Skip to main content
D
dunask123
Participant
April 28, 2010
Question

Problem: Oracle auditing and Coldfusion pages.

  • April 28, 2010
  • 2 replies
  • 702 views

Oracle 10g has robust auditing functionality.  If you want to see who is inserting records into account.staff, you issue this command.

audit insert on account.staff by access;

It's done.   All inserts into the table are tracked by Oracle automatically.

The good news is this works perfectly with asp pages.  With coldfusion-based webpages, the CF application server interposes itself between oracle and the user.  The result?  Key bits of auditing information (i.e., user id, pc IP address) are replaced with the Cold Fusion server values.

For example, instead of seeing the user’s ID, or name the audit trail has SYSTEM.  Instead of the user’s pc hostname we see the CF server name and IP address.

·         Building table specific triggers using USERENV('sessionid')in Oracle does not help

·         Using cgi variables in the CF pages like REMOTE_ADDR  (IP address of the remote host making the request) or REMOTE_USER  or AUTH_USER  also does not offer reliable information either.

What is the fix?

Our setup.  We are using:

Oracle 10g with auditing enabled

Coldfusion server version 8.0.0.176276

Windows 2003 server

Internet Information Server version 6.0

Windows integrated authentication

All web auditing via IIS 6.0 works fine.  It is just Oracle auditing that is a problem.

Thank you.

    This topic has been closed for replies.

    2 replies

    A
    Anonymous
    May 6, 2010

    jdbc; the user isn't requesting the connection, it is CF, which then keeps it open for other user requests -> it is the server who appears in the ora userenv properties (fairly standard for tiered arch). gb java

    if u connected as a user to ora directly, then you'd see the users pc/id. Normally in these sort of tiers you would send info to the db to say "Hi, I'm bob, I'd like to update the my user record to super admin" and the db would the audit this and say something like  "ok" or "sorry bob, you don't have access to update yourself to this level"; I'd imagine you'r prolly doing this logic in the application and then saying to the db "Hi, I may/may not be bob, but I'm updating bob's user record to the super admin" and the db would say "No probs, done and I've recorded that bob told me to do it" - authentication vs authorisation!

    J
    JR__Bob__Dobbs-qSBHQ2
    Inspiring
    April 30, 2010

    I'm not familiar with Oracle; but I'll take a guess as to why the behavior is different between ASP and CF.  I suspect that the ASP pages access the database using Windows integrated authentication and impersonation of users.  If user bob@example.com logs into the ASP site the bob@example.com credentials are used for database access, and this is reflected in Oracle's auditing.  ColdFusion does not use integrated authentication so all data access is handled as the user credentials setup in the CF data source and using the IP of the CF server.  I don't think that this can be changed.  As far as I know CF does not support impersonation of Windows accounts.  However, I'm not an Oracle expect so if any of this is wrong please correct me.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices