今天在做看OCP的时候有道题是关于应用安全角色的,不是很明白,在网上找了个例子按照步骤验证了下.

QUESTION 48

You want to create a role to meet these requirements:

1. The role is to be protected from unauthorized usage.

2. The password of the role is not to be embedded in the application source code or stored in a table.

Which method would you use to restrict enabling of such roles?

A. Create the role with external authentication.

B. Create the role as a secure application role.

C. Create the role as a password-protected role.

D. Create a role and use Fine-Grained Access Control (FGAC) to secure the role.

Correct Answer: B

Section: (none)

Explanation

有点:启用角色时通过包，而不是通过密码。

1.建立一个名为secure_user的应用用户，只有create session权限或其他权限，但不具有查询ldy用户下表的权限。

create user secure_user identified by oracle;

grant create session to secure_user;

 

2.创建1个安全角色，此时认证使用的过程包不需要已经存在(auth_role)。赋予对hxl.tb_test01表的查询权限。

create role secure_role identified using hxl.auth_role;

grant select on hxl.tb_test01 to secure_role;

 

3.创建权限信息表。目的是为了限制应用用户从指定IP连接上来才具有安全角色权限。

表结构如下

create table hxl.auth_roles

(

username varchar2(50),

role varchar2(50),

ip_address  varchar2(50),

enabled  number

);

表内容如下：

insert into ldy.auth_roles values ('SECURE_USER','SECURE_ROLE','192.168.2.84',1);

192.168.2.84这个是我客户端机器的ip,下面的存储过程需要通过该ip限制授权

4.创建验证的包和包体

需要包含AUTHID CURRENT_USER子句：

create or replace procedure ldy.auth_role

AUTHID CURRENT_USER

as

cursor vc is

SELECT role

FROM ldy.AUTH_ROLES

WHERE username = upper(sys_context('userenv','current_user'))

AND ip_address = upper(sys_context('userenv','ip_address'))

AND enabled=1;

v_role ldy.auth_roles.role%TYPE;

begin

open vc;

loop

 fetch vc into v_role;

  IF vc%ROWCOUNT = 0 THEN

    raise_application_error(-20123,'This IP has Invalid Privilege',false);

  END IF;

 exit when vc%notfound; /*客户端ip和用户都满足查询条件才设置权限*/

 dbms_session.set_role(v_role);

end loop;

exception

  when others then

  dbms_output.put_line(dbms_utility.format_error_stack);

END;

5.分配权限

grant execute on hxl.auth_role to secure_user;

grant select on hxl.auth_roles to secure_user;

grant secure_role to secure_user;

alter user secure_user default role all except secure_role;

 

6.测试连接

从IP 192.168.2.84连接

$ sqlplus secure_user/oracle@three_slnngk

SQL> exec hxl.auth_role;

 

PL/SQL procedure successfully completed.

 

SQL> select count(*) from hxl.tb_test;

 

  COUNT(*)

----------

     10

 

从其他IP连接

$ sqlplus secure_user/oracle@three_slnngk

SQL> exec hxl.auth_role;

 

PL/SQL procedure successfully completed.

 

SQL> select count(*) from hxl.tb_test;

select count(*) from hxl.tb_test

                         *

ERROR at line 1:

ORA-00942: table or view does not exist

 

 

-- The End --