I currently have 2-tier Windows applications that connect directly to Oracle
to perform data operations. The connection method that I currently employ
is to store user names and passwords (encrypted, of course) in an Oracle
table. A Windows application requests username and password information
from a user. The application then connects to Oracle using a "guest"
account that has no privileges other than the ability to query the password
table and checks the information that the user entered to authenticate.
What I need to do now is move to a 3-tier system and I am not sure how to do
the authentication to Oracle. It is obviously still possible for a Windows
application to request username and password information from a user, but
then how do I get that information passed through the middle-tier to Oracle
and back again to tell the Windows application that authentication was
successful or not? I realize that I could simply pass the username and
password to the middle-tier application and then have it authenticate with
that information, however, then the middle-tier application will know the
password for that user and I would prefer not to expose that kind of
information in the middle-tier.
I guess what I am looking for is an idea how to do the authentication in a
3-tier system with as little security risk as possible. I would appreciate
any information that anyone can provide that has done the 3-tier thing
already with success.
Thanks.