|
Explanation: Oracle9i allows you to enable a role through a package. It uses the SYS_CONTEXT mechanism to authenticate user access. The Secure Application role removes the requirement to embed a password in the application itself. When your application starts up, you should enable the roles for the application by using the SET ROLE statement. Prior to Oracle9i, your application would have to try to hide the role password by encrypting it. The application itself became the weakest link in the chain. If someone discovered the password, any application could enable the role and gain access to the information. Any user who had access to the application code could in fact discover the embedded password. In Oracle9i, SET ROLE does not use a password to enable a role; instead, it invokes the associated procedure that authenticates the role. This procedure can also use SYS_CONTEXT to access session information and set up fine-grained access control.

Incorrect Answers: 2: The application does not have to store the password itself.

Reference: OCP Oracle9i Database: New Features for Administrators, Daniel Benjamin, p. 10-24, Chapter 1: Security Enhancements. Oracle 9i New Features, Robert Freeman, p. 132-135, Chapter 5: Miscellaneous Oracle9i Features and Enhancements.
|