...
GRANT EXECUTE ON appsec.appsec_public_pkg TO PUBLIC;
For now, we will be proxying from a variety of users through appver to submit the connsHash to f_set_decrypt_conns, so we will grant execute to PUBLIC on the package appsec_public_pkg.
Obviously, we do not want just anybody submitting objects to this function, so we need to protect it
in one or more of the following ways:
1. Revoke the GRANT EXECUTE on f_set_decrypt_conns from PUBLIC, and add grants only to those users (OS user names) who need access.
2. Protect the code used to accomplish this function—separate it out into an administrative application.
3. Implement some additional test in this code, possibly checking for a user's existence (listing) in an Oracle table, built for this purpose.
We will do all of these things in Chapters 11 and 12.
Method to Store List of Connection Strings for Application
Certain actions that we might take are considered risky or uncertain in Java. Java is a strongly typed
language, so it doesn't abide uncertainty in object type identity. However, in cases where we are in
control of both the origination and the receipt of the object, we can ignore any warnings in this regard
and proceed.
In the setDecryptConns() method given in Listings 10-26 through 10-35, we engage in such an endeavor. We will be reading an object from an ObjectInputStream and then treating it as if we know what kind of object it is. We do this twice. First, we read in the application inner class object and then call its getRevLvl() method, assuming it has the wherewithal to respond. The second case is when we read in the connsHash object and cast it as a HashMap.
When compiling, javac will report to us that there are “unchecked or unsafe operations”. We can, by way of the @SuppressWarnings( "unchecked" ) annotation, ask javac not to bother us. That annotation applies directly to the method that follows, and only to that method. Notice in Listing 10-26 that there is no punctuation between the annotation and the method declaration. Unfortunately, those annotations are not accepted in the Oracle JVM, so we need to comment them out and just live with the compile-time warnings.
Listing 10-26. SuppressWarnings() Annotation, setDecryptConns()
    @SuppressWarnings( "unchecked" )
    public static String setDecryptConns( RAW classInstance, RAW connections ) {
        String rtrnString = "function";
        OracleCallableStatement stmt = null;
        try {
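As an added example (not code from the book), one way to avoid trusting the connsHash cast blindly is to restrict which classes the ObjectInputStream will resolve and then verify each entry's type before use. It assumes connsHash holds String keys and String values; CheckedConnsHash, AllowListStream and readConnsHash are hypothetical names, and the sample map is constructed.

```java
import java.io.*;
import java.util.*;

public class CheckedConnsHash {
    // Assumption: connsHash maps String keys to String values; adjust to the real types.
    private static final Set<String> ALLOWED =
        new HashSet<String>(Arrays.asList("java.util.HashMap"));

    // ObjectInputStream that refuses any class descriptor not on the allow list,
    // so an unexpected class is rejected before it is instantiated.
    static final class AllowListStream extends ObjectInputStream {
        AllowListStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not allowed");
            }
            return super.resolveClass(desc);
        }
    }

    // Reads the map and verifies every entry, so no unchecked cast is needed.
    static HashMap<String, String> readConnsHash(byte[] bytes)
            throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new AllowListStream(new ByteArrayInputStream(bytes));
        try {
            Object o = ois.readObject();
            if (!(o instanceof HashMap)) throw new InvalidObjectException("not a HashMap");
            HashMap<String, String> checked = new HashMap<String, String>();
            for (Map.Entry<?, ?> e : ((HashMap<?, ?>) o).entrySet()) {
                if (!(e.getKey() instanceof String) || !(e.getValue() instanceof String))
                    throw new InvalidObjectException("unexpected entry type");
                checked.put((String) e.getKey(), (String) e.getValue());
            }
            return checked;
        } finally { ois.close(); }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, String> sample = new HashMap<String, String>(); // constructed sample
        sample.put("orcl:appusr", "constructed-placeholder-value");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(sample); oos.close();
        System.out.println(readConnsHash(bos.toByteArray()));
    }
}
```

Because the entries are copied into a typed map after instanceof checks, this method compiles without the "unchecked" warning and needs no @SuppressWarnings annotation.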
Build a Class from a Byte Array
Getting a class back from the RAW data type that we received on the Oracle database is the flipside of what we saw earlier when we converted our class objects into byte arrays. The first step here in Listing 10-27,