Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "event 28131, event 28119 and Row Level Security"] [Next entry: "Colin Maxwell talks about reducing the scope for encryption"]

A new paper on HTMLDB and VPD



I saw the short note in Sergio's weblog about the using VPD (Virtual Private Database) with HTMLDB. VPD can of course be used with any method that accesses the data in the database. This is its strength as it protects access to the data at source.

The blog entry Sergio refers to a new technical note "Using Virtual Private Database in an Oracle HTML DB Application" written by Scott Spendolini, Sergio Leunissen, and David Knox (the author of the recent 10g security book published with Oracle press).

This is quite a good paper that looks at how VPD, FGA, RLS - what else can Oracle think of to call it :) :), can be used with an HTMLDB application. I have written a two part paper myself about Row Level Security and how to use it and protect its use.

This article about VPD and HTML DB is a very good concise article that goes through the basics of how to set up VPD with a simple example that then goes on to show how it can be tested in SQL*Plus. The authors then create a sample application in HTML DB and a test user and show that the VPD policies still work from either SQL*Plus or from HTML DB. The key is the use of a function called V that tests the HTML DB user against a value in session memory for the logged in user from HTML DB.

A very good article, again it is here.