N-Tier Authentication (Oracle 8i) [message #61357] Fri, 16 April 2004 04:47
Patrick Tahiri
Hi,

I have some questions about N-Tier Authentication:

Let's say that I'm in a 3-tier environment:

Browser <---> Web Server <---> Oracle Database.

The Web server (the application running on it) is passing the user name and the password to connect to the Oracle database. This represents a potential security risk: the user name and the password can be "stolen" on the Web Server (if someone is hacking and comes through the Web Server) or can be grabbed when transmitted over the network...

I was then thinking about N-Tier Authentication: so if somebody can hack the web server he cannot get any database username and password!

1. Doesn't OS authentication work a bit in the same way as N-tier Authentication, in that a hacker on the web server can't get any database username and password?

2. I have little documentation about N-tier Authentication, but I could read that there is no database username and password that is passed to the database, BUT I always see that a connection is made in this fashion:

>cdemo2 app_name/app_password db_username CONNECT

But then we do see the database username in this string: db_username!!??

3. If a user hacks into the web server he can, even without knowing the db_username and password, deploy a new application and delete or drop tables through it?!?

I feel that I'm missing something here...

Could someone help me with this?

Many thanks!

Regards,

Patrick Tahiri.
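
The account setup behind the connection string in the question, as an added example that is not part of the original post: the middle tier authenticates as app_name and opens a session on behalf of db_username, whose password it never holds. app_name and db_username come from the post; the role, table and password values are hypothetical placeholders, and the statements assume an Oracle 8i database with proxy authentication available.

```sql
-- Added example (not from the original post). Names other than
-- app_name and db_username are hypothetical placeholders.

-- Middle-tier account: the only credential stored on the web server.
-- It can log in, but owns nothing and holds no object privileges.
CREATE USER app_name IDENTIFIED BY placeholder_app_password;
GRANT CREATE SESSION TO app_name;

-- End-user account: its password is never given to the middle tier.
CREATE USER db_username IDENTIFIED BY placeholder_user_password;
GRANT CREATE SESSION TO db_username;

-- Privileges the application actually needs, collected in one role.
-- app_owner.orders is a hypothetical application table.
CREATE ROLE order_entry_role;
GRANT SELECT, INSERT ON app_owner.orders TO order_entry_role;
GRANT order_entry_role TO db_username;

-- Allow app_name to act for db_username, and only with this role.
-- The db_username in the connection string names whom to act for;
-- it is an identity, not a secret.
ALTER USER db_username
  GRANT CONNECT THROUGH app_name WITH ROLE order_entry_role;

-- Review which proxies may act for which clients.
SELECT proxy, client FROM proxy_users;

-- Record statements issued by the middle tier on behalf of the user,
-- so activity through a compromised web server is attributable.
AUDIT SELECT TABLE BY app_name ON BEHALF OF db_username;

-- Withdraw the proxy right if the middle tier is suspected compromised.
ALTER USER db_username REVOKE CONNECT THROUGH app_name;
```

With this layout, what someone who controls the web server can do through the database is bounded by the roles named in the proxy grant, so DROP or DELETE on application tables is possible only if those privileges were placed in the role.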