Friday, October 4, 2002 07:03 AM
Am I doing the correct thing?
Are you sure you want a one-to-one correspondence between database user accounts and Web user accounts?
A connection pool, by definition, only uses one single database user account. Are you going to then have a separate connection pool for each of your users? (obviously not)
Oracle's own password encryption and storage is intended for comparing internally by Oracle's own login mechanism, when someone logs in to the database as a db user. I don't think (I could be wrong) it's intended as an API where you would externally validate entered passwords yourself, against the encrypted ones that Oracle maintains internally.
But, if you have to validate entered passwords against an encrypted version, you'll have to perform the encryption yourself and compare the result. (I just don't think you can do this with Oracle, unless you actually take the entered password and try logging in to the database as the db user, but then you've got another db connection, one for each Web login, no connection pooling, etc., and you might as well just let everybody run SQL*Plus themselves or something...)
Generally Web applications have their own set of Web user accounts. These are maintained in some database tables but are not the same as database user accounts. You store the Web passwords in your own table with your own encryption scheme so you can control it for authentication, for validating entered passwords.
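The last paragraph describes the usual design: a Web application keeps its own user table, separate from database accounts, and verifies entered passwords against what it stored there while the application itself talks to the database through a pooled connection under one database account. The example below is an added illustration of that design and is not code from the original post or from any product it mentions. It stores a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library) rather than reversible encryption, because verification only ever needs to compare, never to recover the password; the table name `web_users`, the record format, and the iteration count are assumptions chosen for the example, and an in-memory SQLite database stands in for the real application database.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; tune for your hardware).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$hash_hex'.

    Storing the algorithm and iteration count alongside the hash lets the
    application raise the work factor later without invalidating old records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != ALGORITHM:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed record: treat as failed verification, never as success
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hash of a constructed dummy password, used so that authentication of an unknown
# username costs the same time as a real one (reduces username enumeration by timing).
_DUMMY_RECORD = hash_password("dummy-password-for-timing-equalisation")


class WebUserStore:
    """The application's own user table, separate from database accounts.

    The application reaches the database through one shared connection (in a
    real deployment, one pooled connection under a single database account).
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS web_users ("
            "  username TEXT PRIMARY KEY,"
            "  password_record TEXT NOT NULL)"
        )

    def create_user(self, username: str, password: str) -> None:
        self.conn.execute(
            "INSERT INTO web_users (username, password_record) VALUES (?, ?)",
            (username, hash_password(password)),
        )
        self.conn.commit()

    def authenticate(self, username: str, password: str) -> bool:
        row = self.conn.execute(
            "SELECT password_record FROM web_users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            verify_password(password, _DUMMY_RECORD)  # burn the same work, then refuse
            return False
        return verify_password(password, row[0])


def demo() -> dict:
    """Constructed walk-through: create one Web user, then try three logins."""
    store = WebUserStore(sqlite3.connect(":memory:"))
    store.create_user("alice", "correct horse battery staple")
    return {
        "right_password": store.authenticate("alice", "correct horse battery staple"),
        "wrong_password": store.authenticate("alice", "Correct horse battery staple"),
        "unknown_user": store.authenticate("mallory", "anything"),
    }


if __name__ == "__main__":
    print(demo())  # {'right_password': True, 'wrong_password': False, 'unknown_user': False}
```

Because the record carries its own algorithm name and iteration count, the application can re-hash a user's password with a higher work factor at their next successful login; the database account used by the connection pool never needs to change, and the Web user table never holds anything from which a password can be recovered.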