Ask the Expert

Best practices for secure user creation

I have a question regarding best practice for user creation/security within the database. When creating a new application, should we design a table containing multiple usernames and corresponding encrypted password in the database i.e. implement application-level security for the application.

OR

Should multiple database level users (like scott etc.) be created i.e. for each application user a corresponding database user is created and database level security be maintained.

    Requires Free Membership to View

There's no substitute for securing the data. Security programmed in the application can still be circumvented by connecting directly to the database (or attempting to). Plus, with one application user that has a superset of all privileges needed by any application user, one breach can allow access to all the database data very easily.

I would establish database accounts for each user, but actually connecting to the database with individual user accounts would eliminate the usefulness of database connection pooling. Plus, you'd incur the overhead of establishing a new database connection each time a user logs in to the application.

I'd investigate the Proxy Authentication mechanism that was created precisely to address this situation. It is not difficult to configure on the database end, but the application will have to connect differently to utilize this feature. The Oracle9i documentation for Proxy Authentication begins here: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/users.htm#17433.

This was first published in April 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: