Oracle security 04-using application contexts
云和恩墨 成就所托 by 王朝阳 18516271611 [email protected]
Objectives
After completing this lesson, you should be able to do the following:
• Describe how an application context is used
• Describe the sources of application context values
• Implement a local context
• Implement an application context that is accessed globally
Application Context: Description
An application context is a memory container with attributes:
• The container is called a namespace.
• A namespace has attributes.
• Each namespace is independent of others.
• The namespace is populated by a package.
Namespace
Use the CREATE CONTEXT command to:
• Create a context in a namespace
• Associate a package with the context
CREATE CONTEXT hrapp USING hr_context;
Use the SET_CONTEXT procedure to:
• Create attributes
• Set values of attributes
dbms_session.set_context('hrapp', 'emp_id', v_emp_id);
Using the Application Context
An application context:
• Is read by applications
• Can be used to:
– Authorize users
– Limit access to data, called fine-grained access control (FGAC)
– Set attributes used in the application
Setting the Application Context
• The context attributes are set by a package, which:
– Creates attributes in the context
– Assigns values to the attributes of the context
– Is usually called when a user connects
• Each application can use one or more contexts.
• A context may be used by more than one application.
• USERENV is a built-in context with session properties and is available to all applications.
Application Context Data Sources
• The built-in USERENV context contains session primitives as attributes.
Example: Client IP address
• A local context uses database objects. The developer sets these attributes.
Example: The EMPLOYEE_ID column in the EMPLOYEES table
• An externalized context can get values from an external source, such as Oracle Call Interface (OCI).
• A global context uses values from the directory-entry attributes.
Implementing a Local Context
1. Create an application context.
2. Create a PL/SQL package that sets the context.
3. Call the package to set the context attribute.
4. Read the context attribute in the application.
[Diagram: the PL/SQL package sets the application context; the PL/SQL program reads it]
Step 1: Create an Application Context
• Create a unique context:
– Names the context HRAPP
– Associates it with the PKG_HR_CONTEXT package
CREATE CONTEXT hrapp USING pkg_hr_context;
• You can set the context attributes only:
– In the package named in CREATE CONTEXT
– In the function associated with a policy
• In the package, set attributes by calling DBMS_SESSION.SET_CONTEXT.
• Alternatively, you can use the Oracle Policy Manager GUI.
Step 2: Create a PL/SQL Package That Sets the Context
Create the PKG_HR_CONTEXT.SET_EMP_ID procedure:
• Use SYS_CONTEXT to get the session username:
sys_context('userenv', 'session_user');
• Use the session username to get the employee ID:
SELECT employee_id INTO v_emp_id
FROM employees
WHERE email = sys_context('userenv', 'session_user');
• Use SET_CONTEXT to set a context attribute:
dbms_session.set_context('hrapp', 'emp_id', v_emp_id);
Step 3: Call the Package
Create a logon trigger that calls the PKG_HR_CONTEXT.SET_EMP_ID procedure:
CREATE OR REPLACE TRIGGER tgr_hr_context_logon
AFTER LOGON ON DATABASE
BEGIN
  pkg_hr_context.set_emp_id();
END;
/
Step 4: Read the Context Attribute in the Application
• To return an attribute value, use:
sys_context('hrapp', 'emp_id')
• There are two arguments:
– Name of the context
– Name of the attribute
• Example in SELECT:
SELECT *
FROM departments
WHERE manager_id = sys_context('hrapp', 'emp_id');
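The four local-context steps above, collected into one script as an added example (this is not code from the original slides). It assumes the Oracle HR sample schema (EMPLOYEES with EMPLOYEE_ID and EMAIL, DEPARTMENTS with MANAGER_ID) and that each application user logs in with a database username equal to that user's EMPLOYEES.EMAIL. It also goes one step beyond the slides: the HR_DEPT_POLICY function and the HR_DEPT_MANAGER_ONLY policy are names chosen here to show the FGAC use of the attribute that the "Using the Application Context" slide mentions.

```sql
-- Added example (not part of the original slides): the four local-context
-- steps as one runnable script. Assumes the HR sample schema (EMPLOYEES with
-- EMPLOYEE_ID and EMAIL, DEPARTMENTS with MANAGER_ID) and that each
-- application user logs in with a database username equal to EMPLOYEES.EMAIL.
-- HR_DEPT_POLICY and HR_DEPT_MANAGER_ONLY are names chosen for this example.

-- Step 1: the namespace. Only PKG_HR_CONTEXT may write to it; any other
-- caller of DBMS_SESSION.SET_CONTEXT('hrapp', ...) gets ORA-01031.
CREATE CONTEXT hrapp USING pkg_hr_context;

-- Step 2: the trusted package that populates the namespace.
CREATE OR REPLACE PACKAGE pkg_hr_context AS
  PROCEDURE set_emp_id;
END pkg_hr_context;
/

CREATE OR REPLACE PACKAGE BODY pkg_hr_context AS
  PROCEDURE set_emp_id IS
    v_emp_id employees.employee_id%TYPE;
  BEGIN
    -- The username is taken from the built-in USERENV context, which the
    -- server sets at authentication; the client cannot supply it.
    SELECT employee_id
      INTO v_emp_id
      FROM employees
     WHERE email = SYS_CONTEXT('userenv', 'session_user');

    DBMS_SESSION.SET_CONTEXT('hrapp', 'emp_id', v_emp_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Validate the source: a database user with no employee row gets no
      -- EMP_ID, so SYS_CONTEXT('hrapp','emp_id') stays NULL and the
      -- predicates below match nothing. Raising here instead would block
      -- logon for every user the trigger cannot map.
      DBMS_SESSION.SET_CONTEXT('hrapp', 'emp_id', NULL);
  END set_emp_id;
END pkg_hr_context;
/

-- Step 3: populate the context as soon as a session is created.
CREATE OR REPLACE TRIGGER tgr_hr_context_logon
  AFTER LOGON ON DATABASE
BEGIN
  pkg_hr_context.set_emp_id();
END;
/

-- Step 4: read the attribute in the application.
SELECT department_id, department_name
  FROM departments
 WHERE manager_id = SYS_CONTEXT('hrapp', 'emp_id');

-- FGAC use of the same attribute: a VPD policy function returns a predicate
-- that the server appends to every SELECT on HR.DEPARTMENTS, so the
-- restriction holds even for ad hoc queries that omit the WHERE clause.
CREATE OR REPLACE FUNCTION hr_dept_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- SYS_CONTEXT in the predicate behaves like a bind variable: one shared
  -- cursor for all sessions, no value concatenated into the SQL text.
  RETURN 'manager_id = SYS_CONTEXT(''hrapp'', ''emp_id'')';
END hr_dept_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'DEPARTMENTS',
    policy_name     => 'HR_DEPT_MANAGER_ONLY',
    function_schema => 'HR',
    policy_function => 'HR_DEPT_POLICY',
    statement_types => 'SELECT');
END;
/
```

The design point is that every value the predicate depends on originates inside the server: the username comes from USERENV, the employee ID from a table lookup inside the trusted package, and a user the package cannot map ends up with a NULL attribute, so the policy fails closed rather than open.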
SYS_CONTEXT PL/SQL Function
• SYS_CONTEXT returns context attributes:
sys_context('context', 'attribute')
• To return the client IP address from the built-in context, use:
sys_context('userenv', 'ip_address')
• To return EMP_ID from the HRAPP context, use:
sys_context('hrapp', 'emp_id')
Application Context Accessed Globally
• Shares a context across sessions
• Simplifies connection pooling from a middle tier
• Uses a client identifier to identify the user of a session
[Diagram: PL/SQL program A in user database session 1 and PL/SQL program B in user database session 2 both read the application context held in the SGA, EMP_ID = 101]
How the Application Context Accessed Globally Works
Sequence between the user, the application server, and Oracle 11g:
1. Application server builds the connection pool
2. User logs in
3. Application server establishes a session
4. Application server processes the request
5. Application server completes the request
6. User makes another request
7. Application server processes the second request
8. User logs out
9. Application server clears the context
PL/SQL Packages and Procedures
DBMS_SESSION manages:
• Contexts:
set_context(context, attribute, value);
dbms_session.set_context('hrapp', 'emp_id', v_emp_id);
• Global identifiers:
dbms_session.set_identifier(client_id);
dbms_session.set_identifier(12345);
Implementing the Application Context Accessed Globally
1. Create the application context accessed globally.
2. Modify the program that establishes a session:
– Set the application context.
– Set the session client identifier.
– Clear the client identifier when the request ends.
3. Modify the application server program that handles subsequent requests in the same session:
– Set the session client identifier from this session.
– Clear the client identifier when the request ends.
4. Create or modify the application server program that ends a session to clear the context.
Step 1: Create the Application Context Accessed Globally
• Create the context by using:
CREATE CONTEXT hrapp USING pkg_hr_context ACCESSED GLOBALLY;
• The ACCESSED GLOBALLY clause indicates that the context can be accessed from multiple sessions.
Step 2: Establish a Session
1. Get a unique value to use as a client identifier.
2. Set the application context:
dbms_session.set_context(context, attr, value, username, client_id);
dbms_session.set_context('hrapp', 'id', 'phall', 'APPSMGR', 12345);
dbms_session.set_context('hrapp', 'dept', 'sales', 'APPSMGR', 12345);
3. Set the session client identifier:
dbms_session.set_identifier(12345);
4. Save the client identifier in a cookie.
Step 3: Handle Subsequent Requests
1. Get the client identifier from the cookie.
2. Set the client identifier for this session:
dbms_session.set_identifier(12345);
3. Clear the client identifier when the request ends:
dbms_session.clear_identifier();
Step 4: End a Session
1. Get the client identifier from the cookie.
2. Clear the context:
EXEC dbms_session.clear_context('HRAPP', '12345');
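Steps 2 to 4 of the globally accessed context, written as one PL/SQL package the application server calls on its pooled connections. This is an added example, not code from the original slides. It assumes the pool connects as database user APPSMGR and that the caller has already authenticated the end user; the procedure names START_SESSION, BEGIN_REQUEST, END_REQUEST and END_SESSION and the client identifier value are constructed for this example.

```sql
-- Added example (not part of the original slides): Steps 2 to 4 for a
-- context ACCESSED GLOBALLY, as one PL/SQL package that the application
-- server calls on its pooled connections. Assumes the pool connects as
-- database user APPSMGR and that the caller already authenticated the end
-- user. START_SESSION, BEGIN_REQUEST, END_REQUEST, END_SESSION and the
-- client identifier value are constructed for this example.

CREATE CONTEXT hrapp USING pkg_hr_context ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE pkg_hr_context AS
  -- Step 2: once, when the user's application session is established.
  PROCEDURE start_session(p_client_id IN VARCHAR2,
                          p_user      IN VARCHAR2,
                          p_dept      IN VARCHAR2);
  -- Step 3: at the start of each later request, on whichever pooled
  -- connection happens to serve it.
  PROCEDURE begin_request(p_client_id IN VARCHAR2);
  -- Step 3: when the request ends, before the connection returns to the pool.
  PROCEDURE end_request;
  -- Step 4: when the user's application session ends.
  PROCEDURE end_session(p_client_id IN VARCHAR2);
END pkg_hr_context;
/

CREATE OR REPLACE PACKAGE BODY pkg_hr_context AS
  -- Attributes are stored in the SGA under (username, client_id); only a
  -- session logged in as this user with this identifier set can read them.
  c_pool_user CONSTANT VARCHAR2(30) := 'APPSMGR';

  PROCEDURE start_session(p_client_id IN VARCHAR2,
                          p_user      IN VARCHAR2,
                          p_dept      IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('hrapp', 'id',   p_user, c_pool_user, p_client_id);
    DBMS_SESSION.SET_CONTEXT('hrapp', 'dept', p_dept, c_pool_user, p_client_id);
    DBMS_SESSION.SET_IDENTIFIER(p_client_id);
  END start_session;

  PROCEDURE begin_request(p_client_id IN VARCHAR2) IS
  BEGIN
    -- Binding the identifier makes this session see the user's attributes.
    DBMS_SESSION.SET_IDENTIFIER(p_client_id);
  END begin_request;

  PROCEDURE end_request IS
  BEGIN
    -- Without this, the next user served by this pooled connection would
    -- read the previous user's ID and DEPT attributes.
    DBMS_SESSION.CLEAR_IDENTIFIER;
  END end_request;

  PROCEDURE end_session(p_client_id IN VARCHAR2) IS
  BEGIN
    -- Removes every HRAPP attribute stored for this client identifier.
    DBMS_SESSION.CLEAR_CONTEXT('hrapp', p_client_id);
    DBMS_SESSION.CLEAR_IDENTIFIER;
  END end_session;
END pkg_hr_context;
/

-- One user's life cycle on a pool of APPSMGR connections. In a real
-- deployment each call would typically arrive on a different pooled connection.
DECLARE
  v_client_id VARCHAR2(64) := 'constructed-opaque-token-1';  -- constructed value
BEGIN
  pkg_hr_context.start_session(v_client_id, 'phall', 'sales');
  -- SYS_CONTEXT('hrapp', 'dept') resolves for this session from here on.
  pkg_hr_context.end_request;
  -- Identifier cleared: the same SYS_CONTEXT call is NULL until it is re-bound.
  pkg_hr_context.begin_request(v_client_id);
  -- Identifier re-bound: the attributes are visible again.
  pkg_hr_context.end_session(v_client_id);
END;
/
```

The client identifier is the only thing that ties a pooled session to a user's attributes, so the value saved in the cookie should be an unguessable token generated on the server, never something derived from the username, and END_REQUEST must run on every code path (including error handling) before a connection goes back to the pool.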
Data Dictionary Views
SQL> CREATE CONTEXT hrapp USING pkg_hr_context;
Context created.
SQL> SELECT *
  2  FROM dba_context
  3  WHERE namespace = 'HRAPP';

NAMESPACE SCHEMA PACKAGE        TYPE
--------- ------ -------------- ----------------
HRAPP     SYS    PKG_HR_CONTEXT ACCESSED LOCALLY

SQL>
Guidelines
• Attempting to change the context outside of its package results in the following error message:
ORA-01031: insufficient privileges
• SYS_CONTEXT works much like a bind variable.
• Versioning does not apply to contexts accessed globally.
• There are parallel query and RAC limitations.
• Context sources must be validated.
Summary
In this lesson, you should have learned how to:
• Use an application context
• Access the sources of application context values
• Implement a local context
• Implement an application context that is accessed globally