Application Authorization - Expert Oracle and Java Security

Database Reference

In-Depth Information

artifacts of our local RSA public key, the modulus and exponent, and the two-factor authentication code

(if provided).

Our OUT parameters, besides the error message, are the four encrypted artifacts of our shared secret

password key and the connsHash object associated with the application ID object that we are submitting.

Listing 10-41. Procedure Call to Get List of Application Connection Strings, p_get_app_conns

stmt = ( OracleCallableStatement )conn.prepareCall(

"CALL appsec.appsec_public_pkg.p_get_app_conns(?,?,?,?,?,?,?,?,?,?,?,?)" );

stmt.registerOutParameter( 5, OracleTypes.RAW );

stmt.registerOutParameter( 6, OracleTypes.RAW );

stmt.registerOutParameter( 7, OracleTypes.RAW );

stmt.registerOutParameter( 8, OracleTypes.RAW );

stmt.registerOutParameter( 9, OracleTypes.RAW );

stmt.registerOutParameter(11, OracleTypes.NUMBER );

stmt.registerOutParameter(12, OracleTypes.VARCHAR );

stmt.setString( 1, locModulus );

stmt.setString( 2, locExponent );

stmt. setString( 3, twoFactorAuth ) ;

stmt. setBytes( 4, appClassBytes ) ;

stmt.setNull( 5, OracleTypes.RAW );

stmt.setNull( 6, OracleTypes.RAW );

stmt.setNull( 7, OracleTypes.RAW );

stmt.setNull( 8, OracleTypes.RAW );

stmt.setNull( 9, OracleTypes.RAW );

stmt. setString(10, applicationID ) ;

stmt.setInt( 11, 0 );

stmt.setNull( 12, OracleTypes.VARCHAR );

stmt.executeUpdate();

...

if( null == stmt.getRAW( 9 ) ) {

System.out.println( "Please rerun with two-factor Auth Code!" );

return ;

}

if( null == sessionSecretDESKey ) {

makeDESKey ( stmt.getRAW( 9 ), stmt.getRAW( 8 ),

stmt.getRAW( 6 ), stmt.getRAW( 7 ) );

We check to see whether any error is being reported. If not, we test one of the values returned as our

shared password key artifacts, stmt.getRAW( 9 ) . If it is null, we assume that the Oracle database has just

now sent a two-factor code and must wait until the client application returns with a two-factor code to

proceed. We ask the client to rerun this method with a two-factor code and exit (return from) this

method.

Based on the artifacts of our shared password key, we build the key by calling the makeDESKey()

method. The test of whether the sessionSecretDESKey is currently null is unnecessary during normal

operation, but feels more complete. I can't think of an instance where we would arrive here and the

sessionSecretDESKey not be null .

Expert Oracle and Java Security

Search WWH ::

Custom Search

Home