Database Reference
In-Depth Information
1. Include the OracleJavaSecure.class and RevLvlClassIntfc.class files in his
CLASSPATH (we provide a jar file).
2. Write an Application ID inner class that implements RevLvlClassIntfc and
Serializable.
3. Call OracleJavaSecure.setAppContext() method, passing his application
name, ID class, and two-factor authentication code (yes, he will have to handle
the loop from the first request to make a second call with the two-factor code).
4. Ask OracleJavaSecure for the Oracle connections he needs by calling the
getAppAuthConn() method.
In the end, we are able to provide some Oracle connections to the developer's application. Those
connections are based on connection strings (including passwords) that are transmitted and maintained
securely, in encrypted form.
Get an Oracle Connection from the List for an Application
Our getAppAuthConn() method provides connections based on the list of connection strings that already
exists in memory. However, this is a great starting place, because if the connection strings do not already
exist in memory, getAppAuthConn() calls the getAppConnections() method to retrieve them from the Oracle
database, based on the application ID class. This is shown in Listing 10-39.
We also test whether appAuthSessionSecretDESKey is null. This will be the case when we call
this method for the first time—we will not have generated or received our two-factor
authentication code. If it is null, we return a null, which lets the application know it
needs to loop and let the user come again with a two-factor code. When we have provided the
two-factor code and we call this method again, then we will have exchanged keys and
appAuthSessionSecretDESKey will not be null.
Listing 10-39. Get an Oracle Connection from the List, getAppAuthConn()
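public static OracleConnection getAppAuthConn( String instance, String userName ) {
    OracleConnection mConn = null;
    try {
        // Load the encrypted connection strings on first use
        if( null == connsHash ) getAppConnections();
        // If we entered without twoFactorAuth, apAuth...DESKey is null
        if( null == appAuthSessionSecretDESKey ) return mConn;
        instance = instance.trim();
        userName = userName.trim();
        // Entries are keyed as INSTANCE/USERNAME
        String key = ( instance + "/" + userName ).toUpperCase();
        appAuthCipherDES.init( Cipher.DECRYPT_MODE, appAuthSessionSecretDESKey,
            appAuthParamSpec );
        // Decrypt the stored connection string and use it at once to build the connection
        mConn = setConnection( new String( appAuthCipherDES.doFinal(
            connsHash.get( key ).getBytes() ) ) );
    } catch( Exception x ) {
        // Error handling is not shown in this excerpt; on failure the method returns null
        x.printStackTrace();
    }
    return mConn;
}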
We need to observe two facts about this method. First, it returns an OracleConnection, not a
connection string. In fact, we discard the connection string in relatively short order to reduce the
possibility of exposing the clear-text password. Second, the connections we return are configured to
proxy through an application user in order to pass further SSO testing.
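The pattern described above, as an added stand-alone sketch that is not the book's OracleJavaSecure code: the cache holds only ciphertext, a missing session key or unknown entry yields null, and the clear-text string is handed to a callback rather than returned. AES-GCM is swapped in for the listing's DES cipher, and ConnCacheDemo, store(), the connect callback and the sample connection string are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.function.Function;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class ConnCacheDemo {
    // Hypothetical stand-ins for connsHash and appAuthSessionSecretDESKey
    static final Map<String, byte[]> connsHash = new HashMap<>();
    static SecretKey sessionKey; // stays null until the two-factor exchange has completed

    static String key(String instance, String userName) {
        return (instance.trim() + "/" + userName.trim()).toUpperCase();
    }
    // Encrypts a connection string under the session key; record layout is IV || ciphertext+tag
    static void store(String instance, String userName, String connString) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh IV for every record
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(connString.getBytes(StandardCharsets.UTF_8));
        byte[] rec = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, rec, iv.length, ct.length);
        connsHash.put(key(instance, userName), rec);
    }
    // Returns what connect() builds, never the string itself; null = no key yet or unknown entry
    static <T> T getAppAuthConn(String instance, String userName,
                                Function<String, T> connect) throws Exception {
        if (sessionKey == null) return null; // caller must loop back with a two-factor code
        byte[] rec = connsHash.get(key(instance, userName));
        if (rec == null) return null;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(128, rec, 0, 12));
        byte[] clear = c.doFinal(rec, 12, rec.length - 12);
        try {
            return connect.apply(new String(clear, StandardCharsets.UTF_8));
        } finally {
            Arrays.fill(clear, (byte) 0); // wipes the byte buffer; the String copy lives until GC
        }
    }
    public static void main(String[] args) throws Exception {
        Integer before = getAppAuthConn("orcl", "appusr", String::length); // no session key yet
        sessionKey = KeyGenerator.getInstance("AES").generateKey();
        // Constructed sample connection string, not a real credential
        store("ORCL", "APPUSR", "jdbc:oracle:thin:appusr/constructed-pw@//db.example:1521/orcl");
        Integer found = getAppAuthConn(" orcl ", "appusr", String::length); // trimmed, upper-cased
        Integer missing = getAppAuthConn("orcl", "nobody", String::length);
        System.out.println(before + " " + (found != null) + " " + missing);
    }
}
```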
We get the specific connection string that was requested by concatenating the instance name and
user name that were requested in the arguments to this method call. As with all data coming from
 