Hi!
I have an ASP.NET application that uses DevArt dotConnect for Oracle, and I need to adapt it for Windows authentication. It creates connections to Oracle database using identity supplied from the client browser (yes, I know that it is not the most efficient solution, but still I need it). In Windows authentication case users in Oracle database would be authenticated using Active Directory (IDENTIFIED EXTERNALLY). As far as I know, this feature is called "OS Authentication" in DevArt dotConnect for Oracle.
1. Given WindowsIdentity, how should I proceed to make connection with this identity? Would WindowsIdentity.Impersonate be enough? Or do I need to turn on ASP.NET impersonate=true option?
2. How would connection pooling work in this case? Connection string would be the same for all users, but still different users should use different connections. Application is already written for using connection pooling, I'm afraid that turning it off would severely affect performance.
Thanks for help,
Dmitry
OS Authentication questions
Please refer to http://www.devart.com/forums/viewtopic.php?t=18273.
1. I cannot check which exact impersonation settings should be made because of our network architecture (please follow the walkthrough from the link above to set up OS Authentication and play with these settings).
2.
"Connection string would be the same for all users, but still different users should use different connections."
Could you please explain what you mean? Assuming all your connection strings will be the same ("Data Source=ServerX;"), all connections should be placed to the same pool. Although your application will accept different http connections, it will use only one impersonation (of the host where it will be deployed).
Shalex wrote: Could you please explain what you mean? Assuming all your connection strings will be the same ("Data Source=ServerX;"), all connections should be placed to the same pool. Although your application will accept different http connections, it will use only one impersonation (of the host where it will be deployed).
Impersonation in .NET is per thread. So, if my application is processing two requests from different users at the same time, then there would be two threads impersonating two different users. And each thread should create connections to Oracle database using impersonating identity. So there should be two different connections into Oracle with different users. Is this possible? And is it possible to use connection pooling in this scenario?
osdm wrote: ...So there should be two different connections into Oracle with different users...
OS Authentication is based on the Windows user, an application (process) of which connects to the server. As I understand your scenario, there will be only one connection pool because all connections will have the same connection string. We recommend you to use the dbMonitor tool that traces database events and shows information about used connection pools and their connections:
http://www.devart.com/dbmonitor/dbmon3.exe
http://www.devart.com/dotconnect/oracle ... nitor.html
OK, I found the other way to get around my problem - proxy users. Unfortunately, there is too little information and samples in your documentation. Which way do you recommend in my situation (ASP.NET application): using OciSessionPooling and OciSessionPoolUserId or going with OracleConnection.Open? What are the upsides and downsides of these options?
As I understand, you are choosing between proxy connections with OCI Session Pooling and proxy connections without pooling. Here is information from Oracle documentation about proxy connections and using them with OCI Session Pooling:
"With proper setup in the database, proxy authentication enables middle-tier applications to control the security by preserving database user identities and privileges, and auditing actions taken on behalf of these users. This is accomplished by creating and using a proxy database user that connects and authenticates against the database on behalf of a database user (that is, the real user) or database users.
"Proxy authentication can then be used to provide better scalability with connection pooling. When connection pooling is used in conjunction with proxy authentication, the proxy authenticated connections can be shared among different real users. This is because only the connection and session established for the proxy is cached. An additional session is created for the real user when a proxy authenticated connection is requested, but it will be destroyed appropriately when the proxy authenticated connection is placed back into the pool. This design enables the application to scale well without sacrificing security."
OCI Session Pooling is a feature of Oracle Client.
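The database-side setup that the quoted Oracle text refers to as "proper setup", as an added example that is not part of the original thread and not Devart's code. The names app_proxy, alice, app_user_role and app_owner.orders are hypothetical, and the passwords are placeholders.

```sql
-- Added example: all account, role and table names below are hypothetical.

-- 1. Proxy (middle-tier) account. It holds only the right to log on;
--    the pooled connection is opened with these credentials.
CREATE USER app_proxy IDENTIFIED BY "placeholder_proxy_password";
GRANT CREATE SESSION TO app_proxy;

-- 2. Real end user. Data privileges are granted through a role,
--    never to the proxy account itself.
CREATE ROLE app_user_role;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_user_role;

-- The middle tier does not need to know this password when it proxies.
CREATE USER alice IDENTIFIED BY "placeholder_user_password";
GRANT CREATE SESSION TO alice;
GRANT app_user_role TO alice;

-- 3. Let app_proxy open sessions on behalf of alice, and restrict
--    those proxied sessions to a single role.
ALTER USER alice GRANT CONNECT THROUGH app_proxy WITH ROLE app_user_role;

-- 4. Review which proxy account may act for which real user.
SELECT proxy, client FROM proxy_users ORDER BY proxy, client;

-- 5. Run inside a proxied session: the real user is the session user,
--    and the proxy account stays visible for auditing.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_account,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS real_user
FROM dual;

-- 6. Withdraw the proxy right when the user no longer needs the application.
ALTER USER alice REVOKE CONNECT THROUGH app_proxy;
```

In a session opened directly as alice, the query in step 5 returns NULL for proxy_account, which makes it a quick check that the application is really going through the proxy.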