Oracle Tips by Burleson
Chapter 4 General Oracle Security
Note the use of the function. It does not return the value of the
user's password. Instead it returns YES if the password supplied by
the user is correct and NO if it is not. This is loosely analogous to
challenge-response authentication: the caller presents a candidate
password and receives only a yes-or-no verdict. The application user
never needs to know the stored (encrypted or hashed) value of the
password, and the function never hands it out.
The function is owned by a user who is not otherwise involved in the
application's processing. The authors recommend a user id called
SECUSER that owns all security-related objects. In this case SECUSER
owns the function and grants execute privilege on it to APPUSER1 and
APPUSER2 (or more, if
When the application user APPUSER1 needs to authenticate, he or she
calls the function in the
The user never learns the
value of the password string stored inside. All he or she knows is that
the password is app1 and that the function answers YES or NO.
Even if the user APPUSER1 selects from the table
'APPUSER1','app1') = 'YES'
is not authenticated
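The following PL/SQL is an added example of the SECUSER/APPUSER1 pattern described above; it is not the book's own script. The table name APP_CREDENTIALS and the routines PW_DIGEST, SET_PASSWORD and CHECK_PASSWORD are assumed names. It stores a salted SHA-256 digest rather than an encrypted password (a swap from whatever the book's script does), and it assumes Oracle 12c or later for DBMS_CRYPTO.HASH_SH256 and that SYS has granted EXECUTE ON DBMS_CRYPTO to SECUSER. Run it connected as SECUSER.

```sql
-- Added example, not from the book. Assumed names: SECUSER owns everything
-- below; APP_CREDENTIALS, PW_DIGEST, SET_PASSWORD and CHECK_PASSWORD are
-- hypothetical. Assumes Oracle 12c+ (DBMS_CRYPTO.HASH_SH256) and that SYS
-- has run:  GRANT EXECUTE ON DBMS_CRYPTO TO secuser;

-- Stored credentials: a per-user random salt and SHA-256(salt || password).
-- Nothing reversible is kept, so there is no "decrypted value" to protect.
CREATE TABLE app_credentials (
  username VARCHAR2(30) PRIMARY KEY,
  salt     RAW(16)      NOT NULL,
  pw_hash  RAW(32)      NOT NULL
);

-- Private helper: digest of salt || UTF-8 bytes of the candidate password.
CREATE OR REPLACE FUNCTION pw_digest(p_salt IN RAW, p_password IN VARCHAR2)
  RETURN RAW
IS
BEGIN
  RETURN DBMS_CRYPTO.HASH(
           UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
           DBMS_CRYPTO.HASH_SH256);
END pw_digest;
/

-- Enrol or reset a user; a fresh salt is drawn on every change.
CREATE OR REPLACE PROCEDURE set_password(p_user IN VARCHAR2, p_password IN VARCHAR2)
IS
  l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
BEGIN
  MERGE INTO app_credentials c
  USING (SELECT UPPER(p_user) AS username FROM dual) s
  ON (c.username = s.username)
  WHEN MATCHED THEN
    UPDATE SET c.salt = l_salt, c.pw_hash = pw_digest(l_salt, p_password)
  WHEN NOT MATCHED THEN
    INSERT (username, salt, pw_hash)
    VALUES (s.username, l_salt, pw_digest(l_salt, p_password));
END set_password;
/

-- The verifier that application users call. AUTHID DEFINER (the default)
-- means it runs with SECUSER's rights, so callers need no privilege on
-- APP_CREDENTIALS, and the only thing that can come back is YES or NO.
CREATE OR REPLACE FUNCTION check_password(p_user IN VARCHAR2, p_password IN VARCHAR2)
  RETURN VARCHAR2
  AUTHID DEFINER
IS
  l_salt RAW(16);
  l_hash RAW(32);
BEGIN
  SELECT salt, pw_hash
    INTO l_salt, l_hash
    FROM app_credentials
   WHERE username = UPPER(p_user);

  IF pw_digest(l_salt, p_password) = l_hash THEN
    RETURN 'YES';
  END IF;
  RETURN 'NO';
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN 'NO';   -- unknown user gets the same answer as a wrong password
END check_password;
/

-- Only EXECUTE on the verifier is granted. There is deliberately no
-- GRANT SELECT ON app_credentials, so the hashes never leave SECUSER's schema.
GRANT EXECUTE ON check_password TO appuser1, appuser2;

-- Enrol a test user as SECUSER, then verify from APPUSER1's session:
--   EXEC secuser.set_password('APPUSER1', 'app1');
--   SELECT secuser.check_password('APPUSER1', 'app1')  FROM dual;
--   SELECT secuser.check_password('APPUSER1', 'wrong') FROM dual;
```

The first SELECT from APPUSER1's session returns YES and the second NO, and a `SELECT * FROM secuser.app_credentials` from that session fails with ORA-00942 (table or view does not exist) because no SELECT was granted. Two caveats a practitioner should keep in mind: the function answers a YES/NO oracle to anyone holding EXECUTE, so online guessing is still possible and failed calls should be throttled or logged by the application; and a salted single-round SHA-256 is fast to brute-force offline if the table is ever exposed, so a deliberately slow key-derivation function is preferable where the database version offers one.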
The above text is an excerpt from Oracle Privacy Security Auditing.