Add Other Authentication Credentials
We are not limited to storing only Oracle connection strings in v_app_conn_registry. Recall that the HashMap is simply a list of string keys and associated string values. Once you get the HashMap back to your application, you can request a specific value based on any key you please.

Of course you could store connection strings, or at least passwords, for connections to non-Oracle databases. You might also store such things as passwords for secure FTP connections. Our current methods in OracleJavaSecure are tailored for storing Oracle connection strings, but you could add a method for storing, for example, secure FTP passwords. Listing 11-39 shows a sample method you might employ.
Listing 11-39. Example Method for Storing Other (FTP) Credentials
public static void putAppFTPString( String key, String password ) {
    // Encrypt the password with the session DES key and parameter spec (IV)
    appAuthCipherDES.init( Cipher.ENCRYPT_MODE,
        appAuthSessionSecretDESKey, appAuthParamSpec );
    byte[] bA = appAuthCipherDES.doFinal( password.getBytes() );
    // Prefix the key with "FTP" so FTP entries are kept apart from Oracle entries
    connsHash.put( "FTP" + key, new RAW( bA ) );
}
For security purposes, you would want to devise your method (as shown) to prepend the key with the string "FTP" or something similar. We would use this as a filter to keep this method from decrypting non-FTP entries in the connsHash list. Listing 11-40 provides an example method for getting FTP passwords from connsHash.
Listing 11-40. Example Method for Retrieving Other (FTP) Credentials

private static String getAppFTPString( String key ) {
    // Re-initialize the shared cipher for decryption before use
    appAuthCipherDES.init( Cipher.DECRYPT_MODE,
        appAuthSessionSecretDESKey, appAuthParamSpec );
    // Only entries stored under the "FTP" prefix are looked up and decrypted
    return new String(
        appAuthCipherDES.doFinal( connsHash.get( "FTP" + key ).getBytes() ) );
}
Notice that this method is designated as private. You would want another method in OracleJavaSecure that establishes the FTP connection and returns the connection to the client application, rather than returning the clear-text FTP password to the application. We do not want to give our passwords to applications.
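The following is an added example, not code from the book or from OracleJavaSecure, that puts the two listings together as one self-contained class: the "FTP" key prefix acts as a namespace filter, the getter stays private, and the only public entry point uses the password on the application's behalf without returning it. It assumes a plain in-memory Map<String, byte[]> in place of connsHash and Oracle's RAW type, AES-GCM with a per-entry random IV in place of the book's DES cipher and fixed parameter spec (a swapped-in technique, not the book's), and a hypothetical FtpLogin interface standing in for whatever FTP client the real method would call.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Stand-in for the OracleJavaSecure credential registry: an in-memory map
// playing the role of connsHash (byte[] instead of Oracle's RAW type).
public class FtpCredentialRegistry {
    private static final String FTP_PREFIX = "FTP";   // namespace filter, as in Listing 11-39
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final Map<String, byte[]> connsHash = new HashMap<>();
    private static final SecureRandom rng = new SecureRandom();
    // Plays the role of appAuthSessionSecretDESKey; AES-256 instead of DES (assumption).
    private static final SecretKey sessionKey = newSessionKey();

    private static SecretKey newSessionKey() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            return kg.generateKey();
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Hypothetical interface: whatever FTP client the real method would use.
    public interface FtpLogin {
        boolean login(String user, String password);
    }

    // Store an FTP password under the "FTP" namespace, encrypted with a fresh IV.
    public static void putAppFTPString(String key, String password) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] stored = new byte[iv.length + ct.length];   // IV || ciphertext+tag
        System.arraycopy(iv, 0, stored, 0, iv.length);
        System.arraycopy(ct, 0, stored, iv.length, ct.length);
        connsHash.put(FTP_PREFIX + key, stored);
    }

    // private: the clear-text password never leaves this class (Listing 11-40's point).
    private static String getAppFTPString(String key) throws Exception {
        byte[] stored = connsHash.get(FTP_PREFIX + key);
        if (stored == null) {
            throw new IllegalArgumentException("no FTP credential registered for key " + key);
        }
        byte[] iv = Arrays.copyOfRange(stored, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(stored, GCM_IV_BYTES, stored.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    // Public entry point: logs in on the application's behalf and hands back
    // only the connection result, never the password itself.
    public static boolean connectFtp(String key, String user, FtpLogin client) throws Exception {
        String password = getAppFTPString(key);
        return client.login(user, password);
    }

    public static boolean hasFtpCredential(String key) {
        return connsHash.containsKey(FTP_PREFIX + key);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real credentials.
        putAppFTPString("reports-host", "s3cr3t-example");
        // An Oracle-style entry under an unprefixed key, as the book's registry keeps them;
        // an FTP lookup for "reports-host" resolves to "FTPreports-host", not to this entry.
        connsHash.put("reports-host",
            "oracle connection string placeholder".getBytes(StandardCharsets.UTF_8));

        System.out.println("FTP credential registered: " + hasFtpCredential("reports-host"));
        System.out.println("FTP credential for 'other': " + hasFtpCredential("other"));

        // Fake client that checks the password without exposing it to the caller.
        FtpLogin fake = (u, p) -> u.equals("ftpuser") && p.equals("s3cr3t-example");
        System.out.println("login ok: " + connectFtp("reports-host", "ftpuser", fake));
    }
}
```

Because the session key is generated once per JVM here, the stored values are only decryptable within that process; in the book's design the corresponding key is the session secret shared through the application's authenticated exchange, which is what makes the registry useful across calls.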
Update Application Security Structures
Before moving on to new topics, please run all the commands and scripts that we have described thus far. At a SQL*Plus prompt or other SQL client, as the SYS user, run the commands in Chapter11/Sys.sql. Substitute the name of an OS user who will be doing administrative tasks (you?) in the GRANT appver_admin command.

Then, as the application security user, appsec, run the commands in Chapter11/AppSec.sql. That should be easy. Additionally, execute the code from Chapter11/F_MASK.plb and Chapter11/F_UNMASK.plb (the masked versions).

Still as the appsec user, remove the comment from the first line, CREATE OR REPLACE AND RESOLVE JAVA, in Chapter11/orajavsec/OJSC.java (the obfuscated version) and execute that as SQL code. And finally, uncomment the first line of Chapter11/orajavsec/OracleJavaSecure.java and edit the expectedDomain and URL strings at the top of the code. Remove the passwords from the main() method, at the bottom. Then