The results of this query will resemble the following. JAVA_ADMIN has a grant to SocketPermission on
installation.
"USER#" "NAME" "NAME_1" "TYPE_NAME"
"40" "JAVA_ADMIN" "0:java.net.SocketPermission#*" "oracle.aurora.rdbms...
"93" "SECADM_ROLE" "0:java.net.SocketPermission#*" "oracle.aurora.rdbms...
We are delegating a limited permission to manage the policy regarding opening sockets (network
ports) to the secadm_role. There are other policies we might grant, like the policy regarding opening files
on the Oracle server file system, but we don't need that here.
Permitting Application Security User to Read Web Pages
Now, as the secadm user, let's grant permission for our application security user, appsec, to actually
open a port to the web server that sends text messages to our corporate pagers. Change the name and
port number of your web server, as required, then execute the code in Listing 9-4 as the secadm user.
Listing 9-4. Grant Socket Permission to Application Security User
CALL DBMS_JAVA.GRANT_PERMISSION(
    'APPSEC',
    'java.net.SocketPermission',
    'www.org.com:80',
    'connect, resolve'
);
By this Java permission grant, we are heavily restricting what can actually be done.
• We will only permit connections to a specific server at a specific port, e.g., www.org.com:80.
• We will only permit one user to open the connection, appsec.
• And we will only allow the “connect” and “resolve” actions, which are sufficient to read a web page (and via the GET method, submit data in the URL). We need the resolve action so that we (in the Oracle database) can do a DNS lookup/name resolution on (for example) www.org.com, to find the IP address. We need the connect action so that we can actually establish a connection on a network port. Those are actions that are not permitted by default from the Oracle JVM security sandbox.
This call to GRANT_PERMISSION will likely throw an “uncaught Java exception” error. We cannot fix
that, and it's nothing to worry about. Perhaps Oracle doesn't expect us to call procedures in the
DBMS_JAVA package from the SQL command line.
Testing our ability to read web pages from Java on the Oracle database will require that we configure
a Java stored procedure and update our Java code. Let's wait and test the fully functional code after we
write it.
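Because the GRANT_PERMISSION call may report an error, it is worth confirming what was actually recorded in the Java policy table. The following query is an added example, not part of the original listings; it assumes the session can select from the DBA_JAVA_POLICY dictionary view, and the SCOPE and DIRECTION labels are invented here for review purposes.

```sql
-- Added example: review socket-related entries in the Oracle JVM policy table.
-- Assumption: the session has SELECT access to DBA_JAVA_POLICY.
-- The first WHERE branch finds actual socket grants (such as APPSEC's);
-- the second finds PolicyTablePermission rows that delegate management of
-- socket policy (such as the JAVA_ADMIN and SECADM_ROLE rows shown earlier).
SELECT seq,
       kind,                          -- GRANT or RESTRICT
       grantee,
       type_name,
       name      AS target,
       action,
       enabled,
       CASE
         WHEN type_name <> 'java.net.SocketPermission'
              THEN 'POLICY MANAGEMENT'
         WHEN name = '*' OR name LIKE '*:%'
              THEN 'ANY HOST'
         WHEN name LIKE '*.%'
              THEN 'WILDCARD DOMAIN'
         WHEN name NOT LIKE '%:%'
              THEN 'NO PORT GIVEN'
         WHEN REGEXP_LIKE(name, ':[0-9]*-[0-9]*$')
              THEN 'PORT RANGE'
         ELSE 'SPECIFIC HOST AND PORT'
       END       AS scope,
       CASE
         WHEN type_name <> 'java.net.SocketPermission'
              THEN NULL
         WHEN REGEXP_LIKE(action, 'listen|accept', 'i')
              THEN 'INBOUND ALLOWED'
         ELSE 'OUTBOUND ONLY'
       END       AS direction
FROM   dba_java_policy
WHERE  type_name = 'java.net.SocketPermission'
   OR  name LIKE '%java.net.SocketPermission#%'
ORDER  BY grantee, name;
```

A grant made as in Listing 9-4 should appear with grantee APPSEC and a specific host and port; rows scoped more broadly than that deserve a second look.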
 