Skip Headers
Oracle® Database JDBC Developer's Guide and Reference,
11g Release 1 (11.1)

Part Number B31224-01
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

10 Proxy Authentication

Oracle Java Database Connectivity (JDBC) provides proxy authentication, also called N-tier authentication. This feature is supported through both the JDBC Oracle Call Interface (OCI) driver and the JDBC Thin driver. This chapter contains the following sections:


Oracle Database supports proxy authentication functionality in three tiers only. It does not support it across multiple middle tiers.

About Proxy Authentication

Proxy authentication is the process of using a middle-tier for user authentication. You can design a middle-tier server to proxy clients in a secure fashion by using the following three forms of proxy authentication:

In all cases, an administrator must authorize the middle-tier server to proxy a client, that is, to act on behalf of the client. Operations done on behalf of a client by a middle-tier server can be audited. Issue the following command to authorize the middle-tier server to proxy a client:


where, scott is the name of the proxy user.

You can also:


In this chapter, a JDBC connection to a database is a user session in the database and vice versa.

You need to use the different fields and methods present in the oracle.jdbc.OracleConnection interface to set up the different types of proxy connections.

Types of Proxy Connections

You can create proxy connections using any one of the following options:


  • All the options can be associated with roles.

  • When opening a new proxied connection, a new session is started on the database server. Along with this session a new local transaction is created.

Creating Proxy Connections

A user, say jeff, has to connect to the database through another user, say scott. The proxy user, scott, should have an active authenticated connection. A proxy session is then created on this active connection, with the driver issuing a command to the server to create a session for the user, jeff. The server returns the new session id, and the driver sends a session switch command to switch to this new session.

The JDBC OCI and Thin driver switch sessions in the same manner. The drivers permanently switch to the new session, jeff. As a result, the proxy session, scott, is not available until the new session, jeff, is closed.


You can use the isProxySession method from the oracle.jdbc.OracleConnection interface to check if the current session associated with your connection is a proxy session. This method returns true if the current session associated with the connection is a proxy session.

A new proxy session is opened by using the following method from the oracle.jdbc.OracleConnection interface:

void openProxySession(int type, java.util.Properties prop) throws SQLExceptionOpens


type is the type of the proxy session and can have the following values:

prop is the property value of the proxy session and can have the following values:

The following code snippet shows the use of the openProxySession method:

java.util.Properties prop = new java.util.Properties();
    prop.put(OracleConnection.PROXY_USER_NAME, "jeff");
    String[] roles = {"role1", "role2"};
    prop.put(OracleConnection.PROXY_ROLES, roles);
    conn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);

Closing a Proxy Session

You can close the proxy session opened with the OracleConnection.openProxySession method by passing the OracleConnection.PROXY_SESSION parameter to the OracleConnection.close method in the following way:


This is similar to closing a proxy session on a non-cached connection. The standard close method must be called explicitly to close the connection itself. If the close method is called directly, without closing the proxy session, then both the proxy session and the connection are closed. This can be achieved in the following way:


Caching Proxy Connections

Proxy connections, like standard connections, can be cached. Caching proxy connections enhances the performance. To cache a proxy connection, you need to create a connection using one of the getConnection methods on a cache enabled OracleDataSource object.

A proxy connection may be cached in the connection cache using the connection attributes feature of the connection cache. Connection attributes are name/value pairs that are user-defined and help tag a connection before returning it to the connection cache for reuse. When the tagged connection is retrieved, it can be directly used without having to do a round-trip to create or close a proxy session. Implicit connection cache supports caching of any user/password authenticated connection. Therefore, any user authenticated proxy connection can be cached and retrieved.

It is recommended that proxy connections should not be closed without applying the connection attributes. If a proxy connection is closed without applying the connection attributes, the connection is returned to the connection cache for reuse, but cannot be retrieved. The connection caching mechanism does not remember or reset session state.

A proxy connection can be removed from the connection cache by closing the connection directly.