HTMLDB?
A reader, January 03, 2005 - 5:11 pm UTC
How about when using HTMLDB? The browser "knows" the os_user, does HTMLDB make it available to me so I can take decisions based on it in the HTMLDB app?
Thanks
January 03, 2005 - 10:32 pm UTC
does the BROWSER tell the WEB SERVER "who" the OS user is, that -- that is the question....
Browser
A reader, January 03, 2005 - 10:56 pm UTC
Well, the browser just knows, doesnt it? In a Windows environment, every app just knows who the OS user is, I think. Doesnt NTLM, Active Directory and all that stuff kick in here? Not exactly sure, but all ASP/.NET pages against IIS I have seen simply call some builtin function to get the os user.
Can HTMLDB do something similar?
January 03, 2005 - 11:06 pm UTC
does it? does firefox know or CARE? how about things that are not "windows only".
while they might *know*, do they TELL. therein lies my real question to you.
IIS and IE are proprietary software -- run on exactly one OS (with 50 flavors, each slightly incompatible with the other... but that is besides the point), me -- I use firefox -- not on windows mostly. Now what? Who am I :) You think NTLM is running on Linux? Mac? or that most of the rest of the browsers care enough?
do you really want "web site X" to just "know" who you are? I'm pretty sure I don't.
Works perfectly
Shane, January 04, 2005 - 8:43 am UTC
I was unable to use3 the V$SESSION so this works perfectly. Exactly what I needed. The middleware sofware (WEBLOGIC) does not push the LAN user ID through, so it was up to Oracel to perform this task for me.
Thanks
To Shane
A reader, January 05, 2005 - 9:48 am UTC
What worked perfectly? What solution did you end up using? Thanks
Exactly what I was looking for
Steve, January 11, 2005 - 7:22 am UTC
I needed to store the OSUSER who changed certain columns on a table since everybody uses the same DB login. I used your code in a DB trigger. This was perfect.
Needed OS_user from Oracle
A reader, January 24, 2005 - 12:16 pm UTC
Gave me exactly the info I needed
User level
abdul, January 02, 2006 - 6:01 am UTC
Hello tom,
I am not a developer, i am just a dba but unfortunatkey i landed my self in to building application using html db. I created a application from spread sheet for recording tasks done by employees.Say i have 4 employees:1.smith
2.john
3.mary
4.scott
in hierarchial order. Their username in html db is also same. If smith logs in he should be able to see tasks of all the other three in the table.If john logs in he should be able to see mary and scott only and like wise.
Can you tell me how to accomplish this in html db ?
thanks in advance
January 02, 2006 - 10:05 am UTC
"I am just a DBA" :) Thanks for that laugh...
This sounds like VPD - Virtual Private Database - also known as FGAC - Fine Grained Access Control.
</code>
http://asktom.oracle.com/~tkyte/article2/index.html <code>
Alternatively, you could just query for data using a query such as this:
select *
from emp
where empno in ( select empno
from emp
start with ENAME = :BIND_USER_NAME_HERE
connect by prior empno = mgr)
User level
Abdul, January 03, 2006 - 1:39 am UTC
Hello Tom,
Sorry Tom i didnt get the complete answer from your last update.The query you gave is excellent but it depends on fields in the table. The main issue here is working in HTML db. I don't know where and what code to write here . In forms with PL/SQL editors/triggers etc. where is it here?
Its not practical to have the user duly fill up his empno or his mgr no every time he creates a task. So how can i automate this update to few fields in HTML DB?
If mgr and emp no gets updated automatically based on user then it will make sence.
tahnk you tom.Its always good to see teacher laugh!
January 03, 2006 - 7:29 am UTC
You got a complete answer???
did you read the article on fine grained access control? it turns "select * from emp" into that query above (assuming you use that predicate in the security policy)
Or, just create a view and have htmldb go after that...
User level
Abdul, January 03, 2006 - 8:20 am UTC
Hi again Tom,
Create view like what? the probelm is when i am logged in htmldb i want to user :APP_USER to return me result according to the user? How should i refer APP_USER of html into database view?
Or just tell me this.. suppose i have to text fields on my html page text1 and text2. I enter SCOTT in text1.Now tell me where to write what code in the html attributes so that it populates the text2 with mgr no(hard coded logic).
If i know this much i will work around my requirement! Thanks for spending time on my problem tom.
