We have already configured the Network ACL for appsec to be able to open port 25 on your SMTP
mail host, but for each session we also need to tell the UTL_MAIL package to use that server as our SMTP
host. As appsec, we add a property to our Oracle session that the UTL_MAIL package will read:
ALTER SESSION SET SMTP_OUT_SERVER = 'smtp.org.com';
Then we send an e-mail message. The arguments we provide are our e-mail address, the address of the
recipient, two empty strings for the cc and bcc lists, the title of the message, and the text of the message.
CALL UTL_MAIL.SEND( 'myname@org.com', 'myname@org.com', '', '',
'Response','2FactorCode' );
Getting Oracle Database to Browse Web Pages
Besides sending two-factor authentication pass codes by e-mail/SMS to cell phones (and possibly e-mail
accounts), we are going to send the pass codes to pagers. At our company, we send text messages to
corporate pagers from a web page interface. This may or may not be the approach you will need to take
to distribute two-factor authentication pass codes to pagers; however, it is relevant to any message
distribution, because e-mail and web services are the primary modes of text messaging distribution from
a user application.
Delegating Java Policy to Security Administrator
We already saw how we can add an ACL to allow a user to open a port. Now, in order to open a port as a
Java stored procedure, we will need to grant Java security permissions. We are, in effect, allowing Java to
perform an activity that is normally denied by the Oracle JVM security sandbox.
First, we will have SYS or a DBA delegate the policy permission to manage specific Java sandbox
privileges to our security administrator, the secadm user. As SYS, do this with the code in Listing 9-3.
Listing 9-3. Grant Policy for Security Administrator to Grant Socket Permissions
CALL DBMS_JAVA.GRANT_POLICY_PERMISSION(
'SECADM_ROLE', 'SYS',
'java.net.SocketPermission',
'*');
COMMIT;
The DBMS_JAVA.GRANT_POLICY_PERMISSION command specifies secadm_role as the recipient of the
permission. SYS is the schema in which the grant is effective. The kind of permission being granted is a
SocketPermission. And secadm_role can thereby manage any socket (*).
Confirm that the Java policy permission has been granted with the following command. The policies
are granted to a grantee number, GRANTEE#. We look up the name of that user in the USER$ table, where
the user number, USER#, matches the grantee number.
SELECT u.user#, u.name, p.name, p.type_name, p.action
FROM sys.user$ u, sys.java$policy$ p
WHERE p.name LIKE '%java.net.SocketPermission%'
AND p.grantee# = u.user#;
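As a follow-on check, here is an added example (not from the original text) that reviews socket-related Java policy through the DBA_JAVA_POLICY view and separates the delegation row from direct socket grants, followed by a host-and-port scoped grant as the narrow alternative to a wildcard. It assumes the delegation is stored as a PolicyTablePermission row whose name embeds the permission class; the host pager-gateway.example.org and port 80 are constructed placeholders.

```sql
-- Added example, not the book's code. Run as a user who can read DBA_JAVA_POLICY.
-- The view already resolves GRANTEE# to a name, so no join to SYS.USER$ is needed.
SELECT p.grantee,
       p.kind,                 -- GRANT or RESTRICT
       p.type_name,
       p.name,
       p.action,
       p.enabled,
       CASE
         -- Assumption: delegation rows carry this type and a name that embeds
         -- the delegated class, e.g. '...java.net.SocketPermission#*'
         WHEN p.type_name = 'oracle.aurora.rdbms.security.PolicyTablePermission'
           THEN 'DELEGATION: grantee may grant this permission to others'
         -- A SocketPermission name that starts with * matches many hosts
         WHEN p.name LIKE '*%'
           THEN 'DIRECT, WILDCARD HOST: narrow to host:port'
         ELSE 'DIRECT, SCOPED'
       END AS finding
FROM   dba_java_policy p
WHERE  p.name LIKE '%java.net.SocketPermission%'   -- delegation rows
   OR  p.type_name = 'java.net.SocketPermission'   -- direct socket grants
ORDER  BY finding, p.grantee;

-- As secadm (with secadm_role enabled): grant appsec only the one endpoint
-- it needs instead of '*'. Host and port below are constructed placeholders.
CALL DBMS_JAVA.GRANT_PERMISSION(
    'APPSEC',
    'SYS:java.net.SocketPermission',
    'pager-gateway.example.org:80',
    'connect,resolve');
COMMIT;
```

Rows reported as DIRECT, WILDCARD HOST are the ones to revisit, since the delegation in Listing 9-3 lets secadm_role issue them for any socket.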