How to use the OCI N-Tier Authentication Feature

Oracle8i, release 8.1, added the ability for users to 'become' another user -- given the appropriate privileges.  This allows a middle-tier application to connect as some user other than itself using its own credentials.  In other words, if SCOTT has been granted the ability to 'become' MARY, Scott can log in to the database using SCOTT/TIGER -- AS MARY.  Scott does not need to know Mary's password; Scott only needs his own credentials.  The database will behave as if Mary logged in (although audit trails will reflect that it was Scott, working on Mary's behalf, that did the work).

This feature is described briefly in the Getting to Know Oracle8i guide as follows:
 

Multi-Tier Authentication and Authorization

Oracle8i also offers security to multi-tier architectures. In some systems, the middle
tier is super-privileged to perform any action on behalf of any user, and the identity
of the real client is not preserved through the middle tier. Middle tiers, especially
Web servers or application servers, often sit on or outside a firewall, so limiting
their access and auditing their actions is especially important.
Oracle8i provides the ability to preserve the real client identity through the middle
tier and limit the users on whose behalf a middle tier can connect. The server can
also audit actions taken by the middle tier on behalf of a particular user.
To support this feature, syntax changes have been made to the ALTER USER and
AUDIT statement. For more information, see Oracle8i SQL Reference.


Unfortunately -- that is about the extent of the documentation available for this feature as of the 8.1.5 release (to be corrected with the 8.1.6 documentation).  In light of this, we've made available the attached white paper which describes this feature in some more depth and offers an OCI example of how to make use of this feature.

This paper was developed by

and presented at Oracle Open World.
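The ALTER USER and AUDIT changes mentioned in the excerpt above can be sketched as follows. This is an added example, not taken from the white paper or from Oracle's documentation; SCOTT and MARY are the users from the text, the role names HR_CLERK and HR_ADMIN are hypothetical, and the clause forms are the ones I recall from the Oracle8i SQL Reference, so check them against the reference for your release.

```sql
-- Run as a suitably privileged administrator.

-- Weak setting: SCOTT may connect on MARY's behalf and, with no role
-- restriction, can use every role MARY holds.
ALTER USER mary GRANT CONNECT THROUGH scott;

-- Tighter settings: limit which of MARY's roles the middle tier may
-- activate when it connects for her. Pick ONE of the following.

-- Only the named role (hypothetical role name):
ALTER USER mary GRANT CONNECT THROUGH scott WITH ROLE hr_clerk;

-- Everything except a sensitive role (hypothetical role name):
ALTER USER mary GRANT CONNECT THROUGH scott WITH ROLE ALL EXCEPT hr_admin;

-- No roles at all; only privileges granted directly to MARY apply:
ALTER USER mary GRANT CONNECT THROUGH scott WITH NO ROLES;

-- Audit what the middle tier does for a particular user...
AUDIT SELECT TABLE BY scott ON BEHALF OF mary;

-- ...or for any user it is allowed to represent.
AUDIT SELECT TABLE BY scott ON BEHALF OF ANY;

-- Review which proxies may connect for which clients, and with which
-- roles. PROXY_USERS is the dictionary view as I recall it; the view
-- name and its columns should be confirmed for your release.
SELECT * FROM proxy_users;

-- Withdraw the ability when the middle tier no longer needs it.
ALTER USER mary REVOKE CONNECT THROUGH scott;
```

Granting the proxy only the roles the application needs keeps a compromised middle tier from exercising the rest of the user's privileges, and the ON BEHALF OF audit options record which real client each proxied action was performed for.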
 
All information and materials provided here are provided "as-is"; Oracle disclaims all express and implied warranties, including, the implied warranties of merchantability or fitness for a particular use. Oracle shall not be liable for any damages, including, direct, indirect, incidental, special or consequential damages for loss of profits, revenue, data or data use, incurred by you or any third party in connection with the use of this information or these materials.