the user entries; it executes three insert statements to register various aspects of the application; it grants
the current session user an administrative role; and it sets the context to the new application and calls
methods to create a placeholder in the v_app_conn_registry view for a future list of connection strings.
There is no two-factor authentication, nor is there key exchange for the new application in this process.
Listing 12-52 shows the code used to create the local instance of the described application inner
class. We discard any trailing dot (.) on the package name.
Listing 12-52. Create Local Instance of Defined Class
String innerClassName = packageTextField.getText();
// substring() returns a new String; the result must be assigned back, or the trailing dot survives
if (innerClassName.endsWith("."))
    innerClassName = innerClassName.substring(0, innerClassName.length() - 1);
innerClassName = innerClassName + "." + classTextField.getText() +
    "$" + innerClassTextField.getText();
// Both calls throw checked exceptions (ClassNotFoundException, InstantiationException,
// IllegalAccessException) that the enclosing method must catch or declare
Class classToRegister = Class.forName(innerClassName);
Object appClass = classToRegister.newInstance();
Note: This application inner class must exist in compiled form on the same client where the Register New
Application screen is running in order to register the application. The application inner class must also be on the
current CLASSPATH.
The first insert we execute will add the current user as an application administrator for this
application. The insert command is shown in Listing 12-53. Notice we use the system context value of
the client identifier that we have set equal to the SSO user. He is the designated initial administrator of
the application associated with the fully qualified inner class name that we set as the first parameter.
Listing 12-53. Insert Application Administrator
String updateString =
    "insert into appsec.v_application_admins " +
    "( class_name, user_id ) values ( ?, " +
    " SYS_CONTEXT( 'USERENV', 'CLIENT_IDENTIFIER' )) ";
// The class name is a bind parameter; the user id is read server-side from the
// session context rather than from any client-supplied text
PreparedStatement pstmt =
    conn.prepareStatement(updateString);
pstmt.setString(1, innerClassName);
pstmt.executeUpdate();
This is a dynamic update statement, but it is not susceptible to SQL Injection. It is a parameterized,
prepared statement. We discussed and tested the security of this kind of statement in Chapter 8.
The second insert we make is into the appsec.v_app_class_id view. We will associate the fully
qualified inner class name with a specific application ID. The code for this insert command is provided
in Listing 12-54. This is also done using a prepared statement.
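The two steps above, building the inner class name and registering the administrator with a bound parameter, as an added example that is not code from the book. It uses Python's sqlite3 DB-API as a stand-in for JDBC, with a constructed v_application_admins table in place of the appsec view; because SQLite has no SYS_CONTEXT, the client identifier (the SSO user) is passed as a second bind parameter. The concatenated variant exists only to show, on a class name that contains a quote, why the parameterized form is the one to use: the bound value is stored verbatim, while the spliced text is no longer valid SQL.

```python
import sqlite3

# Constructed stand-in for the appsec.v_application_admins view described in the text
SCHEMA = "create table v_application_admins (class_name text, user_id text)"


def build_inner_class_name(package, class_name, inner_class):
    """Mirror Listing 12-52: drop a trailing dot on the package, then join
    package.Class$Inner (the $ separator is the JVM's inner-class convention)."""
    if package.endswith("."):
        package = package[:-1]  # keep the result; the string itself is immutable
    return f"{package}.{class_name}${inner_class}"


def insert_admin_parameterized(conn, inner_class_name, client_identifier):
    """Prepared-statement form of Listing 12-53: both values are bound,
    never spliced into the SQL text."""
    conn.execute(
        "insert into v_application_admins (class_name, user_id) values (?, ?)",
        (inner_class_name, client_identifier),
    )
    conn.commit()


def insert_admin_concatenated(conn, inner_class_name, client_identifier):
    """The form the text avoids: SQL assembled by string concatenation.
    Included only to contrast its behaviour on awkward input."""
    sql = ("insert into v_application_admins (class_name, user_id) values ('"
           + inner_class_name + "', '" + client_identifier + "')")
    conn.execute(sql)
    conn.commit()


def registered_admins(conn):
    """Rows currently registered, ordered so the result is deterministic."""
    return conn.execute(
        "select class_name, user_id from v_application_admins order by class_name"
    ).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    sso_user = "OSADMIN"  # constructed client identifier standing in for CLIENT_IDENTIFIER

    # Normal case: trailing dot on the package is discarded before the join
    name = build_inner_class_name("com.example.apps.", "PayrollApp", "Register")
    insert_admin_parameterized(conn, name, sso_user)

    # A class name containing a single quote is legal text but not legal SQL once
    # spliced in. The bound insert stores it verbatim; the concatenated insert fails.
    awkward = build_inner_class_name("com.example", "O'Brien", "Inner")
    insert_admin_parameterized(conn, awkward, sso_user)
    try:
        insert_admin_concatenated(conn, awkward, sso_user)
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False

    return name, registered_admins(conn), concat_ok


if __name__ == "__main__":
    built, rows, concat_ok = demo()
    print(built)
    for row in rows:
        print(row)
    print("concatenated insert succeeded:", concat_ok)
```

The parameterized path never needs to know what characters the class name contains, which is exactly the property the text relies on when it calls Listing 12-53 a dynamic statement that is not susceptible to SQL injection.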