@OracleIMC Partner Resources & Training: Discover your Modernization options + Reach new potential through Innovation

Introducing Real Database Security for Web Applications

Webcast: Securing Your Business Inside Out

Oracle Database 12c provides multi-layered security spanning preventive, detective, and administrative controls. Amongst others, Oracle Database 12c provides a new declarative and granular authorization model with the introduction of the Real Application Security feature. Oracle Database 12c Real Application Security (RAS) provides a declarative model that enables security policies that encompass not only the business objects being protected but also the principals (users and roles) that have permissions to operate on those business objects. RAS is more secure, scalable, and cost effective than traditional Oracle virtual private database technology, as it applies security policies at the database layer. So those policies are applied to the data and is not relying on the security built in into an application (like VPD). 

Oracle Database Real Application Security is a database authorization model that:

  • Supports declarative security policies.
  • Enables end-to-end security for multitier applications.
  • Provides an integrated solution to secure database and application resources.
  • Advances the security architecture of Oracle Database to meet existing and emerging demands of applications developed for the Internet.

Traditional security was designed for client/server systems. These systems had a significantly smaller number of users than newer applications designed for the Internet. When application developers found traditional security inadequate, they often moved it from the database layer to the application layer. To accomplish this, developers frequently built their own tables and defined their own application users.

Because security was encoded in the application layer, rather than in the database, application users and application roles were typically known only to the application. In other words, database users were not application-level users, hence the user identity was not known during the access control decision in the database.

Furthermore, database operations were limited to DDLs and DMLs that do not represent application-level tasks or operations, hence the operation context was also not known during the access control decision in the database. These practices exposed the database to vulnerability.

Real Application Security is designed to:

  • Manage application security for application users rather than database users
  • Enable developers to manage security for application level tasks
  • Enable application user identity to be known during security enforcement
  • Enable developers to return security to the database layer, either incrementally, or all at once
  • Another aspect of security is auditing in an Oracle Database Real Application Security environment

Disadvantages of Traditional Security for Managing Application Users

Using the traditional security model, it was often difficult to manage three-tier applications, especially when performing these security tasks:

  • Extending security policies independent of application code.
  • Enforcing security policies at the database level, where the application user is unknown.
  • Enforcing least privilege principle as full access is granted to highly privileged two-tier components.

Advantages of Real Application Security

Real Application Security enables these security tasks, which improve database security and performance:

  • Three-tier and two-tier applications can declaratively define, provide, and enforce access control requirements at the database layer.
  • The database can provide a uniform security model across all tiers and support multiple application user stores, including the associated roles, authentication credentials, database attributes, and application-defined attributes.
  • This model enables application users to have a single unique global identity across an Oracle enterprise.
  • An Oracle database can natively support the application security context. The database supports integrated policy specification and enforcement for both the application and the database, so the application does not need to do this through application code. Because the database stores the application security context information, this also reduces network traffic.
  • Developers can use Real Application Security to control application user access to data in an Oracle database throughout all components of an Oracle enterprise in a common manner.

Architecture of Real Application Security

Real Application Security is managed through a collection of PL/SQL and Java APIs. This architecture that enables you to configure its components—application users, application roles, sessions, and other security-related components. With Real Application Security, you configure application counterparts to the traditional user, role, and session, through the use of entities, which are stored in tables.

See bellow the various components used in Oracle Database Real Application Security. This includes application users, application roles, access control lists, security classes, and application sessions. 


Web applications establishing application sessions to the database can now benefit from Real Application Security (RAS). A database authorization solution for end-to-end application security. For more information please review the following:

Real Application Security Administrator's and Developer's Guide

Real Application Security Java API Reference (Javadoc)

Find out more about Securing Oracle Database 12c, through the bellow Complimentary Technical Primer ebook


Use Code: db12c

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.