth_role;
    Grant succeeded.
    Surprisingly after logon password enabled role PASSW_AUTH_ROLE_2, granted through non-password enabled role ORACLE_ROLE, is active without need to provide password to set PASSW_AUTH_ROLE_2 role, which kind of defeats the purpose of Oracle security change in the first place.
    connect app_user@XXXXXX
    Enter password: *********
    Connected.
    select * from session_roles;
    ROLE
    CONNECT
    ORACLE_ROLE
    ROLE_TO_OTHER_ROLE
    PASSW_AUTH_ROLE_2
    Also if we set other password enabled role PASSW_AUTH_ROLE all roles granted to that role become active roles:
    set role passw_auth_role identified by xxxxxxxx;
    Role set.
    select * from session_roles;
    ROLE
    PASSW_AUTH_ROLE
    PASSW_AUTH_ROLE_2
    ROLE_TO_OTHER_ROLE_2
    As we can see this Oracle attempt to solidify role based security leaves some holes, and documentation is confusing and misleading. I expect that there will be more interventions coming in the future and we will need to verify with Oracle if they intend to do changes with role based security in the future that might have much greater impact on applications security models, and potentially cause unwanted downtime.
    Finally, the query to figure out if you are potentially affected is:
    select B.grantee, A.role, B.default_role
    from dba_roles A, dba_role_privs B
    where A.password_required = 'YES'
    and A.role = B.granted_role
    and B.default_role = 'YES';
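
The query above lists only password-protected roles granted directly as default roles. The post also reports a password-protected role becoming active at logon when it is reached through an ordinary default role (PASSW_AUTH_ROLE_2 via ORACLE_ROLE). The following is an added audit query, not part of the original post, that walks the role-grant chain to list those indirect cases as candidates to confirm against session_roles; it assumes the behaviour is as the post observed on 10.2.0.5.

```sql
-- Added example: password-protected roles that a user reaches only through
-- other roles, starting from a role granted to the user as a default role.
SELECT rp.root_user,
       rp.granted_role AS password_role,
       rp.depth,
       rp.grant_path
FROM  (
        SELECT CONNECT_BY_ROOT grantee                 AS root_user,
               granted_role,
               LEVEL                                   AS depth,
               SYS_CONNECT_BY_PATH(granted_role, '/')  AS grant_path
        FROM   dba_role_privs
        -- first hop: a default role granted directly to a database user
        START WITH grantee IN (SELECT username FROM dba_users)
               AND default_role = 'YES'
        -- later hops: roles granted to the role reached in the previous hop
        CONNECT BY NOCYCLE PRIOR granted_role = grantee
      ) rp
JOIN   dba_roles r
ON     r.role = rp.granted_role
WHERE  r.password_required = 'YES'
AND    rp.depth >= 2            -- depth 1 is already covered by the query above
ORDER  BY rp.root_user, rp.grant_path;
```

A row such as APP_USER, PASSW_AUTH_ROLE_2, 2, /ORACLE_ROLE/PASSW_AUTH_ROLE_2 corresponds to the case shown in the post.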

    I think we are also facing this problem. Please let me know if anyone has got any kind of FIX for this.
    We have just migrated from 10.2.0.4.0 to 10.2.0.5.0. All of a sudden a set of code stopped working.
    The query runs before setting up ROLE and a similar query gives an error after setting up the ROLE. If we don't set the ROLE, both queries work fine.
    ======= Code =====
    SELECT granted_role
    FROM DBA_ROLE_PRIVS
    WHERE grantee = '501280629'
    AND granted_role IN ('PICAMG','PICAUS', 'PICAVW', 'PICAOP', 'PICADB')
    AND ROWNUM = 1 ----> this query works before setting up ROLE
    SET ROLE PICADB IDENTIFIED BY XXXXX ----> setting up ROLE
    SELECT granted_role
    FROM DBA_ROLE_PRIVS
    WHERE GRANTEE = '501280629'
    AND granted_role IN ('PICAMG','PICAUS', 'PICAVW', 'PICAOP', 'PICADB') ----> this query does work after setting up ROLE
    Thanks
    Suraj

  • REP-1247: Report contains uncompiled PL/SQ

    hi,
    I have a report with a FORMULA COLUMN.
    When I run my report I get this error: REP-1247: Report contains uncompiled PL/SQ
    When I remove the FORMULA COLUMN it runs without any problem.
    Please help me.

    1- I created a report emp that uses 3 tables: t1, t2, and in a formula t3
    2- I created role emp_role and granted 3 tables (t1,t2,3) to it
    3- I assigned emp_role to the emp report (role name)
    4- I used BeforeReport (DBMS_SESSION.SET_ROLE('EMP_ROLE');
    5- compile all, compile all, ctl+shift+k, ctl+shift+k
    6- created user co20001 and granted EMP_ROLE to this user
    7- when I open this report from a form with user co20001 I get an error (unable to run report)
    and when I run it in the browser as
    http://192.168.0.128:7778/reports/rwservlet?report=c:\erp\emp.jsp+server=rep_formsrv_BI+userid=co20001/co20001@nilper+MIMETYPE=REPORTS+destype=cache+desformat=spreadsheet+desname=hamid.htm
    I get error REP-1247: Report contains uncompiled PL/SQL.
    8- when I grant table t3 directly to co20001 my report runs successfully. Why?
    Please help.

  • ODP Proxy Authentication

    I am trying to use Proxy authentication through the latest version of ODP. I am able to connect but I cannot gain access to the roles available on the Proxy user. Please help determine how this is supposed to work.
    I have a schema owner, owner1, that has a table, test_table, created and access is granted through a role, owner1_crud.
    I have a generic user, gen_user, that has access to the role owner1_crud. gen_user does not have any problem accessing data in owner1.test_table.
    Now I want to create a specific user, user1, that connects through gen_user and has the same access to owner1.test_table that gen_user has, but only when user1 connects via the proxy user.
    CREATE USER user1 IDENTIFIED BY user1_password;
    GRANT CREATE SESSION TO user1;
    ALTER USER user1 GRANT CONNECT THROUGH gen_user WITH ROLES owner1_crud;
    Then with ODP.NET I try the following:
    try
    {
        // Connect as user1 through the proxy user gen_user
        OracleConnection cn = new OracleConnection("Data Source=db;User Id=user1;Proxy User Id=gen_user;Proxy Password=gen_user_password;Pooling=true");
        cn.Open();
        Console.WriteLine("Connected");
        OracleCommand cmd = new OracleCommand("select user, sys_context('USERENV','PROXY_USER') proxy_user from dual", cn);
        OracleDataReader dr = cmd.ExecuteReader();
        dr.Read();
        Console.WriteLine(dr["USER"].ToString() + " " + dr["PROXY_USER"].ToString());
        // Up to this point, everything seems to work fine.
        cmd = new OracleCommand("select count(0) cnt from owner1.test_table", cn);
        dr = cmd.ExecuteReader();
        dr.Read();
        Console.WriteLine(dr["CNT"].ToString());
    }
    catch (OracleException ex)
    {
        Console.WriteLine(ex.Message);
    }
    Console.Read();
    OUTPUT
    =================================
    Connected
    USER1 GEN_USER
    ORA-00942: table or view does not exist
    I want to leave user1 only with CREATE SESSION privilege to make sure user1 can only get meaningful access through the proxy connection. Is there something I need to do to ACTIVATE owner1_crud for user1 when I connect? I have tried SET ROLE ALL, SET ROLE owner1_crud, and DBMS_SESSION.SET_ROLE('OWNER1_CRUD') and nothing works. Is my only alternative to add the owner1_crud role to user1 and keep the password private to prevent user1 from "backdoor" access?
    Thank you in advance.

    If owner1_crud has to be on user1 already, what does the WITH ROLES portion of this statement really do,
    ALTER USER user1 GRANT CONNECT THROUGH gen_user WITH ROLES owner1_crud;
    I am guessing it does the following:
    Assuming user1 has roles owner1_crud and owner2_crud and made a normal connection to the database, user1 would have access to all that owner1_crud and owner2_crud granted.
    Assuming user1 has roles owner1_crud and owner2_crud and made a proxy connection as gen_user to the database, user1 would only have access to all that owner1_crud granted, since that is the only role specified in the above WITH ROLES portion.
    Is that how it works?

  • Application Module connection

    Hallo,
    I have problem finding where db connection is already started. Following Steve Muench example of Dynamic JDBC credentials I have registered DynamicJdbcBindingFilter with code like that:
    session.setAttribute(Configuration.DB_USERNAME_PROPERTY, usrName);
    session.setAttribute(Configuration.DB_PASSWORD_PROPERTY, pswd);
    if (jdbcURL != null) {
        session.setAttribute(Configuration.DB_CONNECT_STRING_PROPERTY, jdbcURL);
    }
    super.doFilter(request, response, chain);
    session.setAttribute(LOGGEDIN_ATTR, NON_NULL_VALUE);
    Just after successful logon I need to call db procedure which sets some application role to logging user (dbms_session.set_role). Where I have to put this code? Where is the first class where I can obtain db connection to do that?

    In the article "How to support dynamic JDBC credentials" on the last page you describe that we have to register the SessionCookie factory with the AM pool.
    Do I have to configure each AM in our application? We have about ~30 AMs ....

  • Set Role

    I am trying to Set a Role for the session using
    DBMS_Session.Set_Role via a stored procedure command object
    Not having any joy system error returned anyone have any ideas?

    What do your command obj and SQL stmt look like?
    2 generic problems I usually see here:
    - Parameters are "bind by position" by default
    - Watch out for the return value also (position '0' if you "bind by position").
    Arnold

  • Hard-coded username/password in Dev10g Forms PL/SQL code...

    Hi ,
    I have developed an application which some logouts as the current user and logon to a new user is required.....
    For this reason i have written the simple pattern:
    logout;
    logon('X','X'||'@'||tns_var,FALSE);
    assuming that db-user user X does have the password X , for example.
    The end-users do not have direct access to this db-user... only via this piece of code and only in Forms web app.
    However , i wonder what may be another option for setting the passwd and where...?????
    I have considered to create a table - called db_users_passwd , for example- which would store both the names/passwords of db users...- maybe in encrypted format.
    This table would reside in the SYS or SYSTEM dataschema , with a strong password....
    I have also read , somewhere , that a wrapped packaged procedure which would return the passwd of the username passed as parameter ...is an option as well...
    Thanks....
    Sim

    That is more developed than our application. The one here was developed in Oracle 7.
    It just calls
      DBMS_SESSION.SET_ROLE(ROLE_1 ||' IDENTIFIED BY '|| PW);
    The above enables the process to select roles and role passwords from a table, which it uses to build a string used in this statement:
      DBMS_SESSION.SET_ROLE(roles_to_enable);
    You could do the above in a database package that your form or forms call. Seems like if the security process was only executed from the package, you could produce a very secure system.

  • Set role in a form

    Hi,
    If I use DBMS_SESSION.SET_ROLE in a form to set a role with password protected, I must put the role password in my form. That what I do not want.
    Any idea to prevent this from happen?
    Thanks a lot
    Stephen

    A solution (which we used in the past within an application) is to put the role and password in a database table. The password should be stored encrypted (use e.g. dbms_obfuscation_toolkit to perform the encryption/decryption).
    At start up of the form you query the database table and set the role. The logged-in user should of course have select access to the table. The query of the database table can also be done by calling a database (package) procedure in which the query is done.
    Hope this will give you an idea how to proceed.
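
Both threads above keep a role password somewhere the client side can reach (in the form, or in a table the logged-in user can read). The following is an added sketch, not from either thread, of the secure application role construct that appears elsewhere on this page (`IDENTIFIED USING`), which needs no role password at all. The names app_sec, app_owner.orders, orders_rw, enable_orders_rw and form_user and the address 192.0.2.10 are hypothetical placeholders.

```sql
-- Added example; schema, role, table, user and address below are hypothetical.
-- Run steps 1-3 as a DBA.

-- 1. A secure application role has no password. It can be enabled only from
--    inside the procedure named in IDENTIFIED USING.
CREATE ROLE orders_rw IDENTIFIED USING app_sec.enable_orders_rw;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO orders_rw;

-- 2. The enabling procedure. AUTHID CURRENT_USER is required: in a
--    definer's-rights procedure SET_ROLE fails with ORA-06565.
CREATE OR REPLACE PROCEDURE app_sec.enable_orders_rw
    AUTHID CURRENT_USER
AS
BEGIN
    -- Server-side condition, evaluated by the database and not by the form.
    -- 192.0.2.10 stands for the application server address (placeholder).
    IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '192.0.2.10' THEN
        -- SET_ROLE replaces the session's enabled roles with the ones named
        -- here; add any other roles the session still needs to this list.
        DBMS_SESSION.SET_ROLE('ORDERS_RW');
    ELSE
        RAISE_APPLICATION_ERROR(-20001,
            'ORDERS_RW is not available to this session');
    END IF;
END;
/

-- 3. Users receive the role and EXECUTE on the procedure; no secret is
--    distributed to them or stored in the form.
GRANT orders_rw TO form_user;
GRANT EXECUTE ON app_sec.enable_orders_rw TO form_user;

-- 4. Connected as form_user (for example from the form's startup trigger),
--    enable the role and check the result.
BEGIN
    app_sec.enable_orders_rw;
END;
/
SELECT role FROM session_roles;
```

A user who connects with another tool from a different address holds the grant but cannot enable the role, because the check runs inside the database.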

  • How to find the "role" in forms 6i

    I need to find what roles a user has from forms (roles such as "admin, reguser...etc...roles that I created").
    For example, I can find the following but I don't know how to get the "roles"
    DECLARE
    UN VARCHAR2(80);
    PW VARCHAR2(80);
    CN VARCHAR2(80);
    BEGIN
    :global.UN := GET_APPLICATION_PROPERTY(USERNAME);
    :global.PW := GET_APPLICATION_PROPERTY(PASSWORD);
    :global.CN := GET_APPLICATION_PROPERTY(CONNECT_STRING);
    End;
    Thank you in advance.

    Hello,
    I made it in the following way:
    I have several roles that are granted to the user but
    are not default_roles. That means they must be enabled
    with the application.
    declare
    cursor c1 is select
    GRANTED_ROLE from user_role_privs
    where default_role = 'NO';
    rolen_name varchar2(30);
    rolen_alle varchar2(2000);
    i number := 0;
    BEGIN
    open c1;
    loop
         fetch c1 into rolen_name;
         exit when c1%NOTFOUND;
         i := i+1;
         if i = 1 then
         rolen_alle := rolen_alle || rolen_name;
         else
         rolen_alle := rolen_alle || ',' || rolen_name;
         end if;
    end loop;
    close c1;
    if i >= 1 then
    DBMS_SESSION.SET_ROLE(rolen_alle);
    end if;
    END;

  • Forms login security

    Hi Friends,
    How do I make our 3rd party appl forms login more secure?
    Currently, the appl program uses a primitive database authentication method
    by providing the username and password of the database in clear text inside
    a .ini file. Changing the database user and password will be useless due to
    password being exposed literally. Users of the application are registered in a table in the database with the password of the user exposed in clear text. An administrator or anybody with database access will be able see a user's password in clear text thus user authentication is compromised.
    Can I change the username to point to the database username and not a table?
    Can I encrypt the password table entry itself?
    Can I encrypt the .ini file so as not to show literal passwords?
    Can I use the form to get the userid/passwd from LDAP active directory server?
    Please help ....thanks a lot

    Are you sure that this is a Forms application and no JAVA-program ?
    It seems that a JAVA programmer tried some forms development :p
    The application may need some redesign.
    My suggestion :
    - the schema owner (database user holding the table objects) creates database
    roles implementing reader roles, insert role update roles and so on
    - each user will be created as a database user
    - grant the required role(s) to the user, but don't set those roles as default_role
    (ALTER USER xy DEFAULT ROLE CONNECT, ...;)
    - rebuild the login procedure authenticating now against the database account
    and not against the password in the application user-table
    - let the user password expire whilst using the existing user-table (implement a password expiration date) or use the database account for that
    - after successful login issue : DBMS_SESSION.SET_ROLE(...); for each
    role of the user, the created session has now the roles enabled
    - database roles should be password protected...
    If this is too much effort, it is possible to encrypt the table entries using oracle's Obfuscation Packages (depends on RDBMS-version).
    If you are using Oracle Forms > 6i :
    In addition to all of the above it is possible at least to authenticate against the Oracle Portal (not sure if this works against a different OID)...
    Message was edited by:
    user434854
