NO AUTHENTICATION and PROXY ONLY CONNECT [message #683054] |
Mon, 30 November 2020 08:33  |
John Watson
Messages: 8707 Registered: January 2010 Location: Global Village
|
Senior Member |
|
|
Release 18 introduced schema only users without any sort of password, eg,create user abc no authentication; very useful: they can store all your objects, but you cannot connect to them directly, only through a proxy. But 12.1 had already introduced proxy only accounts, eg,alter user scott proxy only connect; Either technique must be better than the old way, where you create all your objects in accounts that you lock and expire the password.
But why would you use one rather than the other? In terms of functionality and security they seem identical to me.
Thank you for any insight.
|
|
|
|
Re: NO AUTHENTICATION and PROXY ONLY CONNECT [message #683340 is a reply to message #683339] |
Thu, 31 December 2020 05:23  |
John Watson
Messages: 8707 Registered: January 2010 Location: Global Village
|
Senior Member |
|
|
A nice piece of reverse engineering on the spare1 usage. I did the check:orclz>
orclz> create user test1 no authentication;
User created.
orclz> create user test2 proxy only connect;
User created.
orclz> select name,spare1 from user$ where name like 'TEST%';
NAME SPARE1
------------------------------ ---------------
TEST1 65536
TEST2 67584
orclz> alter user test1 identified by abc;
User altered.
orclz> alter user test2 identified by abc;
User altered.
orclz> select name,spare1 from user$ where name like 'TEST%';
NAME SPARE1
------------------------------ ---------------
TEST1 0
TEST2 2048
orclz> alter user test2 cancel proxy only connect;
User altered.
orclz> select name,spare1 from user$ where name like 'TEST%';
NAME SPARE1
------------------------------ ---------------
TEST1 0
TEST2 0
orclz> There really doesn't seem to be a lot of documentation about this. I'm beginning to suspect that PROXY ONLY may be a facility intended for use with JDBC connection pools. The docs docs talk a lot about persistent connections switching identity. I've never done that except for APEX, where ORDS does it all for you. Whereas NO AUTHENTICATION would be for client-server applications such as EBS, which are basically client-server Forms.
Thanks for the research.
|
|
|