oracle security 04-using application contexts

云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Using Application Contexts

Upload: zhaoyang-wang

Post on 18-Jun-2015


Using Application Contexts


Objectives

After completing this lesson, you should be able to do the following:
• Describe how an application context is used
• Describe the sources of application context values
• Implement a local context
• Implement an application context that is accessed globally


Application Context: Description

An application context is a memory container with attributes:
• The container is called a namespace.
• A namespace has attributes.
• Each namespace is independent of others.
• The namespace is populated by a package.


Namespace

Use the CREATE CONTEXT command to:
• Create a context in a namespace
• Associate a package with the context

    CREATE CONTEXT hrapp USING hr_context;

(Diagram: the namespace HRAPP.)

Use the SET_CONTEXT procedure to:
• Create attributes
• Set values of attributes

    dbms_session.set_context('hrapp', 'emp_id', v_emp_id);


Using the Application Context

An application context:
• Is read by applications
• Can be used to:
  – Authorize users
  – Limit access to data, called fine-grained access control (FGAC)
  – Set attributes used in the application


Setting the Application Context

• The context attributes are set by a package, which:
  – Creates attributes in the context
  – Assigns values to the attributes of the context
  – Is usually called when a user connects
• Each application can use one or more contexts.
• A context may be used by more than one application.
• USERENV is a built-in context with session properties and is available to all applications.


Application Context Data Sources

• The built-in USERENV context contains session primitives as attributes.
  Example: Client IP address

• A local context uses database objects. The developer sets these attributes.
  Example: The EMPLOYEE_ID column in the EMPLOYEES table

• An externalized context can get values from an external source, such as Oracle Call Interface (OCI).

• A global context uses values from the directory-entry attributes.


Implementing a Local Context

1. Create an application context.
2. Create a PL/SQL package that sets the context.
3. Call the package to set the context attribute.
4. Read the context attribute in the application.

(Diagram: a PL/SQL package sets the application context; a PL/SQL program reads it.)


Step 1: Create an Application Context

• Create a unique context:

    CREATE CONTEXT hrapp USING pkg_hr_context;

  – Names the context HRAPP
  – Associates it with the PKG_HR_CONTEXT package
• You can set the context attributes only:
  – In the package named in CREATE CONTEXT
  – In the function associated with a policy
• In the package, set attributes by calling DBMS_SESSION.SET_CONTEXT.
• Alternatively, you can use the Oracle Policy Manager GUI.


Step 2: Create a PL/SQL Package That Sets the Context

Create the PKG_HR_CONTEXT.SET_EMP_ID procedure:
• Use SYS_CONTEXT to get the session username:

    sys_context('userenv', 'session_user');

• Use the session username to get the employee ID:

    SELECT employee_id INTO v_emp_id
    FROM employees
    WHERE email = sys_context('userenv', 'session_user');

• Use SET_CONTEXT to set a context attribute:

    dbms_session.set_context('hrapp', 'emp_id', v_emp_id);


Step 3: Call the Package

Create a logon trigger that calls the PKG_HR_CONTEXT.SET_EMP_ID procedure:

    CREATE OR REPLACE TRIGGER tgr_hr_context_logon
    AFTER LOGON ON DATABASE
    BEGIN
      pkg_hr_context.set_emp_id();
    END;
    /


Step 4: Read the Context Attribute in the Application

• To return an attribute value, use:

    sys_context('hrapp', 'emp_id')

• There are two arguments:
  – Name of the context
  – Name of the attribute
• Example in SELECT:

    SELECT *
    FROM departments
    WHERE manager_id = sys_context('hrapp', 'emp_id');
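
The four steps assembled into one SQL*Plus script, as an added example that is not part of the original slides. It goes beyond the slide fragments by handling accounts with no matching EMPLOYEES row, because an unhandled exception raised from a logon trigger makes the logon fail for ordinary accounts. The object names come from the slides; the exception handling, and the assumption that the package owner can query EMPLOYEES, are this example's own.

```sql
-- Added example: names follow the slides (hrapp, pkg_hr_context, set_emp_id,
-- employees.email); the exception handler is an assumption of this example.
CREATE CONTEXT hrapp USING pkg_hr_context;

CREATE OR REPLACE PACKAGE pkg_hr_context AS
  PROCEDURE set_emp_id;
END pkg_hr_context;
/

CREATE OR REPLACE PACKAGE BODY pkg_hr_context AS
  PROCEDURE set_emp_id IS
    v_emp_id employees.employee_id%TYPE;
  BEGIN
    SELECT employee_id
      INTO v_emp_id
      FROM employees
     WHERE email = SYS_CONTEXT('userenv', 'session_user');

    DBMS_SESSION.SET_CONTEXT('hrapp', 'emp_id', v_emp_id);
  EXCEPTION
    WHEN NO_DATA_FOUND OR TOO_MANY_ROWS THEN
      -- No unique EMPLOYEES row (DBA or service account): let the logon
      -- proceed with emp_id unset, so predicates on it match no rows.
      NULL;
  END set_emp_id;
END pkg_hr_context;
/

CREATE OR REPLACE TRIGGER tgr_hr_context_logon
AFTER LOGON ON DATABASE
BEGIN
  pkg_hr_context.set_emp_id();
END;
/

-- After reconnecting, read the attribute back from the session.
SELECT SYS_CONTEXT('hrapp', 'emp_id') AS emp_id FROM dual;

-- Issued outside pkg_hr_context, the same SET_CONTEXT call is rejected
-- with ORA-01031: insufficient privileges.
EXEC DBMS_SESSION.SET_CONTEXT('hrapp', 'emp_id', 101);
```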


SYS_CONTEXT PL/SQL Function

• SYS_CONTEXT returns context attributes:

    sys_context('context', 'attribute')

• To return the client IP address from the built-in context, use:

    sys_context('userenv', 'ip_address')

• To return EMP_ID from the HRAPP context, use:

    sys_context('hrapp', 'emp_id')


Application Context Accessed Globally

• Shares a context across sessions
• Simplifies connection pooling from a middle tier
• Uses a client identifier to identify the user of a session

(Diagram: PL/SQL programs A and B, running in user database sessions 1 and 2, share the application context EMP ID = 101 held in the SGA.)


How the Application Context Accessed Globally Works

1. Builds connection pool
2. Logs in
3. Establishes session
4. Processes request
5. Completes request
6. Makes another request
7. Processes second request
8. Logs out
9. Clears context

(Diagram: the steps run between the user, the application server, and Oracle11g.)


PL/SQL Packages and Procedures

DBMS_SESSION manages:
• Contexts:

    set_context(context, attribute, value);

    dbms_session.set_context('hrapp', 'emp_id', v_emp_id);

• Global identifiers:

    dbms_session.set_identifier(client_id);

    dbms_session.set_identifier(12345);


Implementing the Application Context Accessed Globally

1. Create the application context accessed globally.

2. Modify the program that establishes a session:
   – Set the application context.
   – Set the session client identifier.
   – Clear the client identifier when the request ends.

3. Modify the application server program that handles subsequent requests in the same session:
   – Set the session client identifier from this session.
   – Clear the client identifier when the request ends.

4. Create or modify the application server program that ends a session to clear the context.


Step 1: Create the Application Context Accessed Globally

• Create the context by using:

    CREATE CONTEXT hrapp USING pkg_hr_context ACCESSED GLOBALLY;

• The ACCESSED GLOBALLY clause indicates that the context can be accessed from multiple sessions.


Step 2: Establish a Session

1. Get a unique value to use as a client identifier.
2. Set the application context:

    dbms_session.set_context(context, attr, value, username, client_id);

    dbms_session.set_context('hrapp', 'id', 'phall', 'APPSMGR', 12345);
    dbms_session.set_context('hrapp', 'dept', 'sales', 'APPSMGR', 12345);

3. Set the session client identifier:

    dbms_session.set_identifier(12345);

4. Save the client identifier in a cookie.


Step 3: Handle Subsequent Requests

1. Get the client identifier from the cookie.
2. Set the client identifier for this session:

    dbms_session.set_identifier(12345);

3. Clear the client identifier when the request ends:

    dbms_session.clear_identifier();


Step 4: End a Session

1. Get the client identifier from the cookie.
2. Clear the context:

    EXEC dbms_session.clear_context('HRAPP', '12345');
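
The full lifecycle of the globally accessed context (establish, reuse, end) as one SQL*Plus script, as an added example that is not part of the original slides. The procedures start_session and end_session and their p_* parameters are assumed names; the script assumes its statements run in sessions connected as APPSMGR, the database user named in the slides' calls, and it reuses the slides' sample identifier 12345.

```sql
-- Added example; start_session, end_session and the p_* names are assumed.
CREATE CONTEXT hrapp USING pkg_hr_context ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE pkg_hr_context AS
  PROCEDURE start_session(p_client_id IN VARCHAR2,
                          p_user IN VARCHAR2, p_dept IN VARCHAR2);
  PROCEDURE end_session(p_client_id IN VARCHAR2);
END pkg_hr_context;
/

CREATE OR REPLACE PACKAGE BODY pkg_hr_context AS
  PROCEDURE start_session(p_client_id IN VARCHAR2,
                          p_user IN VARCHAR2, p_dept IN VARCHAR2) IS
  BEGIN
    -- Stored in the SGA, keyed by database user APPSMGR and p_client_id.
    DBMS_SESSION.SET_CONTEXT('hrapp', 'id',   p_user, 'APPSMGR', p_client_id);
    DBMS_SESSION.SET_CONTEXT('hrapp', 'dept', p_dept, 'APPSMGR', p_client_id);
  END start_session;

  PROCEDURE end_session(p_client_id IN VARCHAR2) IS
  BEGIN
    -- Drops every hrapp attribute stored under this client identifier.
    DBMS_SESSION.CLEAR_CONTEXT('hrapp', p_client_id);
  END end_session;
END pkg_hr_context;
/

-- Login request: populate the context, bind the identifier, serve, unbind.
EXEC pkg_hr_context.start_session('12345', 'phall', 'sales');
EXEC DBMS_SESSION.SET_IDENTIFIER('12345');
SELECT SYS_CONTEXT('hrapp', 'dept') AS dept FROM dual;
EXEC DBMS_SESSION.CLEAR_IDENTIFIER;

-- Identifier cleared: the pooled connection can serve another user, and the
-- stored values are not visible here until an identifier is bound again.
SELECT SYS_CONTEXT('hrapp', 'dept') AS dept FROM dual;

-- Later request, possibly on a different pooled connection.
EXEC DBMS_SESSION.SET_IDENTIFIER('12345');
SELECT SYS_CONTEXT('hrapp', 'id') AS user_id FROM dual;
EXEC DBMS_SESSION.CLEAR_IDENTIFIER;

-- Logout: remove the stored values.
EXEC pkg_hr_context.end_session('12345');
```

Because any session can call SET_IDENTIFIER, the username argument (APPSMGR) is what confines the stored values to the application server's account. The identifier kept in the cookie should therefore be handled like a session token.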


Data Dictionary Views

    SQL> CREATE CONTEXT hrapp USING pkg_hr_context;

    Context created.

    SQL> SELECT *
      2  FROM dba_context
      3  WHERE namespace = 'HRAPP';

    NAMESPACE SCHEMA PACKAGE    TYPE
    --------- ------ ---------- ----------------
    HRAPP     SYS    PKG_HR_CONTEXT ACCESSED LOCALLY

    SQL>


Guidelines

• Attempting to change the context outside of its package results in the following error message:
  ORA-01031: insufficient privileges
• SYS_CONTEXT works much like a bind variable.
• Versioning does not apply to contexts accessed globally.
• There are parallel query and RAC limitations.
• Context sources must be validated.


Summary

In this lesson, you should have learned how to:
• Use an application context
• Access the sources of application context values
• Implement a local context
• Implement an application context that is accessed globally


Q&A