January 03, 2006 - 8:41 am UTC
pop it into an application context - using the same technique as VPD would.
so your application calls a procedure that can set "my_ctx" and puts the app_user in there, a view:
select *
from emp
where empno in ( select empno
from emp
start with ENAME = sys_context( 'my_ctx', 'app_user' )
connect by prior empno = mgr)
will either return
o nothing when the context is not set
o data you are allowed to see when it is set
user level
abdul, January 04, 2006 - 12:35 am UTC
Hello Tom,
Ok getting required data issue solved, what about another question regarding html db? how to populate one text field automatically based on the value entered in another text field on the page? In forms i can put code in pl/sql editor as
If :text1:='SCOTT' then :text2:='1732' ...
So how to trigger a code on items in html db? where should i code such condition?
Thank you
January 04, 2006 - 8:49 am UTC
that sounds like "user written javascript" to me perhaps.
OS_USER; credential or envvar?
Mark Brady, March 01, 2012 - 10:10 am UTC
Tom,
Should the OS_USER be considered a credential or an environment variable? From what I've seen from security analysis, OS_USER is a value passed from the client and can be set to any value. To me, this sounds like the purpose is for some auditing or such but NOT for security.
This is my advice to some colleagues here. Their next question was, is this still a vulnerability in 11g. To which I replied, It's not a vulnerability, it's by design.
Do you find fault with my statements?
March 01, 2012 - 1:34 pm UTC
the OS_USER is pushed by the client. It is good for auditing.
Finding Original OSUser
Shimmy, September 18, 2015 - 1:45 pm UTC
I am log on to Linux using my userid and then su to another user. This user then runs
sqlplus /
When I execute
select sys_context( 'userenv', 'os_user' ) from dual;
It's giving me the su user.
In Linux, if I run logname, I do see my username.
Is there a way to find the original username/id from sqlplus?
September 18, 2015 - 11:47 pm UTC
I dont think this is possible, because once you make a database connection, its a new process, running as that of the database owner. It's not as if we are still in the shell you created.
Gotcha
A reader, March 02, 2018 - 12:52 pm UTC
This ist exactly what i was looking for.
Works like a charm.
Big thanks :)
SYS_CONTEXT ('USERENV', 'OS_USER');
sanket, June 29, 2018 - 2:27 pm UTC
I have a very simple javascript code in oracle procedure which us used for fetching the Username for Active Directory as my application don't have any user interface.
htp.p('function disp_alert()');
htp.p('{');
htp.p('var WinNetwork = new ActiveXObject("WScript.Network")');
htp.p(' WinNetwork = WinNetwork.UserName');
htp.p('alert(WinNetwork)');
htp.p('}');
It throws exception ActiveXObject creation error: Automation server can't create object
I tried changing browser setting script ActiveX controls marked safe for scripting to enable and it worked.
But in my case the application is accessed by users in client network and we can't tweak security settings as its security breach.
We have 3 tier architecture OHS- Weblogic- Application Server with SYS_CONTEXT ('USERENV', 'OS_USER') control got pass to Schema user..Could you please advise, how to achieve Client userid who hit the application url ??
June 30, 2018 - 7:36 am UTC
There's a good reason why most framework do not allow to grab information about the client...its a big security risk, hence the reason most of these things are blocked by browsers.
The better option (in my opinion) is single sign on, so people login to your application with their windows credentials, and hence you now have the username directly in your application
Fetching user name from AD.
sanket, July 12, 2018 - 6:58 am UTC
Ref. to above my application is Open application, Anyone in a domain Network can access it and don't have user interface. So their is no authentication as such. The motive is got the Lan User id from AD of user hit the application url. Application all page html coding is done at Oracle Package and procedure level.When user hit the url its invokes the Oracle Package and load html content from the package (and this time control passes to Su user).
Application Architecture
Browser - > OHS -> Application Servier (Sun Solaris) - >DB server
Could you please guide how SSO will help in this case or any Other alternative how to fetch the AD userid details and store in DB.?
July 12, 2018 - 10:13 am UTC
"So there is no authentication as such."
but you want to track who is using the application. That strikes me as being a contradiction.
Anyway, a friend Niels did a nice set of slides on SSO for Apex applications, which gives a good starting point on SSO via http and the like.
https://www.slideshare.net/nielsdb/single-signon-for-apex-apps