users@glassfish.java.net

Re: Oracle User Proxy on a database connection?

From: Jagadish Prasath Ramu <Jagadish.Ramu_at_Sun.COM>
Date: Mon, 08 Nov 2010 15:42:43 +0530

IIUC, your requirement is to have the users of application-server
security-domain mapped to Oracle database server security-domain and
whenever an application is accessed with application-server's
credentials (eg: caller-in-role), it should get mapped to Oracle
database server credentials.

eg:
When the calling component's role corresponds to app-server user "AS-1",
database access by the calling component should be through the mapped
database user for "AS-1", eg: "DB-1".
"DB-1" can/may be a proxy user to actual user "Real-DB-1" which is
transparent to application/application-server.

Such mapping (AS-1 -> DB-1) is possible for a connector-connection-pool
using "security-map", but not for jdbc-connection-pools. Please refer my
response to the other thread :
https://glassfish.dev.java.net/servlets/ReadMsg?list=users&msgNo=51172

Thanks,
-Jagadish


On Mon, 2010-11-01 at 17:11 -0700, Gregory Gerard wrote:
> I'd like to use proxy users as described here:
> http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:21575905259251
>
> This seems to solve my problem of not having strong database auditing and row-level / column-level permissions -- I'm paying for Oracle, why not leverage the database to the fullest extent assuming no concern for lock-in.
>
> So what does this look like in JEE6/GlassFish 3.x and JPA2? This discusses JPA2 but I need to know what the ramifications are with GlassFish and EJB 3.1 SessionBeans -- will they work or am I just hosed?
> http://wiki.eclipse.org/Configuring_a_EclipseLink_JPA_Application_(ELUG)
>
> It seems like I cannot use JTA transactions. :(
> http://wiki.eclipse.org/Introduction_to_Data_Access_%28ELUG%29#Authentication
>
> What else isn't going to work? Seems like a lot of this should be in appservers -- the feature has been around in Oracle for 6+ years now but the information about it sparse (and a lot of searches are bad because of the generic term "proxy")
>
> Help me Obi-Wan, you're my only hope.
>
> greg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>