I have a question regarding best practice for user creation/security within the database. When creating a new application,
should we design a table containing multiple usernames and corresponding encrypted password in the database i.e. implement application-level security for the application.
Should multiple database level users (like scott etc.) be created i.e. for each application user a corresponding database user is created and database level security be maintained.
There's no substitute for securing the data. Security programmed in the application can still be circumvented by connecting directly to the database (or attempting to). Plus, with one application user that has a superset of all privileges needed by any application user, one breach can allow access to all the database data very easily.
I would establish database accounts for each user, but actually connecting to the database with individual user accounts would eliminate the usefulness of database connection pooling. Plus, you'd incur the overhead of establishing a new database connection each time a user logs in to the application.
I'd investigate the Proxy Authentication mechanism that was created precisely to address this situation. It is not difficult to configure on the database end, but the application will have to connect differently to utilize this feature. The Oracle9i documentation for Proxy Authentication begins here: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/users.htm#17433.
Dig deeper on Oracle database security
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.