
Oracle secure application role example

While going through OCP questions today I hit one about secure application roles that I did not fully understand, so I found an example online and verified it step by step.
QUESTION 48
You want to create a role to meet these requirements:
1. The role is to be protected from unauthorized usage.
2. The password of the role is not to be embedded in the application source code or stored in a table.
Which method would you use to restrict enabling of such roles?
A. Create the role with external authentication.
B. Create the role as a secure application role.
C. Create the role as a password-protected role.
D. Create a role and use Fine-Grained Access Control (FGAC) to secure the role.
Correct Answer: B
Key point: the role is enabled through a package or procedure, not through a password.
1. Create an application user named secure_user that has only CREATE SESSION (or other unrelated privileges) but no privilege to query tables in the hxl schema.
create user secure_user identified by oracle;
grant create session to secure_user;
 
2. Create a secure application role. At this point the procedure named in IDENTIFIED USING (auth_role) does not need to exist yet. Grant the role SELECT on hxl.tb_test.
create role secure_role identified using hxl.auth_role;
grant select on hxl.tb_test to secure_role;
 
3. Create the privilege information table. Its purpose is to ensure the application user only receives the secure role's privileges when connecting from a designated IP address.
The table structure is as follows:
create table hxl.auth_roles
(
  username    varchar2(50),
  role        varchar2(50),
  ip_address  varchar2(50),
  enabled     number
);
The table contents are as follows:
insert into hxl.auth_roles values ('SECURE_USER','SECURE_ROLE','192.168.2.84',1);
192.168.2.84 is the IP of my client machine; the stored procedure below uses this IP to restrict authorization.


4. Create the authentication procedure.
It must include the AUTHID CURRENT_USER clause:
create or replace procedure hxl.auth_role
AUTHID CURRENT_USER   -- invoker's rights: required for the procedure that enables a secure application role
as
  cursor vc is
    SELECT role
      FROM hxl.auth_roles
     WHERE username   = upper(sys_context('userenv','current_user'))
       AND ip_address = upper(sys_context('userenv','ip_address'))
       AND enabled    = 1;
  v_role hxl.auth_roles.role%TYPE;
begin
  open vc;
  loop
    fetch vc into v_role;
    -- no matching row: this user/IP pair is not authorised for the role
    IF vc%ROWCOUNT = 0 THEN
      raise_application_error(-20123,'This IP has Invalid Privilege',false);
    END IF;
    exit when vc%notfound; /* the role is set only when both client IP and user match */
    dbms_session.set_role(v_role);
  end loop;
  close vc;
exception
  when others then
    -- note: this handler swallows the error, so the call still reports
    -- "successfully completed"; the message is only visible with SET SERVEROUTPUT ON
    dbms_output.put_line(dbms_utility.format_error_stack);
END;
/

5. Grant privileges

grant execute on hxl.auth_role to secure_user;
grant select on hxl.auth_roles to secure_user;
grant secure_role to secure_user;
alter user secure_user default role all except secure_role;
 
6. Test the connection
Connect from IP 192.168.2.84 (the TNS alias in the original was lost to extraction; <tns_alias> is a placeholder):
$ sqlplus secure_user/oracle@<tns_alias>


SQL> exec hxl.auth_role;
 
PL/SQL procedure successfully completed.
 
SQL> select count(*) from hxl.tb_test;
 
  COUNT(*)
----------
     10
 
Connect from a different IP:
$ sqlplus secure_user/oracle@<tns_alias>


SQL> exec hxl.auth_role;
 
PL/SQL procedure successfully completed.
 
SQL> select count(*) from hxl.tb_test;
select count(*) from hxl.tb_test
                         *
ERROR at line 1:
ORA-00942: table or view does not exist
 
 
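As an added example (not code from the original post), here is the same procedure tightened so that a denied request fails loudly instead of being swallowed by the WHEN OTHERS handler, followed by a query that confirms which roles the session actually holds. It assumes the hxl schema, the auth_roles table and the secure_role from the steps above.

```sql
-- Added example, not the original post's code. Assumes hxl.auth_roles and
-- secure_role exist as created in steps 2 and 3.
create or replace procedure hxl.auth_role
authid current_user      -- invoker's rights is mandatory for a secure application role
as
  v_role hxl.auth_roles.role%type;
  v_user varchar2(128) := sys_context('userenv', 'current_user');
  v_ip   varchar2(64)  := sys_context('userenv', 'ip_address'); -- NULL on local (bequeath) connections
begin
  -- Exactly one enabled row must match the connecting user and its client IP.
  select role
    into v_role
    from hxl.auth_roles
   where username   = upper(v_user)
     and ip_address = v_ip
     and enabled    = 1;

  -- Only the procedure named in IDENTIFIED USING may enable the role.
  -- SET ROLE replaces the session's current role set with the one given here.
  dbms_session.set_role(v_role);
exception
  when no_data_found then
    -- Re-raise instead of printing: the caller sees ORA-20123 and no role is set.
    raise_application_error(-20123,
      'User ' || v_user || ' may not enable a role from IP ' || nvl(v_ip, '(local)'));
  when too_many_rows then
    raise_application_error(-20124,
      'Ambiguous auth_roles entries for ' || v_user || ' at ' || v_ip);
end;
/

-- Run in the client session after EXEC hxl.auth_role: SECURE_ROLE is listed
-- only when the procedure succeeded, which is a clearer check than relying on
-- "PL/SQL procedure successfully completed".
select role from session_roles order by role;
```

With this version the connection from the unlisted IP fails at the EXEC step with ORA-20123 rather than later with ORA-00942.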
-- The End --