Skip to Main Content
  • Questions

  • running application with an app_user instead of schema owner user

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Oussema.

Asked: October 19, 2016 - 8:21 am UTC

Last updated: October 20, 2016 - 1:19 am UTC

Version: 11.2.0.3

Viewed 1000+ times

You Asked


Hi

I have a java application that requires access to oracle database with an app_user instead of schema owner user and this is for security purposes.

- The schema owner user is the user that owns oracle objects that need to be accessed from java application.
- The app_user is the user that the application is connecting with database and having EXECUTE privilege on schema owner objects.

There are 2 approaches that can be used :

1. Synonyms Approach : create synonyms owned by app_user that are pointing to schema owner objects.

2. CURRENT_SCHEMA approach: this approach consists of setting the current_schema ( in app_user sessions ) to the schema owner

e.g : in app_user oracle sessions ; run following SQL :
alter session set current_schema= [schema_owner_user];

Knowing that i'm using a java application using JDBC for database connection, and my application is using OracleDataSource to manage connections with database app_user schema.

and my aim is to set current_schema of those ( OracleDataSource sessions with database app_user schema) with the schema_owner .

and the idea is to setup the current_schema (by running : alter session set current_schema= [schema_owner_user]) for physical connections before being added to the pool.

- this purpose of setup current_schema can be achieved by a dedicated java method in JDBC ?
knowing that i have the option to use JDBC's ( oracle-ojdbc6-11.2.0.3.0.jar / oracle-ojdbc7-12.1.0.2.jar) on my application .

- does oracle.jdbc.driver.OracleConnection.setSchema Java method , can setup current_schema for physical connections of Oracle Datasource before being added to the pool ?

- There is possibility of running SQL statement when physical connection is created and before being added to the pool ?
- Does oracle.jdbc.pool.OracleDataSource can be setup with property "initSQL" ?
- does oracle.jdbc.driver.OracleConnection.setSchema method is going over the network to oracle Database
for each physical or logical connection ?

Thanks
Oussema



and Chris said...

I'm not familiar enough with JDBC to say how to set the current_schema using this.

But there is another way!

Create an "after logon on schema" trigger. This sets the current_schema:

grant create session to app_user identified by app_user;
create user schema_owner identified by schema_owner;

create or replace trigger app_user.logon_t 
after logon on app_user.schema  
begin
  execute immediate 'alter session set current_schema = schema_owner';
end;
/

conn app_user/app_user

select sys_context('USERENV', 'CURRENT_SCHEMA') from dual;

SYS_CONTEXT('USERENV','CURRENT_SCHEMA')  
SCHEMA_OWNER


Any new connections to app_user will have their current_schema set appropriately.

Rating

  (3 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Privs

A reader, October 19, 2016 - 10:58 am UTC

..and what if user app needs to select delete insert truncate ...The tables of SCHEMA_OWNER??
Do app user have rights on SCHEMA_OWNER' objects?
Chris Saxon
October 19, 2016 - 12:44 pm UTC

You need to grant the privileges from schema_owner to app_user. This applies whether you're using set current_schema or synonyms.

Chuck Jolley, October 19, 2016 - 2:59 pm UTC

Why not just use fully qualified object names in the application?
One way or another the grants have to be made to the app_user anyway.

More generally, what is set current_schema used for?
Chris Saxon
October 19, 2016 - 3:27 pm UTC

Fully qualifying is a better solution.

More generally, what is set current_schema used for?

So you don't need to fully qualify the schema! Besides laziness, it's potentially useful if you have an app which you'd like to regularly switch between schemas that have the same tables. Or want to maintain schema independence for some reason.

Chuck Jolley, October 19, 2016 - 4:49 pm UTC

"So you don't need to fully qualify the schema!"
For some reason this reminds me of the question "How can I get a sorted result without using an order by clause?"
Connor McDonald
October 20, 2016 - 1:19 am UTC

There is in fact a (very small) overhead to resolving things via synonyms - public is worse than private and private is worse than none.

So if you're looking to squeeze every ounce of scalability out of your server/apps, then its possibly worth a mention. I prefer 'alter session set current_schema' not just for that reason - it just means less clutter, ie, less stuff to manage.


more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library