OS Authentication questions

OS Authentication questions

Postby osdm » Thu 19 Aug 2010 15:51

Hi!

I have an ASP.NET application that uses DevArt dotConnect for Oracle, and I need to adapt it for Windows authentication. It creates connections to Oracle database using identity supplied from the client browser (yes, I know that it is not the most efficient solution, but still I need it). In Windows authentication case users in Oracle database would be authenticated using Active Directory (IDENTIFIED EXTERNALLY). As far as I know, this feature is called "OS Authentication" in DevArt dotConnect for Oracle.

1. Given WindowsIdentity, how should I proceed to make connection with this identity? Would WindowsIdentity.Impersonate be enough? Or I need to turn on ASP.NET impersonate=true option?

2. How would connection pooling work in this case? Connection string would be the same for all users, but still different users should use different connections. Application is already written for using connection pooling, I'm afraid that turning it off would severely affect performance.

Thanks for help,
Dmitry
osdm
 
Posts: 3
Joined: Thu 19 Aug 2010 11:25

Postby Shalex » Fri 20 Aug 2010 13:59

Please refer to http://www.devart.com/forums/viewtopic.php?t=18273.
1. I cannot check which exact impersonation settings should be made because of our network architecture (please follow the walkthrough from the link above to set up OS Authentication and play with these settings).
2.
Connection string would be the same for all users, but still different users should use different connections.

Could you please explain what you mean? Assuming all your connection strings will be the same ("Data Source=ServerX;"), all connections should be placed to the same pool. Although your application will accept different http connections, it will use only one impersonation (of the host where it will be deployed).
Shalex
Devart Team
 
Posts: 7839
Joined: Thu 14 Aug 2008 12:44

Postby osdm » Fri 20 Aug 2010 19:09

Shalex wrote:Could you please explain what you mean? Assuming all your connection strings will be the same ("Data Source=ServerX;"), all connections should be placed to the same pool. Although your application will accept different http connections, it will use only one impersonation (of the host where it will be deployed).


Impersonation in .NET is per thread. So, if my application is processing two requests from different users at the same time, then there would be two threads impersonating two different users. And each thread should create connections to Oracle database using impersonating identity. So there should be two different connections into Oracle with different users. Is this possible? And is it possible to use connection pooling in this scenario?
osdm
 
Posts: 3
Joined: Thu 19 Aug 2010 11:25

Postby Shalex » Sat 21 Aug 2010 14:46

osdm wrote:...So there should be two different connections into Oracle with different users...

OS Authentication is based on the Windows user, an application (process) of which connects to the server. As I understand your scenario, there will be only one connection pool because all connections will have the same connection string. We recommend you to use the dbMonitor tool that traces database events and shows information about used connection pools and their connections:
http://www.devart.com/dbmonitor/dbmon3.exe
http://www.devart.com/dotconnect/oracle ... nitor.html
Shalex
Devart Team
 
Posts: 7839
Joined: Thu 14 Aug 2008 12:44

Postby osdm » Tue 31 Aug 2010 17:39

OK, I found the other way to get around my problem - proxy users. Unfortunately, there is too little information and samples in your documentation. Which way do you recommend in my situation (ASP.NET application): using OciSessionPooling and OciSessionPoolUserId or going with OracleConnection.Open? What are the upsides and downsides of this options?
osdm
 
Posts: 3
Joined: Thu 19 Aug 2010 11:25

Postby Shalex » Wed 01 Sep 2010 12:02

As I understand, you are choosing between proxy connections with OCI Session Pooling and proxy connections without pooling. Here is information from Oracle documentation about proxy connections and using them with OCI Session Pooling:
With proper setup in the database, proxy authentication enables middle-tier applications to control the security by preserving database user identities and privileges, and auditing actions taken on behalf of these users. This is accomplished by creating and using a proxy database user that connects and authenticates against the database on behalf of a database user (that is, the real user) or database users.

Proxy authentication can then be used to provide better scalability with connection pooling. When connection pooling is used in conjunction with proxy authentication, the proxy authenticated connections can be shared among different real users. This is because only the connection and session established for the proxy is cached. An additional session is created for the real user when a proxy authenticated connection is requested, but it will be destroyed appropriately when the proxy authenticated connection is placed back into the pool. This design enables the application to scale well without sacrificing security.

OCI Session Pooling is a feature of Oracle Client.
Shalex
Devart Team
 
Posts: 7839
Joined: Thu 14 Aug 2008 12:44


Return to dotConnect for Oracle