auditing actual user

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

auditing actual user

Jeff Lisk

I’m creating a new ASP.Net web application that is utilizing iBatis.net and I’ve run into an issue that I need some suggestions with. The web application is using forms authentication for external users and Windows authentication for internal users. The database connection is using a generic user and is configured within the sqlmap.config file. Okay, here’s the issue. From an auditing perspective, I need the ability to actually log in the database the actual person that is signed on to the web application not the generic user that the database connection is under. Oracle provides two potential mechanisms to accomplish this, Proxy Authentication or a Client Identifier (http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_masteringdotnet.html). Both options require that I set dynamic data (username/pw) either on the connection string or the connection. I found a post on the FAQs that addresses this issue (http://opensource.atlassian.com/confluence/oss/display/IBATIS/How+do+I+set+the+connection+string+per+user+in+Web+context). Is this the recommended approach? This is a need that any large system would have and I expected the functionality to be more “baked” into iBatis. Has anyone successfully utilized Oracle’s Proxy Authentication or Client Identifier with iBatis?

 

Thanks,

 

Jeff Lisk
[hidden email]