oracle 在oracle中创建密码字段
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2161610/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
creating password field in oracle
提问by deven
What is the use of "The Secure External Password Store"?
“安全外部密码存储”有什么用?
And can I create password field in my Oracle table using "The Secure External Password Store"? Or how can I create password field in my Oracle table without using "The Secure External Password Store"?
我可以使用“安全外部密码存储”在我的 Oracle 表中创建密码字段吗?或者如何在不使用“安全外部密码存储”的情况下在我的 Oracle 表中创建密码字段?
回答by Tony Andrews
One method without using "The Secure External Password Store" (whatever that may be) is to add a RAW(16) column to the table to store a hashed username and password:
一种不使用“安全外部密码存储”(无论是什么)的方法是向表中添加一个 RAW(16) 列来存储散列的用户名和密码:
alter table mytable add password raw(16);
Then store the hashed username and password in it like this:
然后将散列的用户名和密码存储在其中,如下所示:
insert into mytable (username, password, ...)
values (:username, dbms_obfuscation_toolkit.md5
(input => utl_i18n.string_to_raw
(upper(:username)||:password))
);
Then when a user tries to log in with a username and password you can check them like this:
然后,当用户尝试使用用户名和密码登录时,您可以像这样检查它们:
select 'OK'
from mytable
where username = :username
and password = dbms_obfuscation_toolkit.md5
(input => utl_i18n.string_to_raw
(upper(:username)||:password));
This way nobody can find out what the stored password is (other than by brute force).
这样没有人可以找出存储的密码是什么(除了蛮力)。
回答by APC
The secure external password store is not designed for regular user accounts. It is aimed at securely holding passords for accounts which need to connect to the database from autonomic processes (like, say, shell scripts ):
安全外部密码存储不是为普通用户帐户设计的。它旨在为需要从自主进程(例如 shell 脚本)连接到数据库的帐户安全地保存密码:
The secure external password store uses an Oracle Wallet to hold one or more user name/password combinations to run batch processes and other tasks that run without user interaction.
安全外部密码存储使用 Oracle Wallet 保存一个或多个用户名/密码组合,以运行批处理和其他无需用户交互即可运行的任务。
了解更多。
Why are you wanting to store user passwords in the database? If you want users to connect through individually identifiable accounts, use Oracle's USER functionality. If you are building a web site and your users will be connecting through a generic user then the authentication is best managed through something in the middle tier which authenticates against Active Directory (or whatever) through LDAP (or whatever).
为什么要在数据库中存储用户密码?如果您希望用户通过可单独识别的帐户进行连接,请使用 Oracle 的 USER 功能。如果您正在构建一个网站并且您的用户将通过通用用户进行连接,那么最好通过中间层中的某些东西来管理身份验证,该中间层通过 LDAP(或其他)针对 Active Directory(或其他)进行身份验证。
But if you really want to roll your own authentication then using a one-way hash as Tony suggests is the way to go. However, if you are on a recent release of Oracle (and your interest in the secure external password store suggests you are on 10g at least) then you ought to use DBMS_CRYPTO.HASH() with the SHA-1 algorithmrather than the older MD5.
但是,如果您真的想推出自己的身份验证,那么使用 Tony 建议的单向哈希是可行的方法。但是,如果您使用的是最新版本的 Oracle(并且您对安全外部密码存储的兴趣表明您至少使用 10g),那么您应该使用DBMS_CRYPTO.HASH() 和 SHA-1 算法而不是旧的 MD5 .